From: Sander A. <sa....@fz...> - 2023-12-13 15:33:36

Hi Krzysztof,
hi Roman,

we found an issue which looks like a bug. We set up MFA, using OTP, some time ago and most of the time it works well. But now a user reported a problem we do not understand. When we sign into the home endpoint using OIDC (tested with Google and ORCID), the local credentials are not shown (see first screenshot). If we sign in using SAML, the local credentials are shown. The logs do not show any error.

Maybe we missed some additional configuration which I do not remember and cannot find in the settings at the moment, or is it a bug? I can reproduce this on another instance as well.

This is our MFA config:

```
unityServer.core.authenticators.otp.authenticatorName=otp
unityServer.core.authenticators.otp.authenticatorType=otp
unityServer.core.authenticators.otp.localCredential=mfa_otp
unityServer.core.authenticators.otp.configurationFile=${CONF}/authenticators/passwordRetrieval.properties
unityServer.core.authenticationFlow.mfaOptin.authenticationFlowName=mfaOptin
unityServer.core.authenticationFlow.mfaOptin.authenticationFlowPolicy=USER_OPTIN
unityServer.core.authenticationFlow.mfaOptin.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaOptin.secondFactorAuthenticators=otp
unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowName=mfaEnforce
unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowPolicy=REQUIRE
unityServer.core.authenticationFlow.mfaEnforce.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaEnforce.secondFactorAuthenticators=otp
```

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair),
Karsten Beneke (Deputy Chairman), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
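A small lint for the kind of authenticator and authentication-flow properties shown in the mail above, added here as an example and not code from Unity or from the poster. It parses the dotted `unityServer.core.*` keys and checks the cross-references a flow depends on; the `samlWeb`/`oauthWeb` definitions and their type values in the sample are constructed, and the set of accepted policy values is limited to the two that appear in this thread.

```python
"""Lint a Unity IdM authenticator / authentication-flow configuration.

Added example, not Unity's own code. It parses the dotted
unityServer.core.* properties of the kind shown in the mail above and
checks the cross-references a flow depends on: every authenticator a
flow names must be defined, an otp authenticator must name the local
credential it verifies, and an opt-in or required second factor must
actually have a second-factor authenticator configured.
"""

AUTHN_PREFIX = "unityServer.core.authenticators."
FLOW_PREFIX = "unityServer.core.authenticationFlow."
# Policy values that appear on this page; extend the set with the policies
# your Unity version documents (assumption: this set is not exhaustive).
PAGE_POLICIES = frozenset({"USER_OPTIN", "REQUIRE"})


def parse_properties(text):
    """Parse Java-style key=value lines; comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def group_by_id(props, prefix):
    """Turn prefix.<id>.<field>=value into {id: {field: value}}."""
    groups = {}
    for key, value in props.items():
        if key.startswith(prefix):
            obj_id, sep, field_name = key[len(prefix):].partition(".")
            if sep:
                groups.setdefault(obj_id, {})[field_name] = value
    return groups


def split_list(value):
    """Split a comma-separated authenticator list, ignoring blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint(text, known_policies=PAGE_POLICIES):
    """Return a list of human-readable problems (empty means clean)."""
    props = parse_properties(text)
    authenticators = group_by_id(props, AUTHN_PREFIX)
    flows = group_by_id(props, FLOW_PREFIX)
    problems = []
    for aid, auth in authenticators.items():
        if "authenticatorType" not in auth:
            problems.append(f"authenticator {aid}: missing authenticatorType")
        if auth.get("authenticatorType") == "otp" and "localCredential" not in auth:
            problems.append(f"authenticator {aid}: otp requires localCredential")
    for fid, flow in flows.items():
        policy = flow.get("authenticationFlowPolicy")
        if policy not in known_policies:
            problems.append(f"flow {fid}: unknown authenticationFlowPolicy {policy!r}")
        second = split_list(flow.get("secondFactorAuthenticators", ""))
        if policy in ("USER_OPTIN", "REQUIRE") and not second:
            problems.append(f"flow {fid}: policy {policy} but no second factor")
        for field_name in ("firstFactorAuthenticators", "secondFactorAuthenticators"):
            for ref in split_list(flow.get(field_name, "")):
                if ref not in authenticators:
                    problems.append(
                        f"flow {fid}: {field_name} references undefined authenticator {ref!r}")
    return problems


# Constructed sample: the MFA flows from the mail plus the two first-factor
# authenticators they reference (the samlWeb/oauthWeb lines are assumed).
SAMPLE_OK = """
unityServer.core.authenticators.samlWeb.authenticatorName=samlWeb
unityServer.core.authenticators.samlWeb.authenticatorType=saml2
unityServer.core.authenticators.oauthWeb.authenticatorName=oauthWeb
unityServer.core.authenticators.oauthWeb.authenticatorType=oauth2
unityServer.core.authenticators.otp.authenticatorName=otp
unityServer.core.authenticators.otp.authenticatorType=otp
unityServer.core.authenticators.otp.localCredential=mfa_otp
unityServer.core.authenticationFlow.mfaOptin.authenticationFlowName=mfaOptin
unityServer.core.authenticationFlow.mfaOptin.authenticationFlowPolicy=USER_OPTIN
unityServer.core.authenticationFlow.mfaOptin.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaOptin.secondFactorAuthenticators=otp
unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowName=mfaEnforce
unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowPolicy=REQUIRE
unityServer.core.authenticationFlow.mfaEnforce.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaEnforce.secondFactorAuthenticators=otp
"""

# Constructed broken variant: the otp authenticator lost its localCredential
# and the enforcing flow names a second factor that is never defined.
SAMPLE_BROKEN = SAMPLE_OK.replace(
    "unityServer.core.authenticators.otp.localCredential=mfa_otp\n", "").replace(
    "mfaEnforce.secondFactorAuthenticators=otp", "mfaEnforce.secondFactorAuthenticators=totp")

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(name, lint(sample) or "clean")
```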
From: Krzysztof B. <kb...@un...> - 2023-12-07 09:47:43

Hi Sander,

On 6.12.2023 at 14:50, Sander Apweiler wrote:
> Hello Krzysztof,
> hello Roman,
>
> we found the time to start testing the new feature of adding attributes
> in additional claims. From reading the manual, we understood that we
> do not need to change anything in unity itself. But we are not sure in
> which call the query parameter needs to be added. Is it sufficient in
> the first call of the authorization URL before doing the
> authentication? Or is the parameter needed in the code exchange step?

The former, `claims_in_tokens` shall be added to the initial redirect URL to the OAuth IdP.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2023-12-06 13:50:21

Hello Krzysztof, hello Roman,

we found the time to start testing the new feature of adding attributes in additional claims. From reading the manual, we understood that we do not need to change anything in unity itself. But we are not sure in which call the query parameter needs to be added. Is it sufficient in the first call of the authorization URL before doing the authentication? Or is the parameter needed in the code exchange step?

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2023-11-24 12:36:01

Dear Subscribers,

A patch release was published, including fixes for the following problems:

* invitation of multiple persons from UpMan
* stability under high loads

More details: https://unity-idm.eu/releases/release-3-14-1/

On top of that we have finalized our short-term plans around releases. We plan to ship one more feature release of the current major version 3 (it will be 3.15.0). The next feature release will be 4.0.0 with a refreshed UI built on a modern technology. After the release of Unity 4, Unity 3.15 will still receive fixes for bugs found there; however, there will be no feature development in the 3.x release chain.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2023-11-21 09:50:25

Hi Sander,

On 16.11.2023 at 08:50, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> Is there an option that users can review the policies they agreed
> to? I assume I can show the attribute to which policies they agreed, but
> this does not show the policies' content. I didn't find anything about
> this in the manual.

So no, we don't have such functionality. However, the policies (at least the embedded ones) are publicly available. The link is as follows:

https://HOST/unitygw/pub/policyDocuments/POLICY-ID

Maybe it can help with your use case. Otherwise we would need to add that. In general, generating a list of such links is simple.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2023-11-16 07:50:36

Good morning Krzysztof, good morning Roman,

Is there an option that users can review the policies they agreed to? I assume I can show the attribute to which policies they agreed, but this does not show the policies' content. I didn't find anything about this in the manual.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
From: Roman K. <ro...@un...> - 2023-11-13 13:03:46

Hey Sander,

Sorry to be long in my reply, and thank you for your suggestion. I'll open a ticket to enhance the current merging view.

Kind regards,
Roman

Fri, 3 Nov 2023 at 12:10 Sander Apweiler <sa....@fz...> wrote:
> Dear Krzysztof,
> If you want to merge two accounts of a user you see just the names of
> the user. It would be very helpful if the entity ID is shown too.
>
> Best regards,
> Sander
>
> --
> Large-Scale Data Science
> Juelich Supercomputing Centre
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
From: Sander A. <sa....@fz...> - 2023-11-03 11:10:28

Dear Krzysztof,

If you want to merge two accounts of a user you see just the names of the user. It would be very helpful if the entity ID is shown too.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2023-10-27 07:17:13

Hi Sander,

On 27.10.2023 at 07:14, Sander Apweiler wrote:
> Hello Krzysztof,
> hello Roman,
>
> one of our connected clients is using Ceph as storage backend and it
> requires the certificate which was used to sign the token. According to
> https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata
> and https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6
> certificates can be added as an optional x5c attribute.
> Since I didn't find anything in the manual and nothing in the endpoint
> configuration, I assume it is not (yet) possible. Can you correct me if
> I'm wrong or give your thoughts about a possible extension?

Yes, Unity only puts bare keys in the OIDC metadata. Yes, an enhancement to also add a full certificate looks fine.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2023-10-27 06:56:44

Hi Sander,

On 19.10.2023 at 10:12, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we are preparing another instance of unity where we have the user login
> via LDAP. In the LDAP service is a tree which contains the username,
> password and an id. The other user information is stored in another
> LDAP tree identified by the id from the first one. Is there any
> possibility to fetch this information at the login? According to the
> manual the ldap.additionalSearch is only working with the username,
> which is not present in the second tree.

Unfortunately that can not be achieved. Unity would need to authenticate the user as a local user first, extract the attribute or identity of this user holding the LDAP id (assumption: the LDAP id goes to an attribute or identity in Unity) and then perform another query with that attribute being the key. That is impossible right now.

> Do we have the possibility to inject the information in other ways? We
> would also have access to an API to request the information. But I
> assume that unity can not call the API and work with the response.

Natively in Unity it would be pretty hard. I guess the only way is to develop a custom enhancement groovy script, but it would be pretty involving and would require bigger maintenance work when upgrading Unity. Maybe it is possible to create some consolidating LDAP proxy service?

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2023-10-27 05:14:57

Hello Krzysztof, hello Roman,

one of our connected clients is using Ceph as storage backend and it requires the certificate which was used to sign the token. According to https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata and https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6 certificates can be added as an optional x5c attribute. Since I didn't find anything in the manual and nothing in the endpoint configuration, I assume it is not (yet) possible. Can you correct me if I'm wrong or give your thoughts about a possible extension?

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
From: Sander A. <sa....@fz...> - 2023-10-19 08:12:57

Hi Krzysztof, hi Roman,

we are preparing another instance of unity where we have the user login via LDAP. In the LDAP service is a tree which contains the username, password and an id. The other user information is stored in another LDAP tree identified by the id from the first one. Is there any possibility to fetch this information at the login? According to the manual the ldap.additionalSearch is only working with the username, which is not present in the second tree.

Do we have the possibility to inject the information in other ways? We would also have access to an API to request the information. But I assume that unity can not call the API and work with the response.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
From: Hämmerle, F. <fel...@tu...> - 2023-10-18 15:09:40

Hello Roman,

thanks for your answer. The best way to get the needed configuration lines is to configure the authenticators, translation profiles, endpoints and so on in the GUI and after that export the system configuration from the database. All the needed configuration lines can then be copied with copy/paste to the configuration files on the server. That's really handy; unfortunately this is not mentioned in the manual, it would have saved me some time 😉.

Kind regards
Felix

--
Felix Hämmerle
University of Technology Graz
IT Services
Steyrergasse 30/1, 8010 Graz, Austria - Europe
Phone: +43 316 873 6893
Email: fel...@tu...

From: Roman Krysiński <ro...@un...>
Sent: Wednesday, 18 October 2023 11:22
To: Hämmerle, Felix <fel...@tu...>
Cc: uni...@li...
Subject: Re: [Unity-idm-discuss] Generate translation profiles

Hello Felix,

In order to load the translation profile, please use the unityServer.core.translationProfiles configuration option in the unityServer.conf file. You can see an example in our repo: https://github.com/unity-idm/unity/blob/dev/integration-tests/src/test/resources/unityServer.conf

Kind regards,
Roman

Mon, 16 Oct 2023 at 18:50 Hämmerle, Felix via Unity-idm-discuss <uni...@li...> wrote:

Hi,

I am trying to do a deployment per configuration scripts; the authenticator is working, but how can the remote data profile (in JSON format as in /conf/samples) be loaded? Is there an identical way to load released data profiles, too?

Kind regards
Felix

--
Felix Hämmerle
Technische Universität Graz
Zentraler Informatikdienst
Steyrergasse 30/1, 8010 Graz, Austria
Tel.: +43 316 873 6893
E-Mail: fel...@tu...
From: Roman K. <ro...@un...> - 2023-10-18 09:22:02

Hello Felix,

In order to load the translation profile, please use the unityServer.core.translationProfiles configuration option in the unityServer.conf file. You can see an example in our repo: https://github.com/unity-idm/unity/blob/dev/integration-tests/src/test/resources/unityServer.conf

Kind regards,
Roman

Mon, 16 Oct 2023 at 18:50 Hämmerle, Felix via Unity-idm-discuss <uni...@li...> wrote:
> Hi,
>
> I am trying to do a deployment per configuration scripts; the authenticator is
> working, but how can the remote data profile (in JSON format as in
> /conf/samples) be loaded?
>
> Is there an identical way to load released data profiles, too?
>
> Kind regards
>
> Felix
>
> --
> Felix Hämmerle
> Technische Universität Graz
> Zentraler Informatikdienst
> Steyrergasse 30/1, 8010 Graz, Austria
> Tel.: +43 316 873 6893
> E-Mail: fel...@tu...
From: Hämmerle, F. <fel...@tu...> - 2023-10-16 16:50:11

Hi,

I am trying to do a deployment per configuration scripts; the authenticator is working, but how can the remote data profile (in JSON format as in /conf/samples) be loaded? Is there an identical way to load released data profiles, too?

Kind regards
Felix

--
Felix Hämmerle
Technische Universität Graz
Zentraler Informatikdienst
Steyrergasse 30/1, 8010 Graz, Austria
Tel.: +43 316 873 6893
E-Mail: fel...@tu...
From: Roman K. <ro...@un...> - 2023-10-06 11:05:20

Hi Sander,

Thank you for reporting the issues, I'll create tickets to cover both of them. We are planning to release them in the 3.14.1 version.

Kind regards,
Roman

Thu, 5 Oct 2023 at 09:08 Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof,
> hi Roman,
>
> we are testing unity 3.14.0 and encountered a problem. When we create a
> bulk invitation and one of the email addresses is already a member,
> unity does not send the invitation. I added the screenshot of the
> message and the log.
>
> This might create a lot of trouble because users do not always review
> who is already a member of the project and just send invitations. If they
> have entered for example 20 emails and need to re-enter them because
> one of them was already a member of the group, that is not satisfying. But to
> be honest, I'm not sure if we tested this scenario also for older
> versions.
>
> Also the warning that the email textbox is mandatory if you enter
> multiple addresses is shown until you switch the focus to the next box, which is
> confusing if everything is already correct but not yet checked.
>
> Best regards,
> Sander
>
> --
> Large-Scale Data Science
> Juelich Supercomputing Centre
From: Sander A. <sa....@fz...> - 2023-10-05 07:08:58

Hi Krzysztof, hi Roman,

we are testing unity 3.14.0 and encountered a problem. When we create a bulk invitation and one of the email addresses is already a member, unity does not send the invitation. I added the screenshot of the message and the log.

This might create a lot of trouble because users do not always review who is already a member of the project and just send invitations. If they have entered for example 20 emails and need to re-enter them because one of them was already a member of the group, that is not satisfying. But to be honest, I'm not sure if we tested this scenario also for older versions.

Also the warning that the email textbox is mandatory if you enter multiple addresses is shown until you switch the focus to the next box, which is confusing if everything is already correct but not yet checked.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2023-09-21 13:33:01

Dear Subscribers,

I'm happy to announce the availability of a new Unity release. As always, all relevant links are available at https://unity-idm.eu/releases/release-3-14-0/

The 3.14.0 release focuses on performance improvements when operating on large user databases. Besides, some smaller feature requests were implemented, and many bugs were addressed.

Performance

Changes should resolve slow:
* inviting multiple users from UpMan
* OAuth tokens listing in Console
* bulk registration requests processing
* loading of registration form

More capable authorization on IdP

A new released data profile action "stopAuthentication" allows for conditional breaking of the authentication flow. The difference from the already present "failAuthentication" action is that the user's agent is not redirected back to the client with an error response, but instead lands on an embedded Unity "finalization" page, which can be flexibly configured. This feature works the same for both OAuth and SAML IdP endpoints.

Other improvements

* ORCID integration was updated, catching up with ORCID API changes
* Admin can configure a size limit for JSON database dump upload; also the default limit is dynamic, computed based on the available server memory.
* Demo/quickstart server certificate was updated
* PostgreSQL based installations handle JSON dump imports correctly now
* Unity will display a caption configured in a custom layout of a form, also when it is the very first element of the form
* Attributes preset by invitations which were shown in the form are now displayed correctly, without metadata.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2023-08-24 09:17:59

Hi Sander,

On 23.08.2023 at 14:15, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> in our new setup we have the requirement that users have only one
> account, even if they log in via different upstream IdPs. Since there is
> also LDAP as one of the identity providers, I do not have a persistent
> identifier from the home organisation but can only use the email
> address for this. Of course the email address is a bad choice because it is
> reused after a retention period if the user leaves the home
> organisation.
>
> To have the email unique across the users we would need to store it as
> an identity of the account. Please correct me if I am wrong in this
> point.

You are correct.

> If a user logs in and there is already an account with the used email
> address we want to start the account linking procedure instead of
> automatically linking the accounts or giving just access because of the
> same email address. With this step we want to avoid providing access to
> an old account where the user does not exist anymore and is not yet
> removed.
>
> By reading the manual and testing I was just able to automatically
> bind the user to one entity. The second identity from the upstream IdP
> was not taken into account. So I have at the moment two questions.
>
> 1. Is there a way to configure unity to log the user in if both
> identities do exist at the entity? E.g. username+email for ldap or
> id+email for others.

Yes, it is: in the input profile you need to set up REQUIRE_MATCH for both identity types required for a given IdP. Then the login will be successful only if both match.

> 2. Is there a way to trigger the account linking if the login provides
> only one of the stored identities but not the second one?

Unfortunately not. When using REQUIRE_MATCH the failure is critical, i.e. it does not allow to associate the remote identity with some local one. We would need a new feature for that.

> I hope you can understand the scenario.

I think more or less yes.

HTH,
Krzysztof
From: Sander A. <sa....@fz...> - 2023-08-23 12:15:41

Hi Krzysztof, hi Roman,

in our new setup we have the requirement that users have only one account, even if they log in via different upstream IdPs. Since there is also LDAP as one of the identity providers, I do not have a persistent identifier from the home organisation but can only use the email address for this. Of course the email address is a bad choice because it is reused after a retention period if the user leaves the home organisation.

To have the email unique across the users we would need to store it as an identity of the account. Please correct me if I am wrong in this point.

If a user logs in and there is already an account with the used email address we want to start the account linking procedure instead of automatically linking the accounts or giving just access because of the same email address. With this step we want to avoid providing access to an old account where the user does not exist anymore and is not yet removed.

By reading the manual and testing I was just able to automatically bind the user to one entity. The second identity from the upstream IdP was not taken into account. So I have at the moment two questions.

1. Is there a way to configure unity to log the user in if both identities do exist at the entity? E.g. username+email for ldap or id+email for others.
2. Is there a way to trigger the account linking if the login provides only one of the stored identities but not the second one?

I hope you can understand the scenario.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
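A model of the identity matching behaviour discussed in this question and in Krzysztof's reply above (REQUIRE_MATCH on both the username and the email identity), added here as an example; it is not Unity's code, and the names `Effect`, `Entity`, `resolve`, the `MATCH` effect and the sample directory are constructed for the illustration. It shows that with both identities required a recycled e-mail address alone does not unlock the departed user's old account, while a weaker rule on the email does.

```python
"""Model of identity matching with REQUIRE_MATCH, as discussed above.

Added example, not Unity's code: it simulates the behaviour described for
an input profile that maps two remote identities (userName and email)
with REQUIRE_MATCH. Login succeeds only when every required identity
resolves to the same single local entity; a missing or conflicting match
is a hard failure, so a recycled e-mail address cannot unlock an old
account on its own. Effect, Entity and resolve are constructed names.
"""
from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    REQUIRE_MATCH = "REQUIRE_MATCH"  # the effect named on this page
    MATCH = "MATCH"                  # assumed weaker rule: use a match if any, else ignore


@dataclass(frozen=True)
class Identity:
    type: str
    value: str


@dataclass(frozen=True)
class Entity:
    entity_id: int
    identities: frozenset


def resolve(local_entities, remote_identities, effects):
    """Return (entity_id or None, reason) for one remote login attempt.

    effects maps identity type -> Effect; types without an entry use MATCH.
    """
    candidates = None
    for ident in remote_identities:
        effect = effects.get(ident.type, Effect.MATCH)
        holders = {e.entity_id for e in local_entities if ident in e.identities}
        if not holders:
            if effect is Effect.REQUIRE_MATCH:
                return None, f"required {ident.type} {ident.value!r} matches no local entity"
            continue  # MATCH with no holder: nothing to narrow down, keep going
        candidates = holders if candidates is None else candidates & holders
        if not candidates:
            return None, f"{ident.type} {ident.value!r} points to a different entity than earlier identities"
    if not candidates or len(candidates) != 1:
        return None, "no unique local entity matched"
    return next(iter(candidates)), "all identities matched one entity"


# Constructed directory: entity 7 is a departed user whose e-mail the home
# organisation has since recycled; entity 9 is an active user.
LOCAL = [
    Entity(7, frozenset({Identity("userName", "jdoe"),
                         Identity("email", "j.doe@example.org")})),
    Entity(9, frozenset({Identity("userName", "asmith"),
                         Identity("email", "a.smith@example.org")})),
]
# Both identity types are required, as in the reply above.
EFFECTS = {"userName": Effect.REQUIRE_MATCH, "email": Effect.REQUIRE_MATCH}


def login(username, email, effects=EFFECTS):
    """Simulate an upstream login presenting a username and an e-mail."""
    remote = [Identity("userName", username), Identity("email", email)]
    return resolve(LOCAL, remote, effects)


if __name__ == "__main__":
    print(login("asmith", "a.smith@example.org"))   # entity 9
    print(login("jdoe2", "j.doe@example.org"))      # None: recycled e-mail, new username
    print(login("asmith", "j.doe@example.org"))     # None: identities conflict
    # Weaker rule: only MATCH on email hands out the old account 7.
    print(login("jdoe2", "j.doe@example.org", {"email": Effect.MATCH}))
```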
From: Sander A. <sa....@fz...> - 2023-08-22 06:24:25
|
Hi Krzysztof, thanks for the feedback. We are not sure if we want to use the userhome Endpoint of not. Would this also work during the registration/first time login into unity? Best regards, Sander On Mon, 2023-08-21 at 12:32 +0200, Krzysztof Benedyczak wrote: > Hi Sander, > > W dniu 18.08.2023 o 12:42, Sander Apweiler pisze: > > Hi Krzysztof, hi Roman, > > within another project we have a quite difficult use-case for > > integrating LDAP for authentication in untiy. The LDAP has one tree > > containing the usernames, passwords and an identifier (not equal to > > the > > username). Within another tree we have this identifier, email and > > name > > of the user. > > > > As far as I understood the manual unity would be able to perform > > the > > ldapsearch for the attributes on another tree than the bind call > > for > > authentication, but it would require the username in both trees. So > > this would not fit here. > > > > We had two ideas what could work but would need your knowledge to > > clarify this. The first idea was the mechanism to call an attribute > > authority after user authentication, like we had in the lifescience > > use-case in past. Could we use this feature to perform the second > > LDAP > > call after authentication to fetch the user information from the > > seconf > > tree using the identifier. > > > > The second idea was fetching the user information from a > > proprietary > > API, which already exists. For this we would need to trigger a > > script, > > which fetches the information and stores them into unity. Would > > there > > be a trigger for a groovy script in the authentication/registration > > process where we could integrate the script? > > > The first of your ideas should work. Note that this will work only > when > in Unity authentication is performed on one of IdP endpoints (SAML or > OAuth). 
But if that is fine (and so you don't need to enrich > information > about existing user logging into unity directly, like to homeUI), > then > usage of LDAP importer should be just perfect. > > > Best, > Krzysztof > -- Large-Scale Data Science Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Stefan Müller Geschaeftsfuehrung: Prof. Dr. Astrid Lambrecht (Vorsitzende), Karsten Beneke (stellv. Vorsitzender), Dr. Ir. Pieter Jansens ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
From: Krzysztof B. <kb...@un...> - 2023-08-21 10:32:57
Hi Sander,

On 18.08.2023 at 12:42, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> within another project we have a quite difficult use-case for integrating LDAP for authentication in Unity. The LDAP has one tree containing the usernames, passwords and an identifier (not equal to the username). Within another tree we have this identifier, email and name of the user.
>
> As far as I understood the manual, Unity would be able to perform the ldapsearch for the attributes on another tree than the bind call for authentication, but it would require the username in both trees. So this would not fit here.
>
> We had two ideas what could work but would need your knowledge to clarify this. The first idea was the mechanism to call an attribute authority after user authentication, like we had in the lifescience use-case in the past. Could we use this feature to perform the second LDAP call after authentication to fetch the user information from the second tree using the identifier?
>
> The second idea was fetching the user information from a proprietary API, which already exists. For this we would need to trigger a script, which fetches the information and stores it into Unity. Would there be a trigger for a groovy script in the authentication/registration process where we could integrate the script?

The first of your ideas should work. Note that this will work only when authentication in Unity is performed on one of the IdP endpoints (SAML or OAuth). But if that is fine (and so you don't need to enrich information about an existing user logging into Unity directly, like to homeUI), then usage of the LDAP importer should be just perfect.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-08-18 13:41:16
Hi Krzysztof,

yes it worked for us. Thank you very much.

Sander

On Fri, 2023-08-18 at 15:27 +0200, Sander Apweiler wrote:
> Hi Krzysztof,
> thanks for the swift reply. We will test this.
>
> Best regards,
> Sander
>
> On Fri, 2023-08-18 at 15:19 +0200, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 18.08.2023 at 07:37, Sander Apweiler wrote:
> > > Hello again,
> > > ORCID indicated that the error could be caused by this API change:
> > > https://groups.google.com/g/orcid-api-users/c/nl-ZCnsLB_U
> > >
> > > Can we somehow update the URL via the configuration to test it?
> >
> > Yes, and yes.
> >
> > Yes: this is the root cause. I'm opening a ticket to update the orcid Oauth settings. Also we will update Unity to use their latest API.
> >
> > Workaround: add this to your configuration:
> >
> > unity.oauth2.client.providers.orcid.accessTokenEndpoint=https://orcid.org/oauth/token
> >
> > where .orcid. should be the config key of your orcid authenticator.
> >
> > Please verify in console if your change was effective.
> >
> > HTH,
> > Krzysztof
> >
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

From: Sander A. <sa....@fz...> - 2023-08-18 13:27:37
Hi Krzysztof,

thanks for the swift reply. We will test this.

Best regards,
Sander

On Fri, 2023-08-18 at 15:19 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 18.08.2023 at 07:37, Sander Apweiler wrote:
> > Hello again,
> > ORCID indicated that the error could be caused by this API change:
> > https://groups.google.com/g/orcid-api-users/c/nl-ZCnsLB_U
> >
> > Can we somehow update the URL via the configuration to test it?
>
> Yes, and yes.
>
> Yes: this is the root cause. I'm opening a ticket to update the orcid Oauth settings. Also we will update Unity to use their latest API.
>
> Workaround: add this to your configuration:
>
> unity.oauth2.client.providers.orcid.accessTokenEndpoint=https://orcid.org/oauth/token
>
> where .orcid. should be the config key of your orcid authenticator.
>
> Please verify in console if your change was effective.
>
> HTH,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-08-18 13:19:27
Hi Sander,

On 18.08.2023 at 07:37, Sander Apweiler wrote:
> Hello again,
> ORCID indicated that the error could be caused by this API change:
> https://groups.google.com/g/orcid-api-users/c/nl-ZCnsLB_U
>
> Can we somehow update the URL via the configuration to test it?

Yes, and yes.

Yes: this is the root cause. I'm opening a ticket to update the orcid Oauth settings. Also we will update Unity to use their latest API.

Workaround: add this to your configuration:

unity.oauth2.client.providers.orcid.accessTokenEndpoint=https://orcid.org/oauth/token

where .orcid. should be the config key of your orcid authenticator.

Please verify in console if your change was effective.

HTH,
Krzysztof
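The workaround above overrides the token endpoint of an OAuth2 client provider, which is the URL the client secret is posted to, so a wrong host or a plain-http value in that key matters more than most typos. The script below is an added example for checking such overrides before relying on the console; it is not Unity's own code and not from the list. It assumes the configuration is a Java-properties-style text file (key=value, '#' comments, trailing backslash continues a line) and that provider settings follow the key pattern shown above, unity.oauth2.client.providers.<key>.accessTokenEndpoint; the clientId key name, the expected hosts passed to audit(), and every value in SAMPLE_CONFIG are constructed for the demonstration.

```python
"""Audit accessTokenEndpoint overrides in a Unity-style properties config.

Added example, not Unity's own code and not from the mailing list. Assumptions:
- the config is a Java-properties-style text file (key=value, '#' or '!'
  comments, a trailing backslash continues a line);
- provider settings use the key pattern shown on the list:
  unity.oauth2.client.providers.<key>.accessTokenEndpoint
- accessTokenEndpoint is the only setting name taken from the list; the
  clientId key and all values in SAMPLE_CONFIG are constructed for the demo,
  and the expected hosts are the auditor's own input.
"""
import re
from urllib.parse import urlsplit

# constructed sample config: one correct override (the list's workaround, split
# over a continuation line), one provider without an override, and one
# override pointing at a look-alike host over plain http
SAMPLE_CONFIG = """\
# constructed sample, not a real deployment
unity.oauth2.client.providers.orcid.clientId=EXAMPLE-CLIENT-ID
unity.oauth2.client.providers.orcid.accessTokenEndpoint=\\
    https://orcid.org/oauth/token
unity.oauth2.client.providers.google.clientId=EXAMPLE-CLIENT-ID-2
unity.oauth2.client.providers.typo.accessTokenEndpoint=http://orcid-example.invalid/oauth/token
"""

KEY_RE = re.compile(
    r"^unity\.oauth2\.client\.providers\.([^.=\s]+)\.(\w+)\s*=\s*(.*)$"
)


def parse_provider_settings(text):
    """Return {provider_key: {setting: value}} for all provider keys in text.

    Joins backslash-continued lines and skips blank and comment lines, the way
    a properties reader does, so an override split over two lines is still seen.
    """
    logical_lines, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        logical_lines.append((buf + raw).strip())
        buf = ""
    if buf:
        logical_lines.append(buf.strip())

    settings = {}
    for line in logical_lines:
        if not line or line.startswith(("#", "!")):
            continue
        m = KEY_RE.match(line)
        if m:
            key, setting, value = m.groups()
            settings.setdefault(key, {})[setting] = value.strip()
    return settings


def check_token_endpoint(url, expected_host):
    """Findings for one accessTokenEndpoint value; an empty list means it is fine.

    The token endpoint receives the client secret, so it must be https and must
    be the host the provider actually owns.
    """
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("token endpoint is not https; the client secret would be sent in clear")
    if parts.hostname != expected_host:
        findings.append(
            f"token endpoint host {parts.hostname!r} is not the expected {expected_host!r}"
        )
    return findings


def audit(text, expected_hosts):
    """expected_hosts maps provider key -> host that should serve its token endpoint.

    Returns {provider_key: [findings]}; a provider with no override gets a note
    that the built-in default applies (nothing in the config to check).
    """
    providers = parse_provider_settings(text)
    result = {}
    for key, host in expected_hosts.items():
        override = providers.get(key, {}).get("accessTokenEndpoint")
        if override is None:
            result[key] = ["no accessTokenEndpoint override; the built-in default applies"]
        else:
            result[key] = check_token_endpoint(override, host)
    return result


if __name__ == "__main__":
    # expected hosts are assumptions for the demo, not values from the list
    report = audit(SAMPLE_CONFIG, {"orcid": "orcid.org", "google": "oauth2.googleapis.com", "typo": "orcid.org"})
    for key, findings in report.items():
        print(f"{key}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the real config file by reading the file into audit() instead of SAMPLE_CONFIG; a provider that reports no override is served by Unity's built-in endpoint, which is exactly the case the ORCID API change broke until the override above was added.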