From: Sander A. <sa....@fz...> - 2023-12-13 15:33:36
Hi Krzysztof,
hi Roman,
we found an issue which looks like a bug. We set up MFA, using OTP,
some time ago and most of the time it works well. But now a user reported a
problem which we do not understand. When we sign into the home endpoint
using OIDC (tested with Google and ORCID), the local credentials are not
shown (see first screenshot). If we sign in using SAML, the local
credentials are shown. The logs do not show any error.
Maybe we missed some additional configuration, which I do not remember and
cannot find in the settings at the moment, or is it a bug? I can reproduce this
on another instance as well.
This is our MFA config:
unityServer.core.authenticators.otp.authenticatorName=otp
unityServer.core.authenticators.otp.authenticatorType=otp
unityServer.core.authenticators.otp.localCredential=mfa_otp
unityServer.core.authenticators.otp.configurationFile=${CONF}/authenticators/passwordRetrieval.properties
unityServer.core.authenticationFlow.mfaOptin.authenticationFlowName=mfaOptin
unityServer.core.authenticationFlow.mfaOptin.authenticationFlowPolicy=USER_OPTIN
unityServer.core.authenticationFlow.mfaOptin.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaOptin.secondFactorAuthenticators=otp
unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowName=mfaEnforce
unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowPolicy=REQUIRE
unityServer.core.authenticationFlow.mfaEnforce.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaEnforce.secondFactorAuthenticators=otp
Best regards,
Sander
--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair),
Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2023-12-14 08:17:43
Hi Sander,

On 13.12.2023 at 16:33, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
> we found an issue which looks like a bug. We set up MFA, using OTP,
> some time ago and most time it works well. But now a user reported a
> problem, we do not understand. When we sign into the home endpoint
> using OIDC (tested with Google and ORCID), the local credential are not
> shown (see first screenshot). If we sign in, using SAML, the local
> credentials are shown. The logs do not show any error.

From the provided screenshots I can't tell one thing. Are you 100% sure that in both cases you have signed in as the same Unity entity? This looks like in the OIDC case you are signing into some (e.g. autocreated) other entity which simply has no local creds.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2023-12-14 08:21:00
Attachments:
smime.p7s
Hi Krzysztof,

no, I'm not in the same entity ID, but I do not want to be in the same one. The first one was autogenerated via OIDC authN at ORCID and the second one via SAML authN at FZJ. But the problem is that I see the local credentials (esp. OTP) only in the second one.

Best regards,
Sander

On Thu, 2023-12-14 at 09:17 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 13.12.2023 at 16:33, Sander Apweiler wrote:
> > Hi Krzysztof,
> > hi Roman,
> > we found an issue which looks like a bug. We set up MFA, using OTP,
> > some time ago and most time it works well. But now a user reported a
> > problem, we do not understand. When we sign into the home endpoint
> > using OIDC (tested with Google and ORCID), the local credential are not
> > shown (see first screenshot). If we sign in, using SAML, the local
> > credentials are shown. The logs do not show any error.
>
> From the provided screenshots I can't tell one thing. Are you 100% sure
> that in both cases you have signed as the same Unity entity? This looks
> like in the OIDC case you signing into some (e.g. autocreated) other
> entity which simply has no local creds.
>
> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2023-12-14 08:23:05
On 14.12.2023 at 09:20, Sander Apweiler wrote:
> Hi Krzysztof,
> no I'm not in the same entity ID, but I do not want to be in the same
> one. The first one was autogenerated via OIDC authN at ORCID and the
> second one vie SAML authN at FZJ. But the problem is, that I see the
> local credentials (esp. OTP) only in the second one.

OK, but can you double check, if for the entity that signed in via OIDC you have those local credentials set (i.e. find that entity in the console and list its credentials)?
From: Sander A. <sa....@fz...> - 2023-12-14 11:48:56
Attachments:
smime.p7s
Hi Krzysztof,

they are empty as well. But I found the reason. In the registration forms they use different credential requirements, although neither SAML nor OIDC authentication uses local credentials in the registration form. So I would need to update the default credential requirements in the automation tab and update all OIDC-based accounts.

Best regards,
Sander

On Thu, 2023-12-14 at 09:22 +0100, Krzysztof Benedyczak wrote:
> On 14.12.2023 at 09:20, Sander Apweiler wrote:
> > Hi Krzysztof,
> > no I'm not in the same entity ID, but I do not want to be in the same
> > one. The first one was autogenerated via OIDC authN at ORCID and the
> > second one vie SAML authN at FZJ. But the problem is, that I see the
> > local credentials (esp. OTP) only in the second one.
>
> OK, but can you double check, if for the entity that signed via OIDC you
> have those local credentials set (i.e. find that entity in console and
> list credentials)?
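The root cause above (entities auto-created through one registration form were given a credential requirement that does not contain the OTP local credential, so the second factor can never be enrolled or shown for them) is the kind of thing that is easy to miss in a console and worth checking across all accounts. The following script is an added example, not part of this thread and not Unity's own code or API: it parses the MFA-related `unityServer.conf` lines quoted earlier to learn which local credential each flow's second factor relies on, then compares that against a constructed, console-style listing of credential requirements and entities. The requirement name `oidc-autocreated`, the entity ids and identities are all assumed sample data.

```python
"""Offline audit: which entities can actually present the second factor of a
Unity IdM authentication flow?

Added example, not part of the original thread or of Unity itself.  The
properties parser follows the key layout quoted in the thread; the entity and
credential-requirement records below are constructed sample data resembling
what the console lists, not output of any Unity API.
"""
from collections import defaultdict

# Constructed: the MFA-related lines of unityServer.conf quoted in the thread.
UNITY_CONF = """
unityServer.core.authenticators.otp.authenticatorName=otp
unityServer.core.authenticators.otp.authenticatorType=otp
unityServer.core.authenticators.otp.localCredential=mfa_otp
unityServer.core.authenticators.otp.configurationFile=${CONF}/authenticators/passwordRetrieval.properties
unityServer.core.authenticationFlow.mfaOptin.authenticationFlowName=mfaOptin
unityServer.core.authenticationFlow.mfaOptin.authenticationFlowPolicy=USER_OPTIN
unityServer.core.authenticationFlow.mfaOptin.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaOptin.secondFactorAuthenticators=otp
unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowName=mfaEnforce
unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowPolicy=REQUIRE
unityServer.core.authenticationFlow.mfaEnforce.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaEnforce.secondFactorAuthenticators=otp
"""


def parse_properties(text):
    """Group keys of the form unityServer.core.<section>.<name>.<attr>
    into {section: {name: {attr: value}}}."""
    tree = defaultdict(lambda: defaultdict(dict))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".")
        if len(parts) != 5 or parts[:2] != ["unityServer", "core"]:
            continue  # not one of the section/name/attribute keys we model
        section, name, attr = parts[2], parts[3], parts[4]
        tree[section][name][attr] = value.strip()
    return tree


def second_factor_credentials(conf):
    """Map each flow name to the set of local credentials that its
    second-factor authenticators depend on (via their localCredential)."""
    tree = parse_properties(conf)
    authenticators = tree["authenticators"]
    result = {}
    for flow_key, attrs in tree["authenticationFlow"].items():
        needed = set()
        for auth in attrs.get("secondFactorAuthenticators", "").split(","):
            auth = auth.strip()
            if auth and "localCredential" in authenticators.get(auth, {}):
                needed.add(authenticators[auth]["localCredential"])
        result[attrs.get("authenticationFlowName", flow_key)] = needed
    return result


# Constructed sample data: credential requirement -> credentials it contains,
# and entities with the requirement they were created with.  The requirement
# name "oidc-autocreated" is an assumption for the OIDC registration form's one.
CREDENTIAL_REQUIREMENTS = {
    "sys:all": {"sys:password", "mfa_otp"},
    "oidc-autocreated": set(),
}
ENTITIES = [
    {"id": 101, "identity": "saml:fzj-user", "credentialRequirement": "sys:all"},
    {"id": 202, "identity": "oidc:orcid-user", "credentialRequirement": "oidc-autocreated"},
]


def entities_without_second_factor(flow_name, conf=UNITY_CONF,
                                   requirements=CREDENTIAL_REQUIREMENTS,
                                   entities=ENTITIES):
    """Return ids of entities whose credential requirement lacks a credential
    the flow's second factor needs; those accounts cannot enrol or show OTP."""
    needed = second_factor_credentials(conf)[flow_name]
    return [e["id"] for e in entities
            if not needed <= requirements.get(e["credentialRequirement"], set())]


if __name__ == "__main__":
    for flow in ("mfaOptin", "mfaEnforce"):
        print(flow, "-> entities unable to present OTP:",
              entities_without_second_factor(flow))
```

With the sample data, the SAML-created entity (requirement `sys:all`) passes and the OIDC-created one is reported for both flows, which mirrors the symptom in the thread: the fix is to change the credential requirement used by the registration form and then re-assign it on the already created accounts, not to touch the flow or authenticator configuration.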