Menu
▾
▴
unity-idm-discuss
|
From: Sander A. <sa....@fz...> - 2020-09-14 05:35:44
Attachments:
smime.p7s
unity_cert.log
|
Hello Krzysztof, I encountered an old problem, which is still present in unity. If an IdP updated its certificate and provides it within the federation metadata, like eduGAIN, unity does not update the used certificate by the regular metadata update (once per hour). After the IdP changes its certificate unity just give the attached error. Last metadata update before the error: 2020-09-11T09:40:46,282 [pool-2-thread-2] DEBUG unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding 2020-09-11T09:40:46,282 [pool-2-thread-2] DEBUG unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding 2020-09-11T09:41:37,769 [pool-2-thread-2] DEBUG unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding 2020-09-11T09:41:37,769 [pool-2-thread-2] DEBUG unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding Using federations like DFN or eduGAIN makes it impossible to know when a certificate is updated. Cheers, Sander -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Sander A. <sa....@fz...> - 2020-09-15 07:56:19
Attachments:
smime.p7s
|
Hello Krzysztof, I have some further information about this issue. The KIT IdP, who renews its certificate, offers at the moment two signing certificates in the federation metadata. The old one and the new one. This is a common way for the certificate renewal [1]. It seems that unity only supports one of them and this creates the mismatch. Unity should support all certificates which are provided via the IdP metadata. This rollover procedure should avoid outages for the users during the update procedure. Especially when you use federations it took time until the information reaches the other end of the chain. In best case only a few minutes, when the information reaches the next level before the level above fetches the information. In bad case it takes several days, if the new information only fetched once per day. Is it possible that unity supports this common rollover mechanism for its own certificates in future? Cheers, Sander [1]: https://www.switch.ch/aai/guides/sp/certificate-rollover/ On Mon, 2020-09-14 at 07:35 +0200, Sander Apweiler wrote: > Hello Krzysztof, > I encountered an old problem, which is still present in unity. If an > IdP updated its certificate and provides it within the federation > metadata, like eduGAIN, unity does not update the used certificate by > the regular metadata update (once per hour). After the IdP changes > its > certificate unity just give the attached error. > > Last metadata update before the error: > 2020-09-11T09:40:46,282 [pool-2-thread-2] DEBUG > unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded > from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with > urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding > 2020-09-11T09:40:46,282 [pool-2-thread-2] DEBUG > unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded > from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with > urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding > 2020-09-11T09:41:37,769 [pool-2-thread-2] DEBUG > unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded > from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with > urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding > 2020-09-11T09:41:37,769 [pool-2-thread-2] DEBUG > unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded > from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with > urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding > > Using federations like DFN or eduGAIN makes it impossible to know > when > a certificate is updated. > > Cheers, > Sander -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2020-09-16 10:36:14
|
Hello Sander, W dniu 15.09.2020 o 09:55, Sander Apweiler pisze: > Hello Krzysztof, > I have some further information about this issue. The KIT IdP, who > renews its certificate, offers at the moment two signing certificates > in the federation metadata. The old one and the new one. This is a > common way for the certificate renewal [1]. It seems that unity only > supports one of them and this creates the mismatch. Unity should > support all certificates which are provided via the IdP metadata. > > This rollover procedure should avoid outages for the users during the > update procedure. Especially when you use federations it took time > until the information reaches the other end of the chain. In best case > only a few minutes, when the information reaches the next level before > the level above fetches the information. In bad case it takes several > days, if the new information only fetched once per day. We have an old ticket (2017 (!)) about the certificates not being updated after metadata change. The ticket has a note that I was unable to reproduce it despite of several tries. The situation with multiple certificates of an IdP should work - it is supported. I.e. if IdP metadata advertises more then one certificate, then Unity should accept all of them. This feature is I think less tested so I can suspect that there may some bug in it. I can add more detailed logging what I'll do for the next revision - it should help to track down the problem. We have also pending ticket to be able to see in details the runtime (effective) list of trusted IdPs for a SAML authenticator - but that's a bit bigger work, not planned in near term. > Is it possible that unity supports this common rollover mechanism for > its own certificates in future? Yes, why not. We can add a new option to IdP configuration, "former credential" which would be used for metadata only. Sounds rather easy. Do you consider this also for SP (i.e. Unity SAML authenticator)? Best, Krzysztof |
|
From: Krzysztof B. <kb...@un...> - 2020-09-17 10:28:48
|
Sander, W dniu 16.09.2020 o 12:35, Krzysztof Benedyczak pisze: > Hello Sander, > > W dniu 15.09.2020 o 09:55, Sander Apweiler pisze: >> Hello Krzysztof, >> I have some further information about this issue. The KIT IdP, who >> renews its certificate, offers at the moment two signing certificates >> in the federation metadata. The old one and the new one. This is a >> common way for the certificate renewal [1]. It seems that unity only >> supports one of them and this creates the mismatch. Unity should >> support all certificates which are provided via the IdP metadata. Good (well, somewhat) news here: indeed you are right - we have a bug here, in general related to handling multiple certificates per an entity. It is broken in a case when multiple certificates advertised for an entity share the same DN (what is actually the common case :/). Working on a fix. Best Krzysztof |
|
From: Sander A. <sa....@fz...> - 2020-09-21 05:22:51
Attachments:
smime.p7s
|
Good morning Krzysztof, I own you still an answer on your last question. On Wed, 2020-09-16 at 12:35 +0200, Krzysztof Benedyczak wrote: > Hello Sander, > > W dniu 15.09.2020 o 09:55, Sander Apweiler pisze: > > Hello Krzysztof, > > I have some further information about this issue. The KIT IdP, who > > renews its certificate, offers at the moment two signing > > certificates > > in the federation metadata. The old one and the new one. This is a > > common way for the certificate renewal [1]. It seems that unity > > only > > supports one of them and this creates the mismatch. Unity should > > support all certificates which are provided via the IdP metadata. > > > > This rollover procedure should avoid outages for the users during > > the > > update procedure. Especially when you use federations it took time > > until the information reaches the other end of the chain. In best > > case > > only a few minutes, when the information reaches the next level > > before > > the level above fetches the information. In bad case it takes > > several > > days, if the new information only fetched once per day. > > We have an old ticket (2017 (!)) about the certificates not being > updated after metadata change. The ticket has a note that I was > unable > to reproduce it despite of several tries. > > The situation with multiple certificates of an IdP should work - it > is > supported. I.e. if IdP metadata advertises more then one > certificate, > then Unity should accept all of them. This feature is I think less > tested so I can suspect that there may some bug in it. > > I can add more detailed logging what I'll do for the next revision - > it > should help to track down the problem. We have also pending ticket to > be > able to see in details the runtime (effective) list of trusted IdPs > for > a SAML authenticator - but that's a bit bigger work, not planned in > near > term. > > > Is it possible that unity supports this common rollover mechanism > > for > > its own certificates in future? > Yes, why not. We can add a new option to IdP configuration, "former > credential" which would be used for metadata only. Sounds rather > easy. > Do you consider this also for SP (i.e. Unity SAML authenticator)? Yes it would be also effect the SP. I guess, if unity is used as Proxy, in most cases the same certificate is used for IdP and SP part. And you need to do the rollover in the same way for both. Cheers, Sander > > Best, > Krzysztof > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2020-09-21 07:05:09
|
Hi Sander, W dniu 21.09.2020 o 07:22, Sander Apweiler pisze: > Good morning Krzysztof, > I own you still an answer on your last question. > > On Wed, 2020-09-16 at 12:35 +0200, Krzysztof Benedyczak wrote: >> Hello Sander, >> >> W dniu 15.09.2020 o 09:55, Sander Apweiler pisze: >>> Hello Krzysztof, >>> I have some further information about this issue. The KIT IdP, who >>> renews its certificate, offers at the moment two signing >>> certificates >>> in the federation metadata. The old one and the new one. This is a >>> common way for the certificate renewal [1]. It seems that unity >>> only >>> supports one of them and this creates the mismatch. Unity should >>> support all certificates which are provided via the IdP metadata. >>> >>> This rollover procedure should avoid outages for the users during >>> the >>> update procedure. Especially when you use federations it took time >>> until the information reaches the other end of the chain. In best >>> case >>> only a few minutes, when the information reaches the next level >>> before >>> the level above fetches the information. In bad case it takes >>> several >>> days, if the new information only fetched once per day. >> We have an old ticket (2017 (!)) about the certificates not being >> updated after metadata change. The ticket has a note that I was >> unable >> to reproduce it despite of several tries. >> >> The situation with multiple certificates of an IdP should work - it >> is >> supported. I.e. if IdP metadata advertises more then one >> certificate, >> then Unity should accept all of them. This feature is I think less >> tested so I can suspect that there may some bug in it. >> >> I can add more detailed logging what I'll do for the next revision - >> it >> should help to track down the problem. We have also pending ticket to >> be >> able to see in details the runtime (effective) list of trusted IdPs >> for >> a SAML authenticator - but that's a bit bigger work, not planned in >> near >> term. >> >>> Is it possible that unity supports this common rollover mechanism >>> for >>> its own certificates in future? >> Yes, why not. We can add a new option to IdP configuration, "former >> credential" which would be used for metadata only. Sounds rather >> easy. >> Do you consider this also for SP (i.e. Unity SAML authenticator)? > Yes it would be also effect the SP. I guess, if unity is used as Proxy, > in most cases the same certificate is used for IdP and SP part. And you > need to do the rollover in the same way for both. That was my assumption too, agreed. One extra note: this task is more involving than my first thought was: we also need to support decryption, and we need to be able to decrypt with either of the certificates. Cheers, Krzysztof |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X