From: Nikolaos E. <ni...@ad...> - 2018-06-07 11:47:43
Hello Krzysztof,

Based on this section of the Unity IdM documentation
http://www.unity-idm.eu/documentation/unity-2.4.0/manual.html#_preselected_automated_authentication
I managed to preselect an IdP and auto-login using the parameters
?uy_select_authn=samlWeb.${authenticationOptionId}&uy_auto_login=true .

Is it possible to make an OIDC authorization request with a preselected IdP for a specific client?

Regards,
Nick
From: Krzysztof B. <kb...@un...> - 2018-06-08 07:38:51
Hi Nikolaos,

I'm not sure if I understand the question. As you succeeded with auto-login with those options, which are provided by a client, you should be able to selectively use them only for your specific client.

If the problem is that you can use those special query params for that client, you can enable this server-side. Create a separate OAuth authorization endpoint in Unity and configure it to auto-login all clients (unity.endpoint.web.autoLogin=true). Then point your specific client to that endpoint.

Best
Krzysztof
From: Nikolaos E. <ni...@ad...> - 2018-06-08 08:59:45
Hi Krzysztof,

Let me explain the process in more detail. The OAuth authorisation flow is: the user sends an authorisation request to the /oauth2-authz endpoint (using a web application client), he is redirected to the B2ACCESS development instance and selects an IdP. After login he is redirected back to the client with a token.

The change we want to make to this flow is to preselect a specific IdP for the user for this specific client. Can Unity provide this option?

Regards,
Nick
From: Nikolaos E. <ni...@ad...> - 2018-06-28 06:46:23
Hello Krzysztof,

I have a different approach for this subject. The users are using a web portal where they request tokens from a client of B2ACCESS. The request is:

https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fsnf-761524.vm.okeanos.grnet.gr%2Fb2access%2Frefreshtoken.php&client_id=sdc-test-client-id&scope=openid+email+profile

After that the flow will throw the users here to log in:

https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz-web-entry

Is it possible, instead of the previous URL, to redirect the users to this login screen for that specific client?

https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz-web-entry?uy_select_authn=samlWeb.marine&uy_auto_login=true

I have tried to pass these parameters to the authorisation request (like this:

https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz?uy_select_authn=samlWeb.marine&uy_auto_login=true&response_type=code&redirect_uri=https%3A%2F%2Fsnf-761524.vm.okeanos.grnet.gr%2Fb2access%2Frefreshtoken.php&client_id=sdc-test-client-id&scope=openid+email+profile

) but it doesn't work.

Best Regards,
Nick

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Unity-idm-discuss mailing list
Uni...@li...
https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
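The two authorization requests above are ordinary OAuth2 code-flow requests, with Unity's uy_select_authn / uy_auto_login hints prepended in the second one. The following is an added example (not Unity's code and not from the thread) of the checks an authorization server must run on such a request before it shows any login screen: exact redirect_uri match, client_id lookup, scope validation, and extraction of the uy_* hints as something that only influences the login UI and never loosens a check. The client registry, the function name and the check wording are assumptions; the client_id and redirect_uri values are the ones from the request above.

```python
"""Authorization-request validation an OAuth2/OIDC authorization server should
perform before it shows any login screen.  Added example, not Unity code: the
client registry and the function/check names are assumptions; the client_id
and redirect_uri values are the ones used in the thread."""
from urllib.parse import urlsplit, parse_qs

# Constructed client registration, mirroring the thread's request.
REGISTERED_CLIENTS = {
    "sdc-test-client-id": {
        "redirect_uris": {"https://snf-761524.vm.okeanos.grnet.gr/b2access/refreshtoken.php"},
        "allowed_scopes": {"openid", "email", "profile"},
    }
}

# Unity's authentication-selection hints (from the manual section cited in the thread).
UNITY_HINT_PARAMS = ("uy_select_authn", "uy_auto_login")

# Sample requests copied from the thread (the second carries the uy_* hints).
SAMPLE_PLAIN = ("https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz"
                "?response_type=code"
                "&redirect_uri=https%3A%2F%2Fsnf-761524.vm.okeanos.grnet.gr%2Fb2access%2Frefreshtoken.php"
                "&client_id=sdc-test-client-id&scope=openid+email+profile")
SAMPLE_WITH_HINTS = ("https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz"
                     "?uy_select_authn=samlWeb.marine&uy_auto_login=true"
                     "&response_type=code"
                     "&redirect_uri=https%3A%2F%2Fsnf-761524.vm.okeanos.grnet.gr%2Fb2access%2Frefreshtoken.php"
                     "&client_id=sdc-test-client-id&scope=openid+email+profile")


def validate_authz_request(url, clients=REGISTERED_CLIENTS):
    """Return (ok, problems, hints).

    problems: every failed check, so an operator sees them all at once.
    hints:    the uy_* parameters present.  They only steer which login
              option the user sees; they carry no authorization and must not
              loosen any of the checks below.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    single, problems = {}, []
    for name, values in params.items():
        if len(values) > 1:                     # repeated params are ambiguous
            problems.append(f"parameter {name!r} is repeated")
        single[name] = values[0]

    if single.get("response_type") != "code":
        problems.append("response_type must be 'code' for the code flow")

    client = clients.get(single.get("client_id", ""))
    if client is None:
        problems.append("unknown client_id")
    else:
        # Exact string comparison of the (already percent-decoded) redirect_uri
        # against the registration: no prefix, wildcard or host-only matching.
        if single.get("redirect_uri") not in client["redirect_uris"]:
            problems.append("redirect_uri is not registered for this client")
        # parse_qs turns '+' into ' ', so 'openid+email+profile' splits cleanly.
        scopes = set(single.get("scope", "").split())
        if "openid" not in scopes:
            problems.append("scope lacks 'openid'; not an OIDC request")
        extra = scopes - client["allowed_scopes"]
        if extra:
            problems.append(f"scopes not allowed for this client: {sorted(extra)}")

    hints = {k: single[k] for k in UNITY_HINT_PARAMS if k in single}
    return (not problems, problems, hints)


if __name__ == "__main__":
    for url in (SAMPLE_PLAIN, SAMPLE_WITH_HINTS):
        ok, problems, hints = validate_authz_request(url)
        print(ok, problems, hints)
```

Both sample requests pass; the hints come back separately so the caller can decide whether to honour them, and a request whose redirect_uri is not the registered one is rejected regardless of what hints it carries.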
From: Nikolaos E. <ni...@ad...> - 2018-07-03 14:22:53
Hello Krzysztof,

I'm testing your suggestion to create a separate OAuth authorization endpoint, but I got some issues. When I make an authentication request to the new endpoint, I go directly to the login page of my preselected IdP (as expected), but after the login I get stuck at the ${new_endpoint}/oauth2-authz-web-entry portal and I'm asked to log in again. Do you have any suggestion to deal with this issue?

Regards,
Nick
From: Nikolaos E. <ni...@ad...> - 2018-07-06 11:00:50
Hello Krzysztof,

OK, I will try to describe my use case. I have created an OAuth client and I want to make an authorization request. The only change I want to make is, when the user logs in to Unity, to preselect an IdP for him instead of presenting him/her multiple IdPs, only for this client.

I tried to select the IdP using the URL parameters (?uy_select_authn=samlWeb.${authenticationOptionId}&uy_auto_login=true) but it wasn't working because uy_select_authn and uy_auto_login were ignored.

I then tried your suggestion to create an authorization endpoint and an authenticator with only one IdP. When I set unity.endpoint.web.autoLogin=true the flow asks the user to log in 2 times.

[attached screenshot]

When I set unity.endpoint.web.autoLogin=false the flow works fine.

[attached screenshot]

However the user still needs to select the marine IdP even though it's the only option. Is it possible to skip this step?

Regards,
Nick

On 4 Jul 2018, at 10:03, Krzysztof Benedyczak <kb...@un...> wrote:

> Nikolaos,
>
> Can you rephrase and extend your use case? I have made a 2nd approach to read it and I'm failing to understand. Just precisely describe what you want to realize and then how you try this.
>
> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-07-04 07:06:49
Can you evaluate the debug logs carefully, together with the web browser logs? What happens there, what is the precise flow of redirections? Visually this effect in the web browser can be due to many reasons - up to the situation where everything works but your client is redirecting to Unity again as it doesn't accept your new endpoint.

Best,
Krzysztof
From: Nikolaos E. <ni...@ad...> - 2018-07-04 11:48:01
Hello Krzysztof,

I don't see any warnings or errors in the logs. In the browser, if I try to log in I will get this message: "There is a SAML authentication going on already. Perhaps you used a Back button during authentication or authenticate in two browser windows? Either finish that login process or cancel it locally with the ''Cancel'' button before trying again."

I tried to switch unity.endpoint.web.autoLogin to false and it works. Maybe I misconfigured something. Here are all the changes I made:

1. Modified conf/unityServer.conf

unityServer.core.authenticators.marineWeb.authenticatorName=marineWeb
unityServer.core.authenticators.marineWeb.authenticatorType=saml2 with web-saml2
unityServer.core.authenticators.marineWeb.verificatorConfigurationFile=${CONF}/authenticators/marineAuth.properties
unityServer.core.authenticators.marineWeb.retrievalConfigurationFile=${CONF}/authenticators/marineAuth.properties

And

# Enables MarineID AS functionality
$include.marineAS=${CONF}/modules/marineAS.module

Both are copies of samlWeb and $include.oauthAS correspondingly.

2. Created authenticators/marineAuth.properties, a copy of remoteSamlAuth.properties

unity.saml.requester.requesterEntityId=https://unity.eudat-aai.fz-juelich.de:8443/unitygw/saml-sp-metadata
unity.saml.requester.metadataPath=metadata1
unity.saml.requester.requesterCredential=MAIN
unity.saml.requester.acceptedNameFormats.1=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
unity.saml.requester.acceptedNameFormats.2=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
unity.saml.requester.acceptedNameFormats.3=urn:oasis:names:tc:SAML:2.0:nameid-format:transient

unity.saml.requester.sloPath=slo1
unity.saml.requester.sloRealm=defaultRealm

unity.saml.requester.remoteIdp.marine.name=MarineID IdP
unity.saml.requester.remoteIdp.marine.address=https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO
unity.saml.requester.remoteIdp.marine.binding=HTTP_REDIRECT
unity.saml.requester.remoteIdp.marine.samlId=https://idp.marine-id.org/idp/shibboleth
unity.saml.requester.remoteIdp.marine.certificate=MARINEID
unity.saml.requester.remoteIdp.marine.translationProfile=marineID
unity.saml.requester.remoteIdp.marine.registrationFormForUnknown=marineID Registration Form
unity.saml.requester.remoteIdp.marine.enableAccountAssociation=false
unity.saml.requester.remoteIdp.marine.logoURI.en=https://www.marine-id.org/img/logo-noBG.svg

3. Created modules/oauthAS.module, a copy of oauthAS.module

unityServer.core.script.909.file=${CONF}/scripts/oauthDemoInitializer.groovy
unityServer.core.script.909.trigger=pre-init

unityServer.core.endpoints.marineOauth.endpointType=OAuth2Authz
unityServer.core.endpoints.marineOauth.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
unityServer.core.endpoints.marineOauth.contextPath=/oauth2-marine
unityServer.core.endpoints.marineOauth.endpointName=MarineID OAuth2 Authorization Server
unityServer.core.endpoints.marineOauth.endpointRealm=defaultRealm
unityServer.core.endpoints.marineOauth.endpointAuthenticators=marineWeb

unityServer.core.endpoints.marineToken.endpointType=OAuth2Token
unityServer.core.endpoints.marineToken.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
unityServer.core.endpoints.marineToken.contextPath=/marine
unityServer.core.endpoints.marineToken.endpointName=MarineID OAuth2 Token endpoint
unityServer.core.endpoints.marineToken.endpointRealm=defaultRealm
unityServer.core.endpoints.marineToken.endpointAuthenticators=pwdRest;certRest

4. Created modules/oauth/oauth2-marine.properties, a copy of modules/oauth/oauth2-as.properties

unity.oauth2.as.issuerUri=https://unity.eudat-aai.fz-juelich.de:8443/marine

unity.oauth2.as.signingCredential=MAIN

unity.oauth2.as.clientsGroup=/oauth-clients
unity.oauth2.as.usersGroup=/

unity.oauth2.as.translationProfile=marineIDout
unity.oauth2.as.accessTokenValidity=600
unity.oauth2.as.extendAccessTokenValidityUpTo=86400
unity.oauth2.as.refreshTokenValidity=0

# Definition of scopes
unity.oauth2.as.scopes.1.name=openid
unity.oauth2.as.scopes.1.description=Enables the OpenID Connect support

unity.oauth2.as.scopes.4.name=email
unity.oauth2.as.scopes.4.description=OpenID Connect Email Scope
unity.oauth2.as.scopes.4.attributes.1=email

unity.oauth2.as.scopes.5.name=profile
unity.oauth2.as.scopes.5.description=OpenID Connect user profile scope
unity.oauth2.as.scopes.5.attributes.1=name

unity.oauth2.as.scopes.2.name=USER_PROFILE
unity.oauth2.as.scopes.2.description=Provides access to the user's profile information
unity.oauth2.as.scopes.2.attributes.1=userName
unity.oauth2.as.scopes.2.attributes.2=email
unity.oauth2.as.scopes.2.attributes.3=groups
unity.oauth2.as.scopes.2.attributes.4=unity:persistent
unity.oauth2.as.scopes.2.attributes.5=urn:oid:2.5.4.49
unity.oauth2.as.scopes.2.attributes.6=name
unity.oauth2.as.scopes.2.attributes.7=cn

unity.oauth2.as.scopes.3.name=GENERATE_USER_CERTIFICATE
unity.oauth2.as.scopes.3.description=Generate User Certificate
unity.oauth2.as.scopes.3.attributes.1=userName
unity.oauth2.as.scopes.3.attributes.2=email
unity.oauth2.as.scopes.3.attributes.3=name
unity.oauth2.as.scopes.3.attributes.4=groups

#UI specific properties
unity.endpoint.web.enableRegistration=false
unity.endpoint.web.autoLogin=true

unity.endpoint.web.authenticationTiles.4.tileContents=oauthMarine
unity.endpoint.web.authenticationTiles.4.tileMode=table
unity.endpoint.web.authenticationTiles.4.tileName.en=Login with your MarineID

———————
Best regards,
Nick
From: Krzysztof B. <kb...@un...> - 2018-07-09 19:19:43
Hi Nikolaos,

I'm answering here for both recent emails. With this information I can understand what you want to perform now. It should work - at least a similar setup worked fine for me without a problem a moment ago:

Site ---OAuth login-->Unity AS with autoLogin --SAML login-->SAML IdP on Unity

More or less configured as below, but there are still tons of places where problems may happen.

First of all, read the logs. Looking for warnings/errors is not always helpful. You should enable DEBUG (or for this purpose even TRACE) logging of the SAML, OAuth and web subsystems. You will have information (search for "Proxy") on the auto-login fact (or that it is skipped).

The 2nd thing to do is to compare this with the browser log (Developer tools -> Network tab; important: turn off persistent logs, otherwise each redirect will clean the log).

With this information you should be able to precisely identify at which moment your flow is not behaving as expected and perhaps what the reason is.

HTH,
Krzysztof
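The diagnostic Krzysztof describes is a hop-by-hop view of the redirect chain. The script below is an added example (not Unity code and not from the thread) that does the same thing without a browser: it follows 3xx responses one at a time, records every URL, and stops as soon as a page is revisited, which is exactly the "asked to log in again" symptom of the reply above. The fetch callback is an assumption so the chain can be driven offline by a constructed fake; the fake hostnames and paths are invented and stand in for the AS, the SAML IdP and the return endpoint, not for Unity's real paths.

```python
"""Trace an HTTP redirect chain hop by hop and flag loops.  Added example, not
Unity code: it reproduces, offline, the check done by hand in the browser's
Network tab.  `fetch(url) -> (status, location)` is an assumed callback so the
chain can be driven by the constructed fake below; `live_fetch` is a real one."""
from urllib.parse import urlsplit, urljoin
import http.client


def normalize(url):
    """Key for loop detection: scheme, host and path only.  The query string is
    ignored so changing per-request values (state, SAMLRequest, ...) cannot
    hide a revisit of the same page."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))


def trace_redirects(fetch, start_url, max_hops=20):
    """Follow 3xx responses manually.  Returns (hops, verdict): hops is the
    ordered list of URLs visited, verdict is 'final', 'loop' or 'too_many'."""
    hops = [start_url]
    seen = {normalize(start_url)}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400) or not location:
            return hops, "final"              # a real page, not a redirect
        url = urljoin(url, location)          # Location may be relative
        hops.append(url)
        key = normalize(url)
        if key in seen:                       # same page twice = login loop
            return hops, "loop"
        seen.add(key)
    return hops, "too_many"


def live_fetch(url, timeout=10):
    """Real fetch that does NOT auto-follow redirects (http.client never does)."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.netloc, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request("GET", path)
    resp = conn.getresponse()
    resp.read()
    return resp.status, resp.getheader("Location")


# Constructed fake of the symptom in the thread: the AS entry page bounces to
# the IdP, the IdP returns the user to the AS, and the AS sends the user to the
# entry page again.  Hosts and paths are invented for the example.
FAKE_RESPONSES = {
    ("https", "as.example", "/oauth2-marine/oauth2-authz"):
        (302, "/oauth2-marine/oauth2-authz-web-entry"),
    ("https", "as.example", "/oauth2-marine/oauth2-authz-web-entry"):
        (302, "https://idp.example/idp/profile/SAML2/Redirect/SSO?SAMLRequest=abc"),
    ("https", "idp.example", "/idp/profile/SAML2/Redirect/SSO"):
        (302, "https://as.example/saml/return"),
    ("https", "as.example", "/saml/return"):
        (302, "https://as.example/oauth2-marine/oauth2-authz-web-entry?state=1"),
}


def fake_fetch(url):
    """Offline stand-in for live_fetch driven by FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(normalize(url), (200, None))


if __name__ == "__main__":
    hops, verdict = trace_redirects(fake_fetch, "https://as.example/oauth2-marine/oauth2-authz")
    for i, h in enumerate(hops):
        print(i, h)
    print("verdict:", verdict)
```

Against the fake, the trace lists five hops and reports a loop at the second visit to oauth2-authz-web-entry; against a live server (swap in live_fetch) the hop at which the chain turns back is the place to read the DEBUG/TRACE log for.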
From: Nikolaos E. <ni...@ad...> - 2018-09-19 06:47:45
Hello Krzysztof,

After a long time I tried to enable auto-login again and I managed to resolve my issue, and I'm posting the solution. The use case is:

Site —> OAuth authorization request —> Unity AS with autoLogin & authenticator with one IdP —> SAML login —> SAML IdP on Unity

As I posted earlier, I copied the current ${CONF}/modules/oauth/oauth2-as.properties for the new endpoint ${CONF}/modules/oauth/oauth2-sdc.properties. The oauth2-as.properties has the following properties:

unity.endpoint.web.authenticationTiles.1.tileContents=pwd cert
unity.endpoint.web.authenticationTiles.2.tileContents=oauth
unity.endpoint.web.authenticationTiles.3.tileContents=saml

And oauth2-sdc.properties has:

unity.endpoint.web.authenticationTiles.1.tileContents=saml

With these properties the flow wasn't working, and when the user returned to Unity he/she was stuck in a loop where he/she was asked to log in again. Then I changed the oauth2-sdc.properties authenticationTiles number from 1 to 11:

unity.endpoint.web.authenticationTiles.11.tileContents=saml

And then everything worked smoothly. I guess it was a conflict on the authenticationTiles number id because both belong to the same endpoint type (OAuth2Authz/OAuth2Token).

Regards,
Nick
Created modules/oauth/oauth2-marine.properties copy of modules/oauth/oauth2-as.properties >> unity.oauth2.as.issuerUri=https://unity.eudat-aai.fz-juelich.de:8443/marine >> >> unity.oauth2.as.signingCredential=MAIN >> >> unity.oauth2.as.clientsGroup=/oauth-clients >> unity.oauth2.as.usersGroup=/ >> >> unity.oauth2.as.translationProfile=marineIDout >> unity.oauth2.as.accessTokenValidity=600 >> unity.oauth2.as.extendAccessTokenValidityUpTo=86400 >> unity.oauth2.as.refreshTokenValidity=0 >> # Definition of scopes >> >> unity.oauth2.as.scopes.1.name=openid >> unity.oauth2.as.scopes.1.description=Enables the OpenID Connect support >> >> unity.oauth2.as.scopes.4.name=email >> unity.oauth2.as.scopes.4.description=OpenID Connect Email Scope >> unity.oauth2.as.scopes.4.attributes.1=email >> >> unity.oauth2.as.scopes.5.name=profile >> unity.oauth2.as.scopes.5.description=OpenID Connect user profile scope >> unity.oauth2.as.scopes.5.attributes.1=name >> >> unity.oauth2.as.scopes.2.name=USER_PROFILE >> unity.oauth2.as.scopes.2.description=Provides access to the user's profile information >> unity.oauth2.as.scopes.2.attributes.1=userName >> unity.oauth2.as.scopes.2.attributes.2=email >> unity.oauth2.as.scopes.2.attributes.3=groups >> unity.oauth2.as.scopes.2.attributes.4=unity:persistent >> unity.oauth2.as.scopes.2.attributes.5=urn:oid:2.5.4.49 >> unity.oauth2.as.scopes.2.attributes.6=name >> unity.oauth2.as.scopes.2.attributes.7=cn >> >> >> unity.oauth2.as.scopes.3.name=GENERATE_USER_CERTIFICATE >> unity.oauth2.as.scopes.3.description=Generate User Certificate >> unity.oauth2.as.scopes.3.attributes.1=userName >> unity.oauth2.as.scopes.3.attributes.2=email >> unity.oauth2.as.scopes.3.attributes.3=name >> unity.oauth2.as.scopes.3.attributes.4=groups >> >> >> #UI specific properties >> unity.endpoint.web.enableRegistration=false >> unity.endpoint.web.autoLogin=true >> >> unity.endpoint.web.authenticationTiles.4.tileContents=oauthMarine >> 
unity.endpoint.web.authenticationTiles.4.tileMode=table >> unity.endpoint.web.authenticationTiles.4.tileName.en=Login with your MarineID >> >> ——————— >> Best regards, >> Nick >> >>> On 4 Jul 2018, at 10:06, Krzysztof Benedyczak <kb...@un...> wrote: >>> >>> W dniu 03.07.2018 o 16:22, Nikolaos Evangelou pisze: >>>> Hello Krzysztof, >>>> >>>> I’m testing your suggestion to create a separate oauth authorization endpoint, but I got some issues. When I make an authentication request to the new endpoint, I go directly to the login page of my preselected IdP (as expected) but after the login I got stack to ${new_endpoint}/oauth2-authz-web-entry portal, and I’m asked to login again. Do you have any suggestion to deal with this issue? >>> Can you evaluate debug logs carefully, together with web browser logs? What happens there, what is precise flow of redirections? Visually this effect in web browser can be due many reasons - up to situation where everything works but your client is redirecting to Unity again as it doesn't accept your new endpoint. >>> >>> Best, >>> Krzysztof > > |
From: Nikolaos E. <ni...@ad...> - 2018-09-19 07:26:46
Little fix, the correct property is:
unity.endpoint.web.authenticationTiles.11.tileContents=sdc

Also the tileContents value should be unique.

On 19 Sep 2018, at 09:31, Nikolaos Evangelou <ni...@ad...> wrote:
> Then I changed oauth2-sdc.properties authenticationTiles number from 1 to 11
> unity.endpoint.web.authenticationTiles.11.tileContents=saml
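The two posts above attribute the login loop to two endpoints of the same type reusing an authenticationTiles index, and then to a reused tileContents value. The following is an added, hypothetical pre-deployment check written for this thread, not part of Unity IdM: it parses the relevant .properties files (sample contents below are constructed from the thread) and reports tile indices or tileContents values shared between them.

```python
"""Hypothetical checker (added example, not part of Unity IdM) for the tile
clash described in the thread: two endpoint config files of the same endpoint
type reusing the same unity.endpoint.web.authenticationTiles.<N> index, or the
same tileContents value, which the follow-up says must be unique."""
import re
from collections import defaultdict

TILE_KEY = re.compile(r"^unity\.endpoint\.web\.authenticationTiles\.(\d+)\.tileContents$")


def parse_properties(text):
    """Minimal Java-style .properties parser: key=value, '#' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def tile_contents(props):
    """Map tile index -> tileContents value for one endpoint config."""
    tiles = {}
    for key, value in props.items():
        m = TILE_KEY.match(key)
        if m:
            tiles[int(m.group(1))] = value
    return tiles


def find_tile_conflicts(configs):
    """configs: {file name: properties text} for endpoints sharing an endpoint type.
    Returns (index_conflicts, content_conflicts): index -> files, value -> files."""
    by_index = defaultdict(set)
    by_content = defaultdict(set)
    for name, text in configs.items():
        for idx, value in tile_contents(parse_properties(text)).items():
            by_index[idx].add(name)
            by_content[value].add(name)
    return ({i: sorted(f) for i, f in by_index.items() if len(f) > 1},
            {v: sorted(f) for v, f in by_content.items() if len(f) > 1})


# Constructed sample contents mirroring the thread (not the real deployment files).
OAUTH2_AS = """
unity.endpoint.web.authenticationTiles.1.tileContents=pwd cert
unity.endpoint.web.authenticationTiles.2.tileContents=oauth
unity.endpoint.web.authenticationTiles.3.tileContents=saml
"""
SDC_BROKEN = "unity.endpoint.web.authenticationTiles.1.tileContents=saml\n"  # looping setup
SDC_FIXED = "unity.endpoint.web.authenticationTiles.11.tileContents=sdc\n"   # corrected setup
```

Run `find_tile_conflicts({"oauth2-as.properties": OAUTH2_AS, "oauth2-sdc.properties": SDC_BROKEN})` to see both the index 1 clash and the duplicated "saml" value; the SDC_FIXED variant reports neither.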
From: Krzysztof B. <kb...@un...> - 2018-09-24 06:22:15
Hi Nick,

On 19.09.2018 at 08:31, Nikolaos Evangelou wrote:
> Hello Krzysztof,
>
> After a long time I tried to enable auto login again and I managed to resolve my issue and I'm posting the solution.
>
> The use case is: Site —> OAuth authorization request —> Unity AS with autoLogin & authenticator with one IdP —> SAML login —> SAML IdP on Unity
> As I posted earlier I copied the current ${CONF}/modules/oauth/oauth2-as.properties for the new endpoint ${CONF}/modules/oauth/oauth2-sdc.properties.
>
> The oauth2-as.properties has the following properties:
> unity.endpoint.web.authenticationTiles.1.tileContents=pwd cert
> unity.endpoint.web.authenticationTiles.2.tileContents=oauth
> unity.endpoint.web.authenticationTiles.3.tileContents=saml
>
> And oauth2-sdc.properties has:
> unity.endpoint.web.authenticationTiles.1.tileContents=saml
>
> With these properties the flow wasn't working and when the user returned to Unity he/she was stuck in a loop where he/she was asked to login again.
>
> Then I changed oauth2-sdc.properties authenticationTiles number from 1 to 11
> unity.endpoint.web.authenticationTiles.11.tileContents=saml
>
> And then everything worked smoothly.
>
> I guess it was a conflict on the authenticationTiles number id because both belong to the same endpoint type (OAuth2Authz/OAuth2Token)

I'm glad it is working. In the meantime there were some changes in that feature, related to the major refactoring of how the authN screen works. Tiles are gone; the current way of configuring and presenting authN options is much better. This triggered also an update of the auto-proxy feature, which since the 2.6.2 release should work in a more reliable way (triggering and return handling was changed to a different, more stable approach).

Thanks for the info,
KB