From: Sander A. <sa....@fz...> - 2022-03-01 07:15:13
Good morning Krzysztof, good morning Roman,

sorry for the next topic I open here. Hopefully it is easy to answer/solve. We are testing the 2FA using OTP. So far it works fine. But we are looking at how we could signal a service that 2FA was used. Is there a way to get this information within Unity? Maybe fetching the credentials status and if it is enabled for the user could help.

Another question which might be raised by the user is, how could I delete the 2FA instead of disabling it. Is this possible?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, no. HR B 3498
Chairman of the supervisory board: MinDir Volker Rieke
Management board: Prof. Dr.-Ing. Wolfgang Marquardt (chairman), Karsten Beneke (deputy chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2022-03-01 16:24:24
hi,

On 01.03.2022 at 08:15, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> sorry for the next topic I open here. Hopefully it is easy to answer/solve. We are testing the 2FA using OTP. So far it works fine. But we are looking at how we could signal a service that 2FA was used. Is there a way to get this information within Unity? Maybe fetching the credentials status and if it is enabled for the user could help.

Unfortunately it is not exposed in the output profile context. There are authenticated identities but no info about the factors used to authenticate. Adding that is basically one line of code (maybe two - there are two factors) - so no problem to deliver that quickly.

> Another question which might be raised by the user is, how could I delete the 2FA instead of disabling it. Is this possible?

We block this operation on HomeUI intentionally. It can be requested via admin (in the console that's possible). In general that's very risky (the user can lock herself out from the service), and perhaps a super rare operation.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-03-02 08:39:02
Good morning Krzysztof,

On Tue, 2022-03-01 at 17:24 +0100, Krzysztof Benedyczak wrote:
> hi,
>
> On 01.03.2022 at 08:15, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> >
> > sorry for the next topic I open here. Hopefully it is easy to answer/solve. We are testing the 2FA using OTP. So far it works fine. But we are looking at how we could signal a service that 2FA was used. Is there a way to get this information within Unity? Maybe fetching the credentials status and if it is enabled for the user could help.
>
> Unfortunately it is not exposed in the output profile context. There are authenticated identities but no info about the factors used to authenticate. Adding that is basically one line of code (maybe two - there are two factors) - so no problem to deliver that quickly.

That would be great. In this case we could avoid having multiple OAuth or SAML ones, one with mandatory 2FA and one with optional.

> > Another question which might be raised by the user is, how could I delete the 2FA instead of disabling it. Is this possible?
>
> We block this operation on HomeUI intentionally. It can be requested via admin (in the console that's possible). In general that's very risky (the user can lock herself out from the service), and perhaps a super rare operation.

OK. I understand it fully. So we would just document that this operation must be requested via ticket.

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2022-03-03 08:03:39
Hi,

On 02.03.2022 at 09:39, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> On Tue, 2022-03-01 at 17:24 +0100, Krzysztof Benedyczak wrote:
> > hi,
> >
> > On 01.03.2022 at 08:15, Sander Apweiler wrote:
> > > Good morning Krzysztof,
> > > good morning Roman,
> > >
> > > sorry for the next topic I open here. Hopefully it is easy to answer/solve. We are testing the 2FA using OTP. So far it works fine. But we are looking at how we could signal a service that 2FA was used. Is there a way to get this information within Unity? Maybe fetching the credentials status and if it is enabled for the user could help.
> >
> > Unfortunately it is not exposed in the output profile context. There are authenticated identities but no info about the factors used to authenticate. Adding that is basically one line of code (maybe two - there are two factors) - so no problem to deliver that quickly.
>
> That would be great. In this case we could avoid having multiple OAuth or SAML ones, one with mandatory 2FA and one with optional.

No problem, I've opened a ticket to track that, should be in the next feature release.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-03-03 08:09:48
Hi Krzysztof,

great thanks!

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2022-03-03 10:12:18
Hi Krzysztof,

sorry for extending the question, but it is related to this. Would it be possible to signal this in the ACR claim in OIDC and section in SAML? This might be the best way for services to use this information. I do not expect that this will work in the next release.

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2022-03-03 13:02:04
Hi,

On 03.03.2022 at 11:12, Sander Apweiler wrote:
> Hi Krzysztof,
> sorry for extending the question, but it is related to this. Would it be possible to signal this in the ACR claim in OIDC and section in SAML? This might be the best way for services to use this information. I do not expect that this will work in the next release.

After the simple enhancement as discussed so far, adding the acr claim should not be a big problem in the output profile.

As for SAML subject confirmations (or any dedicated support for ACRs in OIDC) - that's a broader topic. We even have some old ticket about this in the SAML context. Surely we would need to discuss requirements here. This is a pretty fuzzy subject as the number of standards, specs, and approaches used is very wide, and it is hard to design a solution working well for (at least) all the major use cases.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-03-03 13:30:36
Hi Krzysztof,

On Thu, 2022-03-03 at 14:01 +0100, Krzysztof Benedyczak wrote:
> Hi,
>
> On 03.03.2022 at 11:12, Sander Apweiler wrote:
> > Hi Krzysztof,
> > sorry for extending the question, but it is related to this. Would it be possible to signal this in the ACR claim in OIDC and section in SAML? This might be the best way for services to use this information. I do not expect that this will work in the next release.
>
> After the simple enhancement as discussed so far, adding the acr claim should not be a big problem in the output profile.

That sounds great.

> As for SAML subject confirmations (or any dedicated support for ACRs in OIDC) - that's a broader topic. We even have some old ticket about this in the SAML context. Surely we would need to discuss requirements here. This is a pretty fuzzy subject as the number of standards, specs, and approaches used is very wide, and it is hard to design a solution working well for (at least) all the major use cases.

No worry. We can pass this information via an attribute.

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2022-04-21 05:47:01
Good morning Krzysztof,

was this added to the 3.9.0 release? If yes, how do we configure this? At least I didn't find it in the manual.

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2022-04-21 07:57:19
Hi Sander,

On 21.04.2022 at 07:47, Sander Apweiler wrote:
> Good morning Krzysztof,
> was this added to the 3.9.0 release? If yes, how do we configure this? At least I didn't find it in the manual.

Yes, it was :-)

See https://www.unity-idm.eu/documentation/unity-3.9.0/manual.html#_output_translation

In the MVEL context you have new variables: 'mfa' and 'authenticatedWith'.

HTH,
Krzysztof
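The service side of what this thread arrives at (an `acr` claim, or an attribute, derived from Unity's `mfa` context variable), as an added example that is neither Unity's code nor anything posted in the thread: the relying party asks the OP for an MFA-backed login and then refuses ID tokens that carry no MFA signal. It goes slightly beyond the thread by also accepting the standard `amr` claim (RFC 8176). The REFEDS MFA profile URI as the agreed ACR value and a custom boolean claim named `mfa` as the attribute fallback are assumptions; the sample payloads are constructed.

```python
import json

# Agreed ACR value for OTP-backed logins: the REFEDS MFA profile (assumption
# that the Unity output profile maps its `mfa` context variable to this).
MFA_ACR = "https://refeds.org/profile/mfa"
# A subset of RFC 8176 "amr" values, grouped by factor type.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "hwk", "swk", "sms", "sc"}
INHERENCE = {"fpt", "face", "iris", "vbm"}

def authorization_params(client_id, redirect_uri, nonce, required_acr=MFA_ACR):
    """Authorization request parameters asking the OP for an MFA-backed login
    (OIDC Core 5.5.1.1). Marking acr essential obliges the OP to satisfy it or
    to return an error rather than a token without it."""
    claims = {"id_token": {"acr": {"essential": True, "values": [required_acr]}}}
    return {
        "response_type": "code", "scope": "openid", "client_id": client_id,
        "redirect_uri": redirect_uri, "nonce": nonce,
        "acr_values": required_acr,
        "claims": json.dumps(claims, separators=(",", ":")),
    }

def mfa_satisfied(claims, required_acr=MFA_ACR, mfa_claim="mfa"):
    """Decide from an ID token payload (signature already verified by the OIDC
    library) whether two factors were used. Returns (ok, reason). No signal at
    all is a denial: an OP that emits nothing must not be assumed to have done MFA."""
    if claims.get("acr") == required_acr:
        return True, "acr"
    amr = claims.get("amr")
    if isinstance(amr, list):
        kinds = set()
        for m in amr:
            if m == "mfa":  # the OP asserts multiple factors itself
                return True, "amr:mfa"
            for tag, group in (("k", KNOWLEDGE), ("p", POSSESSION), ("i", INHERENCE)):
                if m in group:
                    kinds.add(tag)
        if len(kinds) >= 2:  # two factors of *different* types (pwd+pin is not 2FA)
            return True, "amr:" + ",".join(sorted(kinds))
    if claims.get(mfa_claim) is True:  # custom attribute fallback from the thread
        return True, "attribute"
    return False, "no MFA signal in token"

# Constructed sample payloads, not real tokens.
SAMPLES = {
    "otp_login": {"sub": "alice", "acr": MFA_ACR},
    "pwd_plus_hw": {"sub": "bob", "amr": ["pwd", "hwk"]},
    "pwd_only": {"sub": "carol", "amr": ["pwd"]},
    "attr_only": {"sub": "dave", "mfa": True},
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, mfa_satisfied(payload))
```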