openconext-manage's Introduction

OpenConext

License

See the LICENSE file

Disclaimer

See the NOTICE.txt file

General Information

General information on OpenConext can be found at: https://www.openconext.org

OpenConext uses the GitHub OpenConext wiki for information regarding deployment and development of OpenConext.

OpenConext wants to kindly thank BrowserStack.com for providing a "Free for Open Source" license. This tool provides live, web-based browser testing and eliminates the need for maintaining several local VMs.

openconext-manage's People

Contributors

carstendeyl, danakim, dependabot[bot], jong-vincent, oharsta, quartje, stephan-kok, tbkennisnet, thijskh, tpoot01, tvdijen

openconext-manage's Issues

Feature request: Display `product.name` in title/tab

We run OC/Manage for many customers and sometimes it's hard to distinguish them if you have many open tabs.
All tabs are named "Manage". It would be really nice if the value from the product.name setting was used there so it's easier to distinguish the tabs.

Feature request: warn about duplicate certData values

I just ran into the situation where we had made a mistake during an IdP key-rollover and we accidentally put the old key in both certData and certData2 instead of putting the new key in certData2.
This made me wonder if we could get a trigger warning if any of the certData values are the same.

An indicator that marks expired and nearly expired keys would also be really nice to have and would probably also have prevented our mistake.
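An added example of the two checks this issue asks for (duplicate certData values, and expired or nearly expired keys), written for this page and not taken from Manage's own code. It assumes the certData, certData2 and certData3 fields hold the base64 DER body of the X.509 certificate, as it appears in SAML metadata; the sample certificates are hand-built DER skeletons with the field order of a real certificate (unsigned, empty names and keys), constructed so the example runs offline:

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# --- minimal DER walking, just enough to reach tbsCertificate.validity ---------

def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                                    # UTCTime YYMMDDHHMMSSZ
        yy = int(s[:2])                                # RFC 5280: YY >= 50 means 19YY
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                                  # else GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)                     # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])          # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)

CERT_FIELDS = ("certData", "certData2", "certData3")  # assumed Manage field names

def check_certs(metadata_fields, now=None, warn_days=30):
    """Warn on duplicate certData values and on expired or nearly expired certificates."""
    now = now or datetime.now(timezone.utc)
    warnings, seen = [], {}
    for key in CERT_FIELDS:
        b64 = metadata_fields.get(key)
        if not b64:
            continue
        der = base64.b64decode("".join(b64.split()))  # tolerate PEM-style line breaks
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint in seen:
            warnings.append(f"{key} duplicates {seen[fingerprint]} (sha256 {fingerprint[:16]}...)")
        else:
            seen[fingerprint] = key
        _, not_after = cert_validity(der)
        if not_after < now:
            warnings.append(f"{key} expired on {not_after:%Y-%m-%d}")
        elif not_after - now < timedelta(days=warn_days):
            warnings.append(f"{key} expires within {warn_days} days ({not_after:%Y-%m-%d})")
    return warnings

# --- constructed sample input: certificate-shaped DER, not real signed certs ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_cert_der(not_before, not_after):
    """Unsigned skeleton with the field order of a real certificate and empty names/keys."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                  # [0] version v3
           + _tlv(0x02, b"\x01")                            # serialNumber
           + _tlv(0x30, b"") + _tlv(0x30, b"")              # signature, issuer
           + _tlv(0x30, utc(not_before) + utc(not_after))   # validity
           + _tlv(0x30, b"") + _tlv(0x30, b""))             # subject, subjectPublicKeyInfo
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

def utc_dt(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)

def b64_cert(not_before, not_after):
    """Base64 DER as it would sit in a certData field (constructed sample)."""
    return base64.b64encode(fake_cert_der(not_before, not_after)).decode()

NOW = utc_dt(2025, 6, 1)
OLD_CERT = b64_cert(utc_dt(2023, 6, 1), utc_dt(2025, 6, 15))
NEW_CERT = b64_cert(utc_dt(2025, 5, 1), utc_dt(2027, 5, 1))
ROLLOVER_MISTAKE = {"certData": OLD_CERT, "certData2": OLD_CERT}  # the issue's mistake
ROLLOVER_CORRECT = {"certData": OLD_CERT, "certData2": NEW_CERT}
```

Run `check_certs(ROLLOVER_MISTAKE, now=NOW)` and the rollover mistake shows up twice: certData2 is reported as a duplicate of certData, and both fields are flagged as expiring within 30 days, which is exactly the signal that would have caught the wrong paste. Comparing SHA-256 fingerprints of the decoded DER rather than the raw strings means re-wrapped or re-indented copies of the same certificate are still recognised as duplicates.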

Incorrect whitelist on JSON-import

When importing SP-metadata using JSON import, where the metadata contains "state" : "prodaccepted", the whitelist dropdown will show entities for "testaccepted".

The state is being displayed correctly on the 'Connections'-tab and flipping the state back and forth solves the glitch, so my guess is that the internal representation defaults to testaccepted instead of the imported JSON-value.

4.0.11: Unexpected Error on metadata import

I recently upgraded from 3.2.13 to 4.0.11 and ran into an 'Unexpected error' while importing XML metadata of an AD FS IDP. Rolling back to 3.2.13 solved the issue, so something must have changed between those versions. I haven't had the time to further pinpoint this.

From the server logs:

Nov 4 14:25:34 MANAGE-DWR: [http-nio-9393-exec-1] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping Returning handler method [public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> manage.control.ErrorController.error(javax.servlet.http.HttpServletRequest)]
Nov 4 14:25:34 MANAGE-DWR: [http-nio-9393-exec-1] org.springframework.beans.factory.support.DefaultListableBeanFactory Returning cached instance of singleton bean 'errorController'
Nov 4 14:25:34 MANAGE-DWR: [http-nio-9393-exec-1] org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor Written [{timestamp=Mon Nov 04 14:25:34 CET 2019, status=500, error=Internal Server Error, exception=java.lang.NullPointerException, path=/manage/api/client/import/xml/saml20_idp}] as "application/json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@57ac5227]

Feature request: warn when removing an entity with active whitelist-references

Some of my IDPs were replaced and got different entityIDs.
The old IDP trusts have been removed before cleaning up any whitelists configured on SPs.
This leads to warnings: "There are unknown entities connected to this Service Provider: ", and it's really a hassle to get rid of that warning.

My suggestion would be to either refuse removal of entities that have active references or at least list and warn about the active references before removal.

Update: I didn't actually remove the old IDP entity, but set the state to testaccepted. I think however my point here still holds.

Bug in search-API

When setting coin:institution_id to 1 and then searching for it using the following command:

curl -H 'Content-Type: application/json' -u test:test -X POST -d '{"metaDataFields.coin:institution_id":"1", "ALL_ATTRIBUTES":true}' 'http://localhost:9393/internal/search/saml20_idp'

will return nothing. When the institution ID is changed to test and the query is changed to reflect that, I do get a result. It appears that the search API doesn't deal with numeric values well.

Searching for '*' shows all but one entities

When searching for Service Providers with search-query * it is supposed to show all possible entities, but I noticed there is always one missing (the last one added).

This same issue does not seem to exist when searching for Identity Providers.

Adding a new 'test' SP reveals the missing entry, but then the new 'test' SP doesn't show in the list. Appears to be an 'off-by-one' bug.

v7.2.9 was used

3.0.5: SP Metadata import fails

I'm trying to bootstrap OC-dashboard, but both metadata imports (tested both XML and URL) fail with an error message that doesn't make much sense to me:

Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping Looking up handler method for path /client/import/endpoint/xml/saml20_sp
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping Did not find handler method for [/client/import/endpoint/xml/saml20_sp]
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping Looking up handler method for path /client/import/endpoint/xml/saml20_sp
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping Returning handler method [public java.util.Map<java.lang.String, java.lang.Object> manage.control.ImportController.importXMLUrl(java.lang.String,manage.model.Import)]
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.beans.factory.support.DefaultListableBeanFactory Returning cached instance of singleton bean 'importController'
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.web.servlet.mvc.method.annotation.RequestResponseBodyMethodProcessor Read [class manage.model.Import] as "application/json;charset=UTF-8" with [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@67ab1c47]
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver Resolving exception from handler [public java.util.Map<java.lang.String, java.lang.Object> manage.control.ImportController.importXMLUrl(java.lang.String,manage.model.Import)]: java.lang.IllegalStateException: Duplicate key urn:mace:dir:attribute-def:displayName
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver Resolving exception from handler [public java.util.Map<java.lang.String, java.lang.Object> manage.control.ImportController.importXMLUrl(java.lang.String,manage.model.Import)]: java.lang.IllegalStateException: Duplicate key urn:mace:dir:attribute-def:displayName
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver Resolving exception from handler [public java.util.Map<java.lang.String, java.lang.Object> manage.control.ImportController.importXMLUrl(java.lang.String,manage.model.Import)]: java.lang.IllegalStateException: Duplicate key urn:mace:dir:attribute-def:displayName
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.web.servlet.DispatcherServlet Could not complete request
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.boot.web.filter.OrderedRequestContextFilter Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@792c583a
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/manage/api].[dispatcherServlet] Servlet.service() for servlet [dispatcherServlet] in context with path [/manage/api] threw exception [Request processing failed; nested exception is java.lang.IllegalStateException: Duplicate key urn:mace:dir:attribute-def:displayName] with root cause
Aug 18 15:57:10 webapp-4.ext.moo-archive.nl MANAGE: [http-nio-9393-exec-9] org.springframework.web.servlet.DispatcherServlet DispatcherServlet with name 'dispatcherServlet' processing POST request for [/manage/api/error]

I've attached a copy of the metadata I'm trying to import:
Metadata.txt

Feature request: add additional states by configuration

It would be really nice to be able to add additional states without having to manipulate code.
Right now, I have to edit manage-gui/src/components/metadata/SelectState.jsx, add translations for it in manage-gui/src/locale/en.js and rebuild.

Add concept op "basic service" to Manage

Introduce the concept of a "basic service" in Manage. Such a Service should be automatically connected to all IdPs (except when an IdP is explicitly opted out, for example, because it is part of an IdP migration).

This allows us to define a set of basic services (like Dashboard, Community stuff, Event system, etc.) to which all SURFconext IdPs should be connected.

@thijskh

3.0.1: unable to create new IdP's

After upgrading to 3.0.1 I am no longer able to create a new IdP connection:

Jul 6 18:42:14 MANAGE: [http-nio-9393-exec-7] org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver Resolving exception from handler [public manage.model.MetaData manage.control.MetaDataController.post(manage.model.MetaData,manage.shibboleth.FederatedUser) throws com.fasterxml.jackson.core.JsonProcessingException]: java.lang.NullPointerException
Jul 6 18:42:14 MANAGE: [http-nio-9393-exec-7] org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver Resolving exception from handler [public manage.model.MetaData manage.control.MetaDataController.post(manage.model.MetaData,manage.shibboleth.FederatedUser) throws com.fasterxml.jackson.core.JsonProcessingException]: java.lang.NullPointerException
Jul 6 18:42:14 MANAGE: [http-nio-9393-exec-7] org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver Resolving exception from handler [public manage.model.MetaData manage.control.MetaDataController.post(manage.model.MetaData,manage.shibboleth.FederatedUser) throws com.fasterxml.jackson.core.JsonProcessingException]: java.lang.NullPointerException
Jul 6 18:42:14 MANAGE: [http-nio-9393-exec-7] org.springframework.web.servlet.DispatcherServlet Could not complete request

(screenshot attached)

How can the risk of feature toggle technical debt be reduced?

Dear developers,

I, Rezvan Mahdavi Hezaveh ([email protected]), and my colleague, Nirav Ajmeri ([email protected]), software engineering researchers from North Carolina State University are conducting an academic study of feature toggles and technical debt.

In our investigations on GitHub repositories, we noticed that you are using feature toggles in your repository. For instance, in this commit a new feature toggle is added. In some of the changed files in this commit, two feature toggles named show_oidc_rp and exclude_oidc_rp are added with inverse values, two toggles for one purpose. It seems to be a redundancy in defining feature toggles.

We would appreciate your collaboration in this study by answering an anonymous survey based upon your experience with the feature toggles. This survey has 20 questions and the estimated time to answer these questions is 10 minutes.

The link to the survey is here: https://ncsu.qualtrics.com/jfe/form/SV_5BGE3wNDUtFQqMd

Once you start answering the survey questionnaire, you will have 24 hours to finish it.
As an appreciation for your time, we will conduct a random drawing and give $25 Amazon gift cards to five selected survey respondents. Also, we will share our results with you.

Thanks

Error when saving 'no change'

I have an OC-instance that doesn't use OIDC, so I removed metadata_configuration/oidc10_rp.schema.json so it doesn't show up as a menu-item (tab).
Now, when I try to save something that didn't really change anything (i.e. I replace certData with the exact same content and then try to save), I get a nasty error:

(screenshot attached)

The event is also logged;

May  8 16:33:43 MANAGE-IDPB-JENV: [http-nio-9302-exec-10] org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet] Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.IllegalArgumentException: The oidc10_rp schema does not exists] with root cause
May  8 16:33:43 MANAGE-IDPB-JENV: [http-nio-9302-exec-2] manage.control.UserController {"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","message":"Error: Internal Server Error","url":"https://manage.example.org/static/js/main.d3a04cab.js","line":2,"col":2665610,"error":"Internal Server Error","stack":"Or/<@https://manage.example.org/static/js/main.d3a04cab.js:2:2665610\n","targetUrl":"https://manage.example.org/manage/api/client/metadata","status":500,"dateTime":"02024-33-08 04:33:43","machine":"myMachine","user":{"username":"urn:collab:person:example.org:tim","authorities":[{"authority":"ROLE_ADMIN"},{"authority":"ROLE_USER"}],"accountNonExpired":true,"accountNonLocked":true,"credentialsNonExpired":true,"enabled":true,"uid":"urn:collab:person:example.org:tim","displayName":"Dijen, Tim van","schacHomeOrganization":"","featureToggles":["PUSH","VALIDATION","PUSH_PREVIEW","ORPHANS"],"product":{"organization":"OpenConext","name":"Manage IDPB JenV","serviceProviderFeedUrl":"http://localhost:8000/edugain.xml","showOidcRp":true},"push":{"url":"https://engine-api.example.org/api/connections","name":"OpenConext EngineBlock","oidcUrl":"https://oidc.example.org/manage/connections","oidcName":"OpenConext OIDC-NG","excludeOidcRP":true},"name":"urn:collab:person:example.org:tim","guest":false,"apiuser":false}}

Now, when I put back the configuration template and repeat this action, I get a nice red bar telling me "No data is changed".
I believe that leaving config-templates away is the way to enable/disable features in Manage, so leaving out a file shouldn't be causing this exception.

ARP attributes names

I'm having an issue with the way attributes are displayed in the ARP-tab.
Let's say we have the following configuration in metadata_configuration/saml20_sp.schema.json:

            "urn:example.org:customer-x:app-x:employeeId": {
              "$ref": "#/definitions/ArpAttribute",
              "alias": "urn:oid:a.b.c"
            },
            "urn:example.org:customer-y:app-y:employeeId": {
              "$ref": "#/definitions/ArpAttribute",
              "alias": "urn:oid:k.l.m"
            },

Both attributes will be displayed in the ARP-tab as employeeId because of the following line of code:

nameOfKey = key => key.substring(key.lastIndexOf(":") + 1);

Now, I know this could be solved by standardizing attributes, but that's just not how my clientele's boats float. It would be very nice to have a way to provide a displayName for attributes, so I can see the full attribute name instead of the cutoff version. Could be a configuration setting to not cut off any names at all, to keep it simple stupid.
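An added example (not Manage's own code, which implements this in JavaScript in the GUI) showing the collision the issue describes and two ways out of it: an explicit displayName property in the schema, which is the proposal above and is an assumed property name here, and a fallback that shortens keys only as far as they stay unique. The schema excerpt is constructed from the two keys in the issue plus one standard attribute:

```python
# Constructed excerpt in the shape of the ARP section of saml20_sp.schema.json.
# The two customer keys are from the issue; "displayName" is the proposed (assumed) property.
ARP_ATTRIBUTES = {
    "urn:example.org:customer-x:app-x:employeeId": {"$ref": "#/definitions/ArpAttribute",
                                                    "alias": "urn:oid:a.b.c",
                                                    "displayName": "Employee ID (customer X)"},
    "urn:example.org:customer-y:app-y:employeeId": {"$ref": "#/definitions/ArpAttribute",
                                                    "alias": "urn:oid:k.l.m"},
    "urn:mace:dir:attribute-def:displayName": {"$ref": "#/definitions/ArpAttribute"},
}

def name_of_key(key):
    """The GUI's current rule, nameOfKey = key => key.substring(key.lastIndexOf(":") + 1)."""
    return key.rsplit(":", 1)[-1]

def unique_short_names(keys):
    """Shortest ':'-delimited suffix that is unique among keys; the full key if nothing shorter is."""
    segs = {k: k.split(":") for k in keys}
    names = {}
    for key, parts in segs.items():
        for n in range(1, len(parts) + 1):
            candidate = ":".join(parts[-n:])
            if all(":".join(p[-n:]) != candidate for other, p in segs.items() if other != key):
                names[key] = candidate
                break
        else:
            names[key] = key
    return names

def arp_labels(schema_attributes, full_names=False):
    """Labels for the ARP tab: explicit displayName first, else the full key when
    full_names is set (the "don't cut off anything" setting), else the unique suffix."""
    short = unique_short_names(schema_attributes)
    return {key: spec.get("displayName") or (key if full_names else short[key])
            for key, spec in schema_attributes.items()}
```

With the two customer keys, `name_of_key` returns employeeId for both, while `unique_short_names` backs off to app-x:employeeId and app-y:employeeId and still shortens urn:mace:dir:attribute-def:displayName to displayName.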

Feature-request: show warning when no IDP's are connected

Several times I have found myself in the situation where on the whitelist-tab the checkbox was false and no IDP was selected, leading to 'No organizations found'.
It usually happens when using a JSON-import containing whitelist-entries that do not exist on the receiving environment.

Since this is a detectable state, that AFAIK doesn't really serve a purpose, would it be possible to show a warning on saving the entity? That would allow me to fix it before hitting the Push-button.
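An added example covering this request and the earlier one about removing entities that still have whitelist references; it is written for this page and is not Manage's own validation code. It assumes the shape Manage uses for an SP's whitelist (an allowedall boolean plus allowedEntities as a list of {"name": entityid}) and treats an entity as "known" when it is present in the environment, regardless of state. The entity set is constructed:

```python
SP_TYPES = {"saml20_sp"}   # assumed: only SAML SPs carry an IdP whitelist in this example

# Constructed sample in the assumed shape of Manage entities.
SAMPLE_ENTITIES = [
    {"type": "saml20_idp", "entityid": "https://idp-old.example.org", "state": "testaccepted"},
    {"type": "saml20_idp", "entityid": "https://idp-new.example.org", "state": "prodaccepted"},
    {"type": "saml20_sp", "entityid": "https://sp-a.example.org", "allowedall": False,
     "allowedEntities": [{"name": "https://idp-old.example.org"},
                         {"name": "https://idp-new.example.org"}]},
    {"type": "saml20_sp", "entityid": "https://sp-b.example.org", "allowedall": False,
     "allowedEntities": [{"name": "https://idp-gone.example.org"}]},  # JSON-imported elsewhere
    {"type": "saml20_sp", "entityid": "https://sp-c.example.org", "allowedall": False,
     "allowedEntities": []},                                          # nobody can log in
    {"type": "saml20_sp", "entityid": "https://sp-d.example.org", "allowedall": True,
     "allowedEntities": []},                                          # fine: open to all IdPs
]

def _whitelist(sp):
    return [e["name"] for e in sp.get("allowedEntities", [])]

def _sps(entities):
    return [e for e in entities if e["type"] in SP_TYPES]

def references_to(entities, entityid):
    """SPs whose whitelist names entityid: what to list before removing (or demoting) an IdP."""
    return [sp["entityid"] for sp in _sps(entities) if entityid in _whitelist(sp)]

def remove_entity(entities, entityid, force=False):
    """Refuse to remove an entity that still has active references, unless force=True."""
    refs = references_to(entities, entityid)
    if refs and not force:
        raise ValueError(f"{entityid} is still whitelisted by: {', '.join(refs)}")
    return [e for e in entities if e["entityid"] != entityid]

def presave_warnings(sp, entities):
    """Warnings to show when saving one SP, before the operator hits Push."""
    known = {e["entityid"] for e in entities}
    names = _whitelist(sp)
    warnings = [f"unknown entity in whitelist: {n}" for n in names if n not in known]
    if not sp.get("allowedall", False) and not names:
        warnings.append("allowedall is false and no IdP is whitelisted: no organisation can log in")
    return warnings

def audit(entities):
    """Run the pre-save checks over every SP; returns {sp entityid: [warnings]} for SPs with findings."""
    result = {sp["entityid"]: presave_warnings(sp, entities) for sp in _sps(entities)}
    return {k: v for k, v in result.items() if v}
```

`remove_entity` is the "refuse removal" variant from the earlier issue; the message it raises is the same list a "warn before removal" dialog would show. `audit` is the whole-environment sweep that finds the dangling import in sp-b and the empty whitelist in sp-c while leaving sp-d alone, because allowedall covers it.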

Update from 4.0.4 > 4.0.11 breaks PDP

After updating from 4.0.4 > 4.0.11 PDP breaks with the following exception:

Nov 18 21:34:18 webapp-4     java.util.NoSuchElementException: null
Nov 18 21:34:18 webapp-4     at java.util.HashMap$HashIterator.nextNode(HashMap.java:1447)
Nov 18 21:34:18 webapp-4     at java.util.HashMap$KeyIterator.next(HashMap.java:1469)
Nov 18 21:34:18 webapp-4     at pdp.access.FederatedUserBuilder.getSpEntities(FederatedUserBuilder.java:92)
Nov 18 21:34:18 webapp-4     at pdp.access.FederatedUserBuilder.shibUser(FederatedUserBuilder.java:83)
Nov 18 21:34:18 webapp-4     at pdp.shibboleth.ShibbolethPreAuthenticatedProcessingFilter.getPreAuthenticatedPrincipal(ShibbolethPreAuthenticatedProcessingFilter.java:33)

Unexpected error when clicking away from certData-input field

Whenever you open a metadata-set, click on the certData input-field and then click somewhere else, an unexpected error is raised.
In the background the page seems to be reloaded endlessly and a JS error appears in the console log:
(screenshot attached)

Seems like an input-validation issue

Introduce more roles for Manage permissions

Manage permissions are now relatively flat:

  • For the GUI, all users that have authenticated have admin privileges (can do everything)
  • For the API, there's a number of permissions per account (READ, WRITE, ADMIN, PUSH)

Because of the limited possibilities quite some use cases have too wide permissions:

  • SP dashboard has admin permissions so can write to anything, including IdPs
  • Anyone with a support role (and also SP dashboard) can create attribute manipulations. Attribute manipulations are arguably one of the most "dangerous" platform features when used unauthorized.

Proposal:

  • Create new permission specifically to be able to change AM's, because it's so different from the other functionality. Only users with this permission (team membership) will be able to do this. Only the users that actually need this will get this permission. So not first line support or (an adversary that has compromised) SP Dashboard.
  • Create more fine grained permission for use by SP dashboard, that its api account can only change SP/RP/RS and not IdP (which is much more dangerous)
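An added example (written for this page, not Manage's own authorization code) that puts the flat model described above next to the proposed one as a single policy decision function. The account names, the entity type oauth20_rs and the field name "manipulation" are assumptions; saml20_sp, saml20_idp and oidc10_rp are the type names that appear on this page:

```python
# Entity types: saml20_sp, saml20_idp and oidc10_rp appear on this page; oauth20_rs is assumed.
IDP_TYPES = {"saml20_idp"}
SERVICE_TYPES = {"saml20_sp", "oidc10_rp", "oauth20_rs"}
ALL_TYPES = IDP_TYPES | SERVICE_TYPES
AM_FIELD = "manipulation"   # assumed name of the attribute-manipulation field on an entity

# Today, as the issue describes it: one flat permission set per API account.
FLAT_ACCOUNTS = {"sp-dashboard": {"READ", "WRITE", "ADMIN", "PUSH"},
                 "first-line-support": {"READ", "WRITE"}}

def flat_allows(account, action, entity_type, changed_fields=()):
    """Flat model: the entity type and the fields being changed play no role."""
    perms = FLAT_ACCOUNTS.get(account, set())
    return "ADMIN" in perms or action.upper() in perms

# Proposed: WRITE is scoped to entity types, and changing attribute manipulations
# needs a separate MANIPULATION permission that only the team that needs it holds.
SCOPED_ACCOUNTS = {
    "sp-dashboard":       {"READ": ALL_TYPES, "WRITE": SERVICE_TYPES},     # never IdPs
    "first-line-support": {"READ": ALL_TYPES, "WRITE": ALL_TYPES},
    "am-team":            {"READ": ALL_TYPES, "WRITE": ALL_TYPES, "MANIPULATION": ALL_TYPES},
}

def scoped_allows(account, action, entity_type, changed_fields=()):
    """Scoped model: deny by default; WRITE needs the type in scope, and touching
    the manipulation field additionally needs MANIPULATION for that type."""
    grants = SCOPED_ACCOUNTS.get(account, {})
    in_scope = lambda perm: entity_type in grants.get(perm, set())
    if action == "read":
        return in_scope("READ")
    if action == "write":
        if not in_scope("WRITE"):
            return False
        return AM_FIELD not in changed_fields or in_scope("MANIPULATION")
    return False

def compare(account, action, entity_type, changed_fields=()):
    """(flat decision, scoped decision) for the same request, to see what tightens."""
    return (flat_allows(account, action, entity_type, changed_fields),
            scoped_allows(account, action, entity_type, changed_fields))
```

The two cases the issue names are the ones where the models disagree: a compromised SP Dashboard account writing to an IdP gets (True, False), and first-line support changing a manipulation gets (True, False), while ordinary SP edits by either account stay allowed in both.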
