Skip to content

Commit 60de803

Browse files
committed
update documentation to 3.0; put maven central repo as the first one to
check
1 parent 359ed9d commit 60de803

15 files changed

Lines changed: 188 additions & 149 deletions

documentation/src/main/doc/authentication.txt

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -63,7 +63,7 @@ authenticator works as follows:
6363
an information about the logged user.
6464
2. If the remote login was successful the remotely provided data is mapped to the local representation
6565
(translated, enhanced, filtered...) using an _input translation profile_ which is assigned to the
66-
authenticator. Input translation profiles are discussed in <<translation>>. In effect of translation:
66+
authenticator. Input translation profiles are discussed in <<input-translation>>. In effect of translation:
6767
* The remote user may be mapped to an existing account (at not-the-first login
6868
or when it is possible to automatically map remote user to local account using some attribute as email).
6969
In such case authentication is finished just after the translation.
@@ -84,6 +84,10 @@ for the first time.
8484
Account association is enabled by default. It requires additional login to the existing account in a
8585
popup window. It can be turned off in authenticator settings.
8686

87+
88+
include::input-translation.txt[]
89+
90+
8791
=== Step-up and repeated authentication
8892

8993
For certain sensitive operations Unity may be configured (and by default is) to require additional or step-up
@@ -125,3 +129,4 @@ to 600s then user won't need to perform additional authentication for one minute
125129
if there is no applicable additional authentication authenticator for the user (what typically means that system
126130
is misconfigured).
127131

132+

documentation/src/main/doc/branding.txt

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -181,11 +181,14 @@ screen. See the main server reference documentation: <<configuration>>.
181181

182182
Unity offers internationalization (i18) features out of the box. However, the list of available languages
183183
is hardcoded and currently includes only English (en), Polish (pl) and German (de) locales. English locale is
184-
the default one and all default messages are in this language. The Polish and German translations are mostly complete with the
185-
exception of the Admin UI. Administrator can configure which of the supported locale are enabled (see +unityServer.conf+ documentation).
184+
the default one and all default messages are in this language. Couple of other translations are mostly complete with the
185+
exception of the Admin Console which is English only.
186+
Administrator can configure which of the supported languages are enabled
187+
(see +unityServer.conf+ documentation for up to date list of allowed ones in <<configuration>>).
186188

187189
If you would like to have other locale supported please contact us via the mailing list - there is no problem to add
188-
them or to allow for admin-configured locales outside from those predefined in distribution.
190+
them or to allow for admin-configured locales outside from those predefined in distribution. We also use Weblate at
191+
https://hosted.weblate.org/projects/unity-idm for collecting open source improvements to existing translations.
189192

190193
Actual translations are fully controlled by Unity administrator.
191194
In the +i18n/+ subfolder of the configuration directory a copy of all system messages is stored.

documentation/src/main/doc/config/notifications.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ ${VARIABLE_NAME}
3333

3434
Besides variables, message template may also include other templates which are set as "generic" fragments.
3535

36-
Message templates are configured using Admin UI (Server management->Message templates).
36+
Message templates are configured using Admin Console (Setting->Message templates).
3737
It is also possible to configure them with configuration file (by default +msgTemplates.properties+).
3838

3939
Variables are replaced dynamically with concrete values when a message is prepared to be sent. Naturally

documentation/src/main/doc/config/storage.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ The following option allows to select the database backend:
1414
unityServer.storage.engine=rdbms # 'hz' is another possible option
1515
----
1616

17-
Note that the Admin UI provides a possibility to create a dump JSON dump of the complete server state and to restore
17+
Note that the Admin Console provides a possibility to create a dump JSON dump of the complete server state and to restore
1818
the system from such dump regardless of the selected storage engine.
1919

2020

documentation/src/main/doc/contents-management.txt

Lines changed: 6 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -140,7 +140,7 @@ attribute: +sys:AuthorizationRole+. The attribute is of enumeration type, and th
140140

141141
By assigning this attribute to entities, those entities are granted some roles and therefore are authorized to perform
142142
certain operations in Unity. The detailed information on what is allowed for each role holder is provided
143-
in attribute type description (see Schema Management->Attribute Types). The two most important roles are:
143+
in attribute type description (see Directory setup->Attribute types). The two most important roles are:
144144

145145
. +System manager+ who is authorized to perform all actions and
146146
. +Regular user+ who can perform all the typical operations reserved for users, i.e. read information about itself.
@@ -193,28 +193,17 @@ To enable confirmations the following basic elements needs to be configured:
193193
. There must be a message template (or templates) suitable for use with confirmation facility. See <<notifications>>.
194194
. To confirm attributes at least one attribute type must be defined which will use the +verifiableEmail+ syntax.
195195
What's more each such attribute type must have confirmations enabled and configured by selecting a proper
196-
message template (see below).
196+
message template in its definition.
197197
. To confirm email identities, identity confirmations must be enabled and configured by selecting a proper
198-
message template (see below).
199-
200-
The configuration of confirmations (for identities and for each email attribute type) is performed in the
201-
Server management -> Confirmations configuration tab of the Admin UI. It is rather simplistic as the only
202-
really variable property is the template to be used.
203-
204-
Note that Unity contains a convenient initializer script which can be enabled in the +unityServer.conf+ to load
205-
default confirmation configurations on startup:
206-
207-
----
208-
unityServer.core.script.1.file=scripts/confirmationsInitializer.groovy
209-
unityServer.core.script.1.trigger=pre-init
210-
----
198+
message template in its definition.
211199

212200
Later in this section we assume that the confirmations were set up as described above.
213201

214202
==== When confirmations are sent?
215203

216204
Whenever an email attribute or identity is created or changed manually in Unity interface
217-
the confirmation message is sent. The sole exception is a change of an attribute by administrator via the Admin UI:
205+
it is assumed to be not confirmed and the confirmation message is sent.
206+
The exception is a change of an attribute by administrator via the Admin Console:
218207
it is possible to control whether the attribute value should be added as confirmed or not.
219208

220209
Confirmations are also sent whenever a registration request is submitted, with an e-mail attribute or identity which
@@ -231,7 +220,7 @@ Unity also takes care not to resent a confirmation if the same e-mail address wa
231220
identity and attribute (or multiple attributes). Then only a single confirmation is sent and is used to
232221
confirm all elements.
233222

234-
It is also possible to reset a confirmation state by the administrator (from Admin UI)
223+
It is also possible to reset a confirmation state by the administrator (from Admin Console)
235224
by setting the unconfirmed state of an attribute value.
236225

237226
==== Registration forms and confirmations
Lines changed: 3 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,9 @@
1-
=== Web Admin UI endpoint
1+
=== Web Admin UI endpoint (deprecated)
22

33
Endpoint type:: +WebAdminUI+
44
Binding:: Web
55
Exposed paths:: +/admin+
66
Default path:: +/admin+
77

8-
Web Admin UI is the first place to visit after server installation and startup as it offers
9-
a administrator oriented management interface.
10-
By default it is accessible under the link: +pass:[https://localhost:2443/ENDPOINT-CONFIGURED-CONTEXT/admin]+
11-
or simply +pass:[https://localhost:2443/ENDPOINT-CONFIGURED-CONTEXT]+ as the +/admin+ path is the default.
12-
13-
The features of the Web Admin interface are covered in the <<contents-management>> section.
14-
15-
Currently the Admin UI endpoint offers the same options as the Home endpoint naturally including the options common
16-
for all web endpoints. The Home endpoint's options
17-
can usually be left unchanged as are used only to control the logged user's profile screen, which is also available
18-
for administrator's convenience in the Admin UI.
8+
Web Admin UI is a legacy administrative interface, a predecessor of Admin Console. This endpoint is going to be dropped in one
9+
subsequent releases, so switching to Admin Console is highly suggested. Admin Console offers a better and more capable UI.
Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
=== Web Admin Console endpoint
2+
3+
Endpoint type:: +WebConsoleUI+
4+
Binding:: Web
5+
Exposed paths:: +/console+
6+
Default path:: +/console+
7+
8+
Web Admin Console is the first place to visit after server installation and startup as it offers
9+
an administrator oriented management interface.
10+
By default it is accessible under the link: +pass:[https://localhost:2443/ENDPOINT-CONFIGURED-CONTEXT/console]+
11+
or simply +pass:[https://localhost:2443/ENDPOINT-CONFIGURED-CONTEXT]+ as the +/console+ path is the default.
12+
13+
The features of the Console interface are covered in the <<contents-management>> section.
14+
15+
Currently the Admin Console endpoint offers only options common for all web endpoints.

documentation/src/main/doc/endpoint-upman.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ other actions taken for those users as configured in the forms. However, project
4242
re-configure any of the project forms, therefore in a sense a person controlling the forms, also have some
4343
general responsibility and control over the project.
4444

45-
As it can be guessed from the above description that all UpMan triggered changes are visible in Admin UI,
45+
As it can be guessed from the above description that all UpMan triggered changes are visible in Admin Console,
4646
including project subgroups, project members, registration requests etc.
4747

4848
==== Using UpMan

documentation/src/main/doc/endpoints.txt

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -185,8 +185,10 @@ the authentication and what data will be shared with the requesting service. Det
185185
IdP endpoints, e.g. OAuth endpoint shows requested scopes, while SAML endpoint doesn't. Users can save the consent
186186
decision and then consent is skipped for them. It is also possible to turn off the consent screen completely.
187187

188+
include::output-translation.txt[]
188189

189-
include::endpoint-admin.txt[]
190+
191+
include::endpoint-console.txt[]
190192

191193
include::endpoint-home.txt[]
192194

@@ -203,6 +205,6 @@ include::endpoint-restadmin.txt[]
203205
include::endpoint-wellknown.txt[]
204206

205207

206-
208+
include::endpoint-admin.txt[]
207209

208210

documentation/src/main/doc/translation.txt renamed to documentation/src/main/doc/input-translation.txt

Lines changed: 17 additions & 107 deletions
Original file line numberDiff line numberDiff line change
@@ -1,22 +1,15 @@
1-
[[translation]]
2-
== Translation profiles configuration
1+
[[input-translation]]
2+
=== Input translation
33

44
Translation profile is a named, ordered list of conditional rules. The rules are used to
5-
modify the information about a principal being processed by Unity. Such situation occurs when:
6-
7-
. Remote user was externally authenticated and its data is consumed by Unity. In this case
8-
translation is performed by so called _input translation profiles_.
9-
. Information about Unity's entity is being exposed to outside world with an IdP-like endpoint
10-
as SAML web endpoint. In this case translation is performed by so called _output translation profiles_.
5+
modify the information about a principal being processed by Unity. Input translation profile is used when
6+
a remote user was externally authenticated and its data is consumed by Unity.
117

128
For instance, an input translation profile can change remote attribute 'size' name to
139
'width' and insert a remotely authenticated user to the local database (to a desired group)
14-
if the user is not yet there. An output profile can return an additional dynamic identity named 'email'
15-
with a value of an email attribute.
10+
if the user is not yet there.
1611

17-
The following subsections cover both types of translation profiles in details. Though many of the features
18-
are common. The profiles are managed with the Admin UI in the Server management->Translation profiles tab.
19-
The profile has a name and a list of rules. Each rule has a condition and an action.
12+
A profile consists of a list of rules. Each rule has a condition and an action.
2013

2114
Conditions are used to dynamically turn action execution on or off. Conditions (as well as some of the arguments
2215
of translation actions have) have to be specified as _MVEL expressions_. Such expressions allow for a powerful,
@@ -35,14 +28,8 @@ the most popular condition is simply: +true+.
3528
Actions are different for each type of the profile. The editor provides you with helpful interface to create them.
3629

3730

38-
39-
[[input-translation]]
40-
=== Input translation
41-
4231
An input translation profile is always associated with a _remote authenticator in its configuration_.
43-
It is a mandatory setting, all remote authenticators must have one profile associated. This is because it is
44-
typically not possible to provide a sensible default mapping of remote data to the configurable schema used in
45-
Unity.
32+
It is a mandatory setting, all remote authenticators must have one profile associated.
4633

4734
Input translation profile (both conditions and rules) operate on a data structure which is initially
4835
filled by the protocol specific component. The structure can contain:
@@ -87,26 +74,17 @@ to remove all stale data: attributes, group memberships, identities. The data is
8774
was previously created by the same profile, basing on input from the same remote IdP
8875
and which was not reproduced during the current invocation of the profile.
8976

90-
==== Translation profile creation wizard and dry-run
91-
92-
Unity provides two sophisticated features helping in input translation profile management. First of all it is possible
93-
to use a translation profile creation *wizard*.
77+
==== Translation profile testing
9478

95-
The wizard can be activated from the Server management->Translation profiles view. Currently the wizard can be used
96-
to create a profile basing on an available remote authenticator, so you need to configure it first in a regular way.
97-
However any (even empty) translation profile can be initially set for this authenticator.
98-
99-
After launching the wizard a popup window appears allowing you to select any of the remote authenticators available
100-
in the system (regardless of their assignment to endpoints). The authentication is performed in a sandbox environment
101-
so it is not influencing the running system. After finishing the remote authentication the popup window disappears
102-
and a visual translation profile editor is displayed. The whole information received from the remote IdP is shown,
103-
and can be dragged into expressions of the profile being created. After the profile is configured it must be saved
104-
and can be assigned to the authenticator.
105-
106-
Besides the wizard it is also possible to perform a detailed testing of an already existing translation profile.
107-
This *dry run* feature is available from the same menu as the wizard and begins in the same way: with a sandboxed
108-
authentication. However, the last step is different: instead of an editor a detailed information on the profile's
109-
application to the data provided by remote IdP is presented, including even the relevant server's log.
79+
Unity provides a sophisticated feature helping to work with input translation profile.
80+
81+
Testing can be performed on an existing remote authenticator with some profile configured.
82+
This feature is available from the Authentication -> Facilities main view (Test button).
83+
Test begins with a sandboxed authentication in a popup window, where one can select any of the remote
84+
authentication options available in the system.
85+
After authentication (failed or successful) a detailed information on the profile's
86+
application to the data provided by remote IdP (and naturally the data itself) is presented,
87+
including even a relevant server's internal log.
11088

11189

11290
==== Reference
@@ -209,71 +187,3 @@ Finally the value of the identity provided by remote IdP is available as follows
209187
id
210188
----
211189

212-
213-
214-
215-
216-
217-
=== Output translation
218-
219-
An output translation profile can be associated with an IdP-like endpoint as the SAML endpoints.
220-
It can be used to filter the data being exposed (so called attribute release policies can be implemented
221-
with output profiles). Also it can dynamically create additional data to be returned. It is even possible to
222-
store the dynamically created data back into the local Unity database, so it becomes a regular data.
223-
224-
Configuration of output profiles is optional. If no profile is manually installed on an endpoint, then a so called
225-
_default output profile_ is used. The default profile is simplistic: it doesn't filter anything and anly adds
226-
one additional attribute: +memberOf+ with all groups of the principal as value.
227-
228-
Output translation profile operate on a data structure which is initially
229-
filled by Unity with all attributes and identities of the queried principal. Attributes are from the group configured
230-
in the endpoint.
231-
232-
MVEL context used in conditions and as value of some action parameters can use the following variables:
233-
234-
. +protocol+ Name of the protocol being used
235-
. +protocolSubtype+ Name of the protocol variant
236-
. +requester+ Name of the requester
237-
. +usedGroup+ Unity group from which attributes are served
238-
. +subGroups+ All sub groups of the Unity group from which attributes are served
239-
. +attr+ Map indexed with principal's attribute names. Value of each entry is a single value of the attribute.
240-
If the attribute is multi-valued then the first value is returned.
241-
If the attribute has no value then empty string is returned.
242-
. +attrs+ Map indexed with attribute names. Value of each entry is a list of the attribute values.
243-
. +attrObj+ Map indexed with attribute names. Value of each entry is a list of all values provided as
244-
objects with attribute-type specific contents. Useful for inspecting complex types like email and accessing its confirmation status.
245-
. +requesterAttr+, +requesterAttrs+ and +requesterObj+ attributes of the requester,
246-
if it is represented by an entity in Unity. This is the case for OAuth authentication.
247-
. +idsByType+ Map of identity values indexed by type.
248-
. +groups+ List of all groups the user is a member.
249-
. +authenticatedWith+ List of identities that were used to authenticate the user.
250-
If remote authentication was used the list contains a single identity that was used
251-
to map the remote user to the local entity (as chosen by the input translation profile).
252-
The list can have two elements when MFA was used.
253-
. +importStatus+ Map indexed with importer names which are enabled for the endpoint on which output profile
254-
is executed. Status of each importer is value of map entries. The following values are possible: +notApplicable+ and
255-
+success+.
256-
. +idp+ Identifier of a remote IdP that was used to authenticate the current user's session.
257-
In case when only a local authentication was used, the value is set to +_LOCAL+.
258-
259-
260-
Example output profile:
261-
------
262-
1: Condition: idsByType contains 'userName'
263-
Action: createAttribute
264-
Action parameters:
265-
attributeName = userid
266-
expression = idsByType['userName']
267-
268-
2: Condition: true
269-
Action: filterAttribute
270-
Action parameters:
271-
unityAttribute = email
272-
------
273-
274-
The above profile in the first action creates a new attribute +userid+ with a value of user's identity
275-
of the +userName+ type. The attribute is added only if the principal has such identity.
276-
The second rule hides the email attribute unconditionally.
277-
278-
Additional examples of expressions and conditions can be found in the <<input-translation>> above. Note however
279-
that only the variables from the output MVEL context can be used.

0 commit comments

Comments
 (0)