
cat-users - Re: [[cat-users]] [eduroam-ot] NameID urn:oasis:names:tc:SAML:2.0:nameid-format:persistent instead of eduPersonTargetedID attribute

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Miroslav Milinovic <miro AT srce.hr>
  • To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
  • Cc: eduroam-ot AT lists.geant.org, cat-users AT geant.net, "monitor AT eduroam.org" <monitor AT eduroam.org>
  • Subject: Re: [[cat-users]] [eduroam-ot] NameID urn:oasis:names:tc:SAML:2.0:nameid-format:persistent instead of eduPersonTargetedID attribute
  • Date: Sat, 11 Feb 2017 13:28:10 +0100

Zenon,

Sadly, no. This change has not been implemented yet. We plan to
finally announce this change not later than the end of this month.

It appears there are some non-trivial challenges with SSP (maybe you've
seen discussions on refeds and ssp list) so we are double checking our
set-up in order to avoid problems in transition.

Miro

p.s. Having in mind that we run a production service we do our best to
announce all the changes to the public lists (before and after the action)

On 11.2.2017. 13:10, Zenon Mousmoulas wrote:
> Hi Miro,
>
> quite recently we updated our SAML IdP software and disabled
> eduPersonTargetedID (attribute) in favor of persistent NameID (subject)
> generation. Today I tried to log in to eduroam.org SP and arrived at the
> following error. I had the impression this scenario would be gracefully
> handled (since August last year), allowing for the case where no epTID
> attribute is released, but judging from the exception I am not sure that
> is indeed so?
>
> Please advise.
>
> Thanks,
> Z.
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 0 /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/www/module.php:179
> (N/A)
> Caused by: SimpleSAML_Error_Exception: This service needs at least one
> of the following
> attributes to identity users: eduPersonTargetedID,
> facebook_targetedID, google_eppn, linkedin_targetedID,
> twitter_targetedID. Unfortunately not
> one of them was detected. Please ask your institution
> administrator to release one of
> them, or try using another identity provider.
> Backtrace:
> 11
> /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:95
> (sspmod_smartattributes_Auth_Process_SmartID::addID)
> 10
> /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:113
> (sspmod_smartattributes_Auth_Process_SmartID::process)
> 9
> /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/lib/SimpleSAML/Auth/ProcessingChain.php:194
> (SimpleSAML_Auth_ProcessingChain::processState)
> 8
> /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/lib/SimpleSAML/IdP.php:309
> (SimpleSAML_IdP::postAuth)
> 7 [builtin] (call_user_func)
> 6
> /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/lib/SimpleSAML/Auth/Default.php:133
> (SimpleSAML_Auth_Default::loginCompleted)
> 5 [builtin] (call_user_func)
> 4
> /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/lib/SimpleSAML/Auth/Source.php:139
> (SimpleSAML_Auth_Source::completeAuth)
> 3
> /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/modules/saml/lib/Auth/Source/SP.php:613
> (sspmod_saml_Auth_Source_SP::onProcessingCompleted)
> 2
> /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/modules/saml/lib/Auth/Source/SP.php:563
> (sspmod_saml_Auth_Source_SP::handleResponse)
> 1
> /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/modules/saml/www/sp/saml2-acs.php:203
> (require)
> 0 /var/www/html/monitor-ssl/simplesamlphp-1.13.2-sp/www/module.php:134
> (N/A)
>
>
>
> On 2016-06-28 17:46, Miroslav Milinovic wrote:
>> Hi Simon, all!
>>
>> We plan to implement this feature and put it into production by the
>> beginning of August 2016 (so in about one month from now).
>>
>> Best regards
>>
>> Miroslav Milinovic
>> eduroam service manager, GEANT
>>
>> ----- Original Message ----- From: "Simon Lundström"
>> <simlu AT su.se>
>> To:
>> <cat-users AT lists.geant.org>
>> Sent: Monday, June 27, 2016 3:50 PM
>> Subject: [[cat-users]] NameID
>> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent instead of
>> eduPersonTargetedID attribute
>>
>>
>>> Hi!
>>>
>>> We've recently upgraded our IDPs to Shibboleth v3 since v2 is going to be
>>> (or already has been) deprecated.
>>>
>>> According to e.g. Scott Cantor using eduPersonTargetedId as an attribute
>>> and not as NameID is discouraged and deprecated, see:
>>> <https://wiki.shibboleth.net/confluence/display/IDP30/StoredIdConnector>
>>> <http://thread.gmane.org/gmane.comp.web.shibboleth.user/46825/focus=46856>
>>>
>>> <http://article.gmane.org/gmane.comp.web.shibboleth.user/39696/>
>>>
>>> So when Shibboleth IDP removes the StoredIdConnector none of us will be
>>> able to use your service.
>>>
>>> When are you going to use the
>>> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent NameID instead?
>>>
>>> BR,
>>> - Simon
>>>
>>> ____________________________________
>>>
>>> Simon Lundström
>>> Section for Infrastructure
>>>
>>> IT Services
>>> Stockholm University
>>> SE-106 91 Stockholm, Sweden
>>>
>>> www.su.se/english/staff-info/it
>>> To unsubscribe, send this message:
>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>> Or use the following link:
>>> https://lists.geant.org/sympa/sigrequest/cat-users
>>>
>>
>
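The fallback this thread asks for, as an added example that is not part of the original messages and is not the eduroam.org SP's or SimpleSAMLphp's code: take the user identifier from the eduPersonTargetedID attribute when it is released, otherwise from a Subject NameID whose Format is persistent, and refuse anything else. The entityIDs, the sample assertions and the `idp!sp!value` serialisation are assumptions of this sketch, and the assertion is assumed to have been signature-verified by the SAML library before this code sees it.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EPTID_NAMES = {"eduPersonTargetedID", "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"}
SP_ENTITY_ID = "https://sp.example.net/sp"  # hypothetical SP entityID

def scoped(nameid, issuer, sp):
    """Serialise a NameID as idp!sp!value so it is unique per IdP/SP pair."""
    value = (nameid.text or "").strip()
    if not value:
        return None
    return "!".join([nameid.get("NameQualifier") or issuer,
                     nameid.get("SPNameQualifier") or sp, value])

def user_identifier(assertion_xml, sp=SP_ENTITY_ID):
    """Return (source, identifier); the assertion is assumed already signature-verified."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    # 1. Legacy path: eduPersonTargetedID attribute whose value wraps a NameID.
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in EPTID_NAMES:
            inner = attr.find("saml:AttributeValue/saml:NameID", NS)
            ident = scoped(inner, issuer, sp) if inner is not None else None
            if ident:
                return "attribute", ident
    # 2. Fallback: Subject NameID, accepted only when its Format is persistent.
    #    A transient NameID changes every session and must not identify a user.
    subject = root.find("saml:Subject/saml:NameID", NS)
    if subject is not None and subject.get("Format") == PERSISTENT:
        ident = scoped(subject, issuer, sp)
        if ident:
            return "nameid", ident
    raise ValueError("no eduPersonTargetedID attribute and no persistent NameID")

def sample(fmt, value, with_eptid=False):
    """Build a constructed, unsigned sample assertion (hypothetical IdP entityID)."""
    stmt = ('<saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">'
            '<saml:AttributeValue><saml:NameID Format="' + PERSISTENT + '">attr-id-1'
            '</saml:NameID></saml:AttributeValue></saml:Attribute></saml:AttributeStatement>')
    return ('<saml:Assertion xmlns:saml="' + NS["saml"] + '">'
            '<saml:Issuer>https://idp.example.org/idp</saml:Issuer>'
            '<saml:Subject><saml:NameID Format="' + fmt + '">' + value + '</saml:NameID>'
            '</saml:Subject>' + (stmt if with_eptid else "") + '</saml:Assertion>')

if __name__ == "__main__":
    print(user_identifier(sample(PERSISTENT, "abc123")))  # IdP released NameID only
    print(user_identifier(sample(TRANSIENT, "_x", with_eptid=True)))
```

An IdP that sends only a transient NameID and no attribute still ends in an error, which is the correct outcome: there is nothing stable to key the account on.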


