
cat-users - Re: [cat-users] [cat-devel] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
  • To: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • Cc: eduroam CAT Feedback <cat-users AT lists.geant.org>, monitor AT eduroam.org, eduroam OT <eduroam-ot AT lists.geant.org>
  • Subject: Re: [cat-users] [cat-devel] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed
  • Date: Mon, 20 Feb 2017 16:36:41 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=noc.grnet.gr

Hi Dubravko,

Oops, that is indeed the case; however, that happens because your SP explicitly requests such a NameIDFormat in the request. Here is the evidence:

<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_e9c20361363e09485492f00b323bea0d9a1454e3d0"
    Version="2.0"
    IssueInstant="2017-02-20T14:26:41Z"
    Destination="https://idp.admin.grnet.gr/idp/profile/SAML2/POST/SSO"
    AssertionConsumerServiceURL="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_e9c20361363e09485492f00b323bea0d9a1454e3d0">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>WW3ERx65XaUrQSZme0oriQ/mXjM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue><!--[...]--></ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate><!--[...]--></ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
  <samlp:Scoping>
    <samlp:RequesterID>https://cat.eduroam.org/localhost/module.php/saml/sp/metadata.php/default-sp</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>


I believe it would be wise to set this to null:

saml:NameIDPolicy
The format of the NameID we request from the IdP. Defaults to the transient format if unspecified.

Regards,
Z.
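A worked example of the mechanism discussed above, added here and not code from the thread, from SimpleSAMLphp or from the Shibboleth IdP: it builds an AuthnRequest with and without a NameIDPolicy (the latter is what SimpleSAMLphp emits once the authsource sets 'NameIDPolicy' => null), shows with a simplified model of IdP-side NameID selection why an explicit transient request yields a transient NameID while an absent policy lets the IdP fall back to its own preference (persistent here), and then runs an SP-side check that only accepts a stable identifier. The entity IDs idp.example.org and sp.example.org, the NameID values and the IdP preference order are assumptions for the example; the IdP model ignores per-SP configuration that a real Shibboleth IdP would apply.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_authn_request(issuer: str, destination: str, acs: str,
                        nameid_format: Optional[str]) -> str:
    """Serialise an unsigned AuthnRequest. nameid_format=None omits the
    NameIDPolicy element entirely (SimpleSAMLphp: 'NameIDPolicy' => null).
    Sign after this step: the request in the thread carries an enveloped
    signature over the whole element, so editing NameIDPolicy on an
    already-signed request would invalidate the signature."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_example-request-id", "Version": "2.0",
        "IssueInstant": "2017-02-20T14:26:41Z", "Destination": destination,
        "AssertionConsumerServiceURL": acs,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    if nameid_format is not None:
        ET.SubElement(req, f"{{{NS['samlp']}}}NameIDPolicy",
                      {"Format": nameid_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def requested_nameid_format(authn_request_xml: str) -> Optional[str]:
    """The Format the SP asked for, or None when there is no NameIDPolicy."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def idp_nameid_format(requested: Optional[str], supported: List[str]) -> str:
    """Simplified model of IdP NameID selection (SAML core 3.4.1.1): no
    policy or 'unspecified' lets the IdP choose from its own preference
    order; an explicit supported Format is honoured; any other Format is
    refused with the InvalidNameIDPolicy status. Assumption: per-SP IdP
    configuration is not modelled."""
    if requested in (None, UNSPECIFIED):
        return supported[0]
    if requested in supported:
        return requested
    raise ValueError("urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy")


def build_assertion(issuer: str, sp: str, fmt: str, value: str) -> str:
    """Constructed minimal Assertion: Issuer plus Subject/NameID only."""
    a = ET.Element(f"{{{NS['saml']}}}Assertion",
                   {"ID": "_example-assertion-id", "Version": "2.0",
                    "IssueInstant": "2017-02-20T14:26:42Z"})
    ET.SubElement(a, f"{{{NS['saml']}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID",
                  {"Format": fmt, "NameQualifier": issuer,
                   "SPNameQualifier": sp}).text = value
    return ET.tostring(a, encoding="unicode")


def assertion_nameid(assertion_xml: str) -> Tuple[Optional[str], str]:
    """(Format, qualified value) of the Subject NameID. A persistent NameID
    is only unique together with its qualifiers, so they are kept as
    NameQualifier!SPNameQualifier!value (the eduPersonTargetedID layout)."""
    nid = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if nid is None:
        return None, ""
    qualified = "!".join([nid.get("NameQualifier", ""),
                          nid.get("SPNameQualifier", ""),
                          (nid.text or "").strip()])
    return nid.get("Format"), qualified


def stable_user_id(assertion_xml: str, attributes: Dict[str, List[str]]) -> str:
    """Simplified stand-in for the SP-side check that failed in the thread:
    accept a released eduPersonTargetedID attribute or a persistent NameID;
    reject a transient NameID, which changes every session."""
    if attributes.get("eduPersonTargetedID"):
        return attributes["eduPersonTargetedID"][0]
    fmt, qualified = assertion_nameid(assertion_xml)
    if fmt == PERSISTENT:
        return qualified
    raise LookupError(f"no stable identifier: NameID format is {fmt}")


if __name__ == "__main__":
    idp = "https://idp.example.org/idp/shibboleth"   # assumed entity IDs
    sp = "https://sp.example.org/saml/metadata"
    for policy in (TRANSIENT, None):
        req = build_authn_request(sp, idp, sp, policy)
        issued = idp_nameid_format(requested_nameid_format(req), [PERSISTENT, TRANSIENT])
        assertion = build_assertion(idp, sp, issued, "opaque-value")
        try:
            print(f"policy={policy} -> user {stable_user_id(assertion, {})}")
        except LookupError as err:
            print(f"policy={policy} -> {err}")
```

The point of the split between build_authn_request and the signature is the practical caveat: the NameIDPolicy has to be removed in the SP configuration before the request is signed, not patched out of the signed XML, and the IdP will otherwise keep answering the transient request exactly as it is asked to.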

On 2017-02-20 15:12, Dubravko Voncina wrote:
Hello Zenon,

I'm afraid that your IdP doesn't provide persistent NameID in the subject:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_fcf113333e4a4953fceda8868f0ce92b"
    IssueInstant="2017-02-20T11:26:35.622Z" Version="2.0">
  <saml2:Issuer>https://idp.admin.grnet.gr/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.admin.grnet.gr/idp/shibboleth"
        SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">AAhzZWNyZXQxMTzq787eaH4dVeRaUP46bYj80P2AU1vcFavM36k3J4jFbFIhk/Nie6JcQc+AI3fatRUPnEOECi1Csirr9E5HO+whbUmO+uNPflNJ/okTqza2QbKFIeJW9CJyW+4I2Xe1bY+vO1Co0jqrIxmxcBe0px4bduZG9+P9PxoZWhMR1Vr+mstiqmQ=</saml2:NameID>
...

Regards,

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559




On 20 Feb 2017, at 13:59, Zenon Mousmoulas <zmousm AT noc.grnet.gr> wrote:

Logging in via an eduGAIN IdP, all seems fine when eduPersonTargetedID is released as an attribute, but login breaks when the identifier is only released as persistent NameID in the subject:

Backtrace:
0 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: This service needs at least one of the following
attributes to identity users: eduPersonTargetedID, facebook_targetedID, google_eppn, linkedin_targetedID, twitter_targetedID. Unfortunately not
one of them was detected. Please ask your institution administrator to release one of
them, or try using another identity provider.
Backtrace:
11 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:95 (sspmod_smartattributes_Auth_Process_SmartID::addID)
10 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:113 (sspmod_smartattributes_Auth_Process_SmartID::process)
9 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/ProcessingChain.php:195 (SimpleSAML_Auth_ProcessingChain::processState)
8 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/IdP.php:331 (SimpleSAML_IdP::postAuth)
7 [builtin] (call_user_func)
6 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/Source.php:229 (SimpleSAML_Auth_Source::loginCompleted)
5 [builtin] (call_user_func)
4 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/Source.php:145 (SimpleSAML_Auth_Source::completeAuth)
3 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/lib/Auth/Source/SP.php:637 (sspmod_saml_Auth_Source_SP::onProcessingCompleted)
2 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/lib/Auth/Source/SP.php:564 (sspmod_saml_Auth_Source_SP::handleResponse)
1 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/www/sp/saml2-acs.php:227 (require)
0 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/www/module.php:137 (N/A)


Such was the behavior until last week.

Regards,
Z.

On 2017-02-20 11:58, Dubravko Voncina wrote:
Hi all,
We've had some problems with eduGAIN SP proxy during the weekend.
Can you please try if authentication to eduroam monitoring/CAT
services is working for you now?
Best regards,
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559
On 17 Feb 2017, at 11:09, Dubravko Voncina <dubravko.voncina AT srce.hr> wrote:
Hi again,
Upgrade of eduGAIN SP authentication proxy for eduroam CAT and monitoring services is completed. In theory, this upgrade should be (almost) completely transparent for users. In practice, there is a chance that I screwed something up so if you notice any problems during the authentication process, please let me know.
Best regards,
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559



