cat-users - Re: [[cat-users]] [[cat-devel]] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
  • Cc: eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] [[cat-devel]] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed
  • Date: Tue, 21 Feb 2017 14:50:47 +0100

Hello Zenon,

Can you please verify that your IdP receives appropriate NameIDFormat in the
AuthNRequest now?

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559




> On 20 Feb 2017, at 15:36, Zenon Mousmoulas
> <zmousm AT noc.grnet.gr>
> wrote:
>
> Hi Dubravko,
>
> oops, that is indeed the case; however that happens because your SP
> explicitly requests such a NameIDFormat in the request. Here is the
> evidence:
>
> <?xml version="1.0"?>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_e9c20361363e09485492f00b323bea0d9a1454e3d0" Version="2.0"
> IssueInstant="2017-02-20T14:26:41Z"
> Destination="https://idp.admin.grnet.gr/idp/profile/SAML2/POST/SSO"
> AssertionConsumerServiceURL="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
>
> <saml:Issuer>https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#_e9c20361363e09485492f00b323bea0d9a1454e3d0">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>WW3ERx65XaUrQSZme0oriQ/mXjM=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue><!--[...]--></ds:SignatureValue>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate><!--[...]--></ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </ds:Signature>
> <samlp:NameIDPolicy
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> AllowCreate="true"/>
> <samlp:Scoping>
>
> <samlp:RequesterID>https://cat.eduroam.org/localhost/module.php/saml/sp/metadata.php/default-sp</samlp:RequesterID>
> </samlp:Scoping>
> </samlp:AuthnRequest>
>
>
> I believe it would be wise to set this to null:
>
> saml:NameIDPolicy
> The format of the NameID we request from the IdP. Defaults to the
> transient format if unspecified.
>
> Regards,
> Z.
>
> On 2017-02-20 15:12, Dubravko Voncina wrote:
>> Hello Zenon,
>> I'm afraid that your IdP doesn't provide persistent NameID in the subject:
>> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> ID="_fcf113333e4a4953fceda8868f0ce92b"
>> IssueInstant="2017-02-20T11:26:35.622Z" Version="2.0">
>> <saml2:Issuer>https://idp.admin.grnet.gr/idp/shibboleth</saml2:Issuer>
>> <saml2:Subject>
>> <saml2:NameID
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>> NameQualifier="https://idp.admin.grnet.gr/idp/shibboleth"
>> SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">AAhzZWNyZXQxMTzq787eaH4dVeRaUP46bYj80P2AU1vcFavM36k3J4jFbFIhk/Nie6JcQc+AI3fatRUPnEOECi1Csirr9E5HO+whbUmO+uNPflNJ/okTqza2QbKFIeJW9CJyW+4I2Xe1bY+vO1Co0jqrIxmxcBe0px4bduZG9+P9PxoZWhMR1Vr+mstiqmQ=</saml2:NameID>
>> ...
>> Regards,
>> Dubravko Voncina
>> Middleware and Data Services Department
>> University of Zagreb, University Computing Centre, www.srce.unizg.hr
>> dubravko.voncina AT srce.hr,
>> tel: +385 98 219273, fax: +385 1 6165559
>>> On 20 Feb 2017, at 13:59, Zenon Mousmoulas
>>> <zmousm AT noc.grnet.gr>
>>> wrote:
>>> Logging in via an eduGAIN IdP, all seems fine when eduPersonTargetedID is
>>> released as an attribute, but login breaks when the identifier is only
>>> released as persistent NameID in the subject:
>>> Backtrace:
>>> 0
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/www/module.php:180
>>> (N/A)
>>> Caused by: SimpleSAML_Error_Exception: This service needs at least one of
>>> the following
>>> attributes to identity users: eduPersonTargetedID,
>>> facebook_targetedID, google_eppn, linkedin_targetedID,
>>> twitter_targetedID. Unfortunately not
>>> one of them was detected. Please ask your institution
>>> administrator to release one of
>>> them, or try using another identity provider.
>>> Backtrace:
>>> 11
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:95
>>> (sspmod_smartattributes_Auth_Process_SmartID::addID)
>>> 10
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:113
>>> (sspmod_smartattributes_Auth_Process_SmartID::process)
>>> 9
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/ProcessingChain.php:195
>>> (SimpleSAML_Auth_ProcessingChain::processState)
>>> 8
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/IdP.php:331
>>> (SimpleSAML_IdP::postAuth)
>>> 7 [builtin] (call_user_func)
>>> 6
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/Source.php:229
>>> (SimpleSAML_Auth_Source::loginCompleted)
>>> 5 [builtin] (call_user_func)
>>> 4
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/Source.php:145
>>> (SimpleSAML_Auth_Source::completeAuth)
>>> 3
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/lib/Auth/Source/SP.php:637
>>> (sspmod_saml_Auth_Source_SP::onProcessingCompleted)
>>> 2
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/lib/Auth/Source/SP.php:564
>>> (sspmod_saml_Auth_Source_SP::handleResponse)
>>> 1
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/www/sp/saml2-acs.php:227
>>> (require)
>>> 0
>>> /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/www/module.php:137
>>> (N/A)
>>> Such was the behavior until last week.
>>> Regards,
>>> Z.
>>> On 2017-02-20 11:58, Dubravko Voncina wrote:
>>>> Hi all,
>>>> We've had some problems with eduGAIN SP proxy during the weekend.
>>>> Can you please try if authentication to eduroam monitoring/CAT
>>>> services is working for you now?
>>>> Best regards,
>>>> Dubravko Voncina
>>>> Middleware and Data Services Department
>>>> University of Zagreb, University Computing Centre, www.srce.unizg.hr
>>>> dubravko.voncina AT srce.hr,
>>>> tel: +385 98 219273, fax: +385 1 6165559
>>>>> On 17 Feb 2017, at 11:09, Dubravko Voncina
>>>>> <dubravko.voncina AT srce.hr>
>>>>> wrote:
>>>>> Hi again,
>>>>> Upgrade of eduGAIN SP authentication proxy for eduroam CAT and
>>>>> monitoring services is completed. In theory, this upgrade should be
>>>>> (almost) completely transparent for users. In practice, there is a
>>>>> chance that I screwed something up so if you notice any problems during
>>>>> the authentication process, please let me know.
>>>>> Best regards,
>>>>> Dubravko Voncina
>>>>> Middleware and Data Services Department
>>>>> University of Zagreb, University Computing Centre, www.srce.unizg.hr
>>>>> dubravko.voncina AT srce.hr,
>>>>> tel: +385 98 219273, fax: +385 1 6165559
>>>>> To unsubscribe, send this message:
>>>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>>>> Or use the following link:
>>>>> https://lists.geant.org/sympa/sigrequest/cat-users
>
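
The check this thread goes back and forth on, as an added example that is not part of the original messages: compare the NameIDPolicy format an SP put in its AuthnRequest with the NameID format in the assertion that came back, to tell whether a missing persistent NameID comes from the request or from the IdP's release policy. The XML samples are constructed (modelled on the quoted messages, signature omitted), the host names are placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET  # trusted captures only; use defusedxml for untrusted XML

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed samples modelled on the quoted messages (signature omitted, hosts are placeholders).
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_constructed-request" Version="2.0">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="{TRANSIENT}" AllowCreate="true"/>
</samlp:AuthnRequest>"""

ASSERTION = f"""<saml2:Assertion xmlns:saml2="{NS['saml']}" ID="_constructed-assertion" Version="2.0">
  <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="{TRANSIENT}">constructed-opaque-value</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""


def requested_format(authn_request_xml):
    """Format attribute of samlp:NameIDPolicy, or None when the SP sent no policy or no Format."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def issued_format(assertion_xml):
    """Format attribute of the subject NameID, or None when there is no NameID or no Format."""
    name_id = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", NS)
    return None if name_id is None else name_id.get("Format")


def diagnose(authn_request_xml, assertion_xml):
    """Say which side explains a missing persistent NameID in the subject."""
    asked, got = requested_format(authn_request_xml), issued_format(assertion_xml)
    if got == PERSISTENT:
        return "ok"
    if asked is not None and asked != PERSISTENT:
        return "sp-request"   # the SP pinned another format in its request
    return "idp-release"      # the request left room for persistent, the IdP did not issue it


if __name__ == "__main__":
    print(requested_format(AUTHN_REQUEST), issued_format(ASSERTION))
    print(diagnose(AUTHN_REQUEST, ASSERTION))
```
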



