cat-users - [[cat-users]] Fwd: [[cat-devel]] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed

List: cat-users AT lists.geant.org, the mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
  • Cc: eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] Fwd: [[cat-devel]] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed
  • Date: Tue, 21 Feb 2017 16:57:18 +0100

Hello again Zenon,

I'm afraid this won't work :-(
When I set required NameID policy to
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", we start receiving
error messages "Required NameID format not supported" from many IdPs.
Until this issue is solved, we have to leave transient NameID policy as
default.

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559




> Begin forwarded message:
>
> From: Dubravko Voncina <dubravko.voncina AT srce.hr>
> Subject: Re: [[cat-users]] [[cat-devel]] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed
> Date: 21 February 2017 at 14:50:47 GMT+1
> To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
> Cc: eduroam CAT Feedback <cat-users AT lists.geant.org>
>
> Hello Zenon,
>
> Can you please verify that your IdP receives the appropriate NameIDFormat in
> the AuthnRequest now?
>
> Dubravko Voncina
> Middleware and Data Services Department
> University of Zagreb, University Computing Centre, www.srce.unizg.hr
> dubravko.voncina AT srce.hr,
> tel: +385 98 219273, fax: +385 1 6165559
>
>
>
>
>> On 20 Feb 2017, at 15:36, Zenon Mousmoulas <zmousm AT noc.grnet.gr> wrote:
>>
>> Hi Dubravko,
>>
>> oops, that is indeed the case; however that happens because your SP
>> explicitly requests such a NameIDFormat in the request. Here is the
>> evidence:
>>
>> <?xml version="1.0"?>
>> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>     ID="_e9c20361363e09485492f00b323bea0d9a1454e3d0" Version="2.0"
>>     IssueInstant="2017-02-20T14:26:41Z"
>>     Destination="https://idp.admin.grnet.gr/idp/profile/SAML2/POST/SSO"
>>     AssertionConsumerServiceURL="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"
>>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
>>   <saml:Issuer>https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>     <ds:SignedInfo>
>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>       <ds:Reference URI="#_e9c20361363e09485492f00b323bea0d9a1454e3d0">
>>         <ds:Transforms>
>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>         </ds:Transforms>
>>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>         <ds:DigestValue>WW3ERx65XaUrQSZme0oriQ/mXjM=</ds:DigestValue>
>>       </ds:Reference>
>>     </ds:SignedInfo>
>>     <ds:SignatureValue><!--[...]--></ds:SignatureValue>
>>     <ds:KeyInfo>
>>       <ds:X509Data>
>>         <ds:X509Certificate><!--[...]--></ds:X509Certificate>
>>       </ds:X509Data>
>>     </ds:KeyInfo>
>>   </ds:Signature>
>>   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
>>   <samlp:Scoping>
>>     <samlp:RequesterID>https://cat.eduroam.org/localhost/module.php/saml/sp/metadata.php/default-sp</samlp:RequesterID>
>>   </samlp:Scoping>
>> </samlp:AuthnRequest>
>>
>>
>> I believe it would be wise to set this to null:
>>
>> saml:NameIDPolicy
>> The format of the NameID we request from the IdP. Defaults to the
>> transient format if unspecified.
>>
>> Regards,
>> Z.
>>
>> On 2017-02-20 15:12, Dubravko Voncina wrote:
>>> Hello Zenon,
>>> I'm afraid that your IdP doesn't provide persistent NameID in the subject:
>>> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>     ID="_fcf113333e4a4953fceda8868f0ce92b"
>>>     IssueInstant="2017-02-20T11:26:35.622Z" Version="2.0">
>>>   <saml2:Issuer>https://idp.admin.grnet.gr/idp/shibboleth</saml2:Issuer>
>>>   <saml2:Subject>
>>>     <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>>>         NameQualifier="https://idp.admin.grnet.gr/idp/shibboleth"
>>>         SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">AAhzZWNyZXQxMTzq787eaH4dVeRaUP46bYj80P2AU1vcFavM36k3J4jFbFIhk/Nie6JcQc+AI3fatRUPnEOECi1Csirr9E5HO+whbUmO+uNPflNJ/okTqza2QbKFIeJW9CJyW+4I2Xe1bY+vO1Co0jqrIxmxcBe0px4bduZG9+P9PxoZWhMR1Vr+mstiqmQ=</saml2:NameID>
>>> ...
>>> Regards,
>>> Dubravko Voncina
>>> Middleware and Data Services Department
>>> University of Zagreb, University Computing Centre, www.srce.unizg.hr
>>> dubravko.voncina AT srce.hr,
>>> tel: +385 98 219273, fax: +385 1 6165559
>>>> On 20 Feb 2017, at 13:59, Zenon Mousmoulas <zmousm AT noc.grnet.gr> wrote:
>>>> Logging in via an eduGAIN IdP, all seems fine when eduPersonTargetedID
>>>> is released as an attribute, but login breaks when the identifier is
>>>> only released as persistent NameID in the subject:
>>>> Backtrace:
>>>> 0 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/www/module.php:180 (N/A)
>>>> Caused by: SimpleSAML_Error_Exception: This service needs at least one of the following attributes to identity users: eduPersonTargetedID, facebook_targetedID, google_eppn, linkedin_targetedID, twitter_targetedID. Unfortunately not one of them was detected. Please ask your institution administrator to release one of them, or try using another identity provider.
>>>> Backtrace:
>>>> 11 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:95 (sspmod_smartattributes_Auth_Process_SmartID::addID)
>>>> 10 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:113 (sspmod_smartattributes_Auth_Process_SmartID::process)
>>>> 9 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/ProcessingChain.php:195 (SimpleSAML_Auth_ProcessingChain::processState)
>>>> 8 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/IdP.php:331 (SimpleSAML_IdP::postAuth)
>>>> 7 [builtin] (call_user_func)
>>>> 6 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/Source.php:229 (SimpleSAML_Auth_Source::loginCompleted)
>>>> 5 [builtin] (call_user_func)
>>>> 4 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/Source.php:145 (SimpleSAML_Auth_Source::completeAuth)
>>>> 3 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/lib/Auth/Source/SP.php:637 (sspmod_saml_Auth_Source_SP::onProcessingCompleted)
>>>> 2 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/lib/Auth/Source/SP.php:564 (sspmod_saml_Auth_Source_SP::handleResponse)
>>>> 1 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/www/sp/saml2-acs.php:227 (require)
>>>> 0 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/www/module.php:137 (N/A)
>>>> Such was the behavior until last week.
>>>> Regards,
>>>> Z.
>>>> On 2017-02-20 11:58, Dubravko Voncina wrote:
>>>>> Hi all,
>>>>> We've had some problems with eduGAIN SP proxy during the weekend.
>>>>> Can you please try if authentication to eduroam monitoring/CAT
>>>>> services is working for you now?
>>>>> Best regards,
>>>>> Dubravko Voncina
>>>>> Middleware and Data Services Department
>>>>> University of Zagreb, University Computing Centre, www.srce.unizg.hr
>>>>> dubravko.voncina AT srce.hr,
>>>>> tel: +385 98 219273, fax: +385 1 6165559
>>>>>> On 17 Feb 2017, at 11:09, Dubravko Voncina <dubravko.voncina AT srce.hr> wrote:
>>>>>> Hi again,
>>>>>> Upgrade of eduGAIN SP authentication proxy for eduroam CAT and
>>>>>> monitoring services is completed. In theory, this upgrade should be
>>>>>> (almost) completely transparent for users. In practice, there is a
>>>>>> chance that I screwed something up so if you notice any problems
>>>>>> during the authentication process, please let me know.
>>>>>> Best regards,
>>>>>> Dubravko Voncina
>>>>>> Middleware and Data Services Department
>>>>>> University of Zagreb, University Computing Centre, www.srce.unizg.hr
>>>>>> dubravko.voncina AT srce.hr,
>>>>>> tel: +385 98 219273, fax: +385 1 6165559
>>
>
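The identifier selection this thread is debugging, as an added example that is not part of the thread, of the eduroam proxy, or of SimpleSAMLphp's SmartID filter: it reads the NameIDPolicy an SP puts in its AuthnRequest, then decides whether a returned assertion carries an identifier the SP can key users on (a persistent subject NameID or an eduPersonTargetedID attribute), and rejects the transient-only case that produced the "needs at least one of the following attributes" error above. The entity IDs, the sample AuthnRequest and the sample assertions are constructed for the example and are not real messages; the assertions are unsigned, and a real SP would validate the Response signature before looking at the subject at all.

```python
# Added example (not from the thread or SimpleSAMLphp): which subject identifier
# an SP can rely on, given the NameIDPolicy it sent and the assertion it got back.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml2": SAML2}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID

# Hypothetical entity IDs for the constructed sample messages below.
IDP = "https://idp.example.org/idp/shibboleth"
SP = "https://sp.example.org/saml/metadata"


def requested_nameid_format(authn_request_xml):
    """Format the SP asks for in <samlp:NameIDPolicy>, or None when the element
    is absent (an absent policy leaves the format choice to the IdP)."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def scoped_id(nameid):
    """Key a persistent NameID on (IdP, SP, value). The bare value alone is not
    a safe user key: two IdPs could issue the same string."""
    return (nameid.get("NameQualifier"), nameid.get("SPNameQualifier"),
            (nameid.text or "").strip())


def stable_identifier(assertion_xml):
    """Return (source, scoped id). Accepts a persistent subject NameID or an
    eduPersonTargetedID attribute; raises ValueError for transient-only subjects."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml2:Subject/saml2:NameID", NS)
    if subject is not None and subject.get("Format") == PERSISTENT:
        return ("persistent-nameid", scoped_id(subject))
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") != EPTID:
            continue
        inner = attr.find("saml2:AttributeValue/saml2:NameID", NS)
        if inner is not None and inner.get("Format") == PERSISTENT:
            return ("eduPersonTargetedID", scoped_id(inner))
    got = None if subject is None else subject.get("Format")
    raise ValueError("no stable identifier: subject NameID format is %r and no "
                     "eduPersonTargetedID was released" % got)


def has_stable_identifier(assertion_xml):
    try:
        stable_identifier(assertion_xml)
        return True
    except ValueError:
        return False


def authn_request(nameid_policy):
    """Constructed AuthnRequest; nameid_policy=None omits <samlp:NameIDPolicy>."""
    policy = "" if nameid_policy is None else \
        f'\n  <samlp:NameIDPolicy Format="{nameid_policy}" AllowCreate="true"/>'
    return f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML2}" ID="_r1" Version="2.0" IssueInstant="2017-02-20T14:26:41Z">
  <saml:Issuer>{SP}</saml:Issuer>{policy}
</samlp:AuthnRequest>"""


def assertion(subject_format, with_eptid):
    """Constructed assertion (not a real IdP response), unsigned for brevity."""
    eptid = ""
    if with_eptid:
        eptid = f"""
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{EPTID}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>
        <saml2:NameID Format="{PERSISTENT}" NameQualifier="{IDP}" SPNameQualifier="{SP}">eptid-value-1</saml2:NameID>
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>"""
    return f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_a1" Version="2.0" IssueInstant="2017-02-20T11:26:35Z">
  <saml2:Issuer>{IDP}</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="{subject_format}" NameQualifier="{IDP}" SPNameQualifier="{SP}">subject-value-1</saml2:NameID>
  </saml2:Subject>{eptid}
</saml2:Assertion>"""


if __name__ == "__main__":
    print("SP sends policy:", requested_nameid_format(authn_request(TRANSIENT)))
    print("SP sends no policy:", requested_nameid_format(authn_request(None)))
    cases = [("transient subject only", TRANSIENT, False),
             ("persistent subject", PERSISTENT, False),
             ("transient subject + ePTID attribute", TRANSIENT, True)]
    for label, fmt, eptid in cases:
        try:
            print(label, "->", stable_identifier(assertion(fmt, eptid)))
        except ValueError as err:
            print(label, "->", err)
```

The three cases map onto the thread: an SP that asks for the transient format gets a transient subject NameID and fails unless the IdP also releases eduPersonTargetedID; an SP that asks for persistent gets a usable subject from IdPs that support it, but, as the last message reports, IdPs that do not support that format refuse the request outright; omitting the policy element is the middle ground the thread ends up discussing. Whichever source the identifier comes from, it is only meaningful together with its NameQualifier and SPNameQualifier, which is why scoped_id keeps all three.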




Archive powered by MHonArc 2.6.19.
