
cat-users - Re: [[cat-users]] Fwd: [[cat-devel]] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] Fwd: [[cat-devel]] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed


  • From: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
  • To: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • Cc: eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Fwd: [[cat-devel]] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed
  • Date: Tue, 21 Feb 2017 18:22:39 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=noc.grnet.gr

Hi,

sorry for not getting back to you earlier.

I tested again just now and I see the SAML request that gets sent to my IdP still has a NameIDPolicy[@Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"].

What I suggested before was to set (in SSPHP settings) saml:NameIDPolicy to null (not persistent), so that it does not specify a NameIDPolicy in the request at all but rather lets the IdP decide what to send back. That is, of course, if you are willing to accept any NameIDFormat in the response, also provided the SP is capable of falling back to looking for an eduPersonTargetedID attribute to use as an identifier.

I also noticed the first SAML request[1], which also carries such a NameIDPolicy. I'm not sure how the above would work with your backend SP in the proxy scheme, but I would guess you might also need to apply the same saml:NameIDPolicy there.

Regards,
Z.

[1] from https://cat.eduroam.org/localhost/module.php/saml/sp/metadata.php/default-sp to https://monitor.eduroam.org/sp/saml2/idp/SSOService.php
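As an added illustration (my own code, not part of this thread and not SimpleSAMLphp or eduroam CAT code), the following Python shows the two points under discussion: what NameID format, if any, an AuthnRequest's NameIDPolicy asks for (None corresponds to leaving saml:NameIDPolicy unset so the IdP decides), and an SP-side identifier lookup that tries the eduPersonTargetedID attribute first and then falls back to a persistent Subject NameID, the fallback the quoted SmartID failure below lacked. The sample XML, entity IDs and identifier values are constructed; the attribute is addressed by its standard OID name.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID

def requested_nameid_format(authn_request_xml):
    """Format of samlp:NameIDPolicy, or None when the request lets the IdP decide."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return policy.get("Format") if policy is not None else None

def stable_identifier(assertion_xml):
    """(source, value): eduPersonTargetedID attribute first, else a persistent
    Subject NameID; None if only a transient NameID is present (not a stable key)."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EPTID_OID:  # ePTID values are themselves NameID elements
            nid = attr.find("saml:AttributeValue/saml:NameID", NS)
            if nid is not None and nid.text:
                return ("eduPersonTargetedID", nid.text.strip())
    nid = root.find("saml:Subject/saml:NameID", NS)
    if nid is not None and nid.get("Format") == PERSISTENT and nid.text:
        return ("persistent NameID", nid.text.strip())
    return None

def sample_request(policy_element=""):
    """Constructed AuthnRequest; policy_element is an optional NameIDPolicy tag."""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
            'IssueInstant="2017-02-20T14:26:41Z"><saml:Issuer>https://sp.example.org/sp'
            '</saml:Issuer>%s</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], policy_element))

def sample_assertion(nameid_format, eptid=None):
    """Constructed Assertion with a Subject NameID and, optionally, an ePTID attribute."""
    attrs = ""
    if eptid:
        attrs = ('<saml:AttributeStatement><saml:Attribute Name="%s"><saml:AttributeValue>'
                 '<saml:NameID Format="%s">%s</saml:NameID></saml:AttributeValue>'
                 '</saml:Attribute></saml:AttributeStatement>' % (EPTID_OID, PERSISTENT, eptid))
    return ('<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0" IssueInstant="2017-02-20T11:26:35Z">'
            '<saml:Issuer>https://idp.example.org/idp</saml:Issuer><saml:Subject><saml:NameID '
            'Format="%s">opaque-subject-id</saml:NameID></saml:Subject>%s</saml:Assertion>'
            % (NS["saml"], nameid_format, attrs))

if __name__ == "__main__":
    policy = '<samlp:NameIDPolicy Format="%s" AllowCreate="true"/>' % TRANSIENT
    print(requested_nameid_format(sample_request(policy)))  # transient, as in the thread
    print(requested_nameid_format(sample_request()))        # None: IdP decides the format
    print(stable_identifier(sample_assertion(PERSISTENT)))  # persistent NameID is used
    print(stable_identifier(sample_assertion(TRANSIENT)))   # None: the login failure case
```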

On 2017-02-21 17:57, Dubravko Voncina wrote:
Hello again Zenon,

I'm afraid this won't work :-(
When I set required NameID policy to
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", we start
receiving error messages "Required NameID format not supported" from
many IdPs.
Until this issue is solved, we have to leave transient NameID policy as default.

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559




Begin forwarded message:

From: Dubravko Voncina <dubravko.voncina AT srce.hr>
Subject: Re: [[cat-users]] [[cat-devel]] Upgrade of SP authentication proxy for eduroam CAT and monitoring services - completed
Date: 21 February 2017 at 14:50:47 GMT+1
To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>
Cc: eduroam CAT Feedback <cat-users AT lists.geant.org>

Hello Zenon,

Can you please verify that your IdP receives the appropriate NameIDFormat in the AuthnRequest now?

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559




On 20 Feb 2017, at 15:36, Zenon Mousmoulas <zmousm AT noc.grnet.gr> wrote:

Hi Dubravko,

oops, that is indeed the case; however that happens because your SP explicitly requests such a NameIDFormat in the request. Here is the evidence:

<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_e9c20361363e09485492f00b323bea0d9a1454e3d0" Version="2.0" IssueInstant="2017-02-20T14:26:41Z" Destination="https://idp.admin.grnet.gr/idp/profile/SAML2/POST/SSO" AssertionConsumerServiceURL="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_e9c20361363e09485492f00b323bea0d9a1454e3d0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>WW3ERx65XaUrQSZme0oriQ/mXjM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue><!--[...]--></ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate><!--[...]--></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
<samlp:Scoping>
<samlp:RequesterID>https://cat.eduroam.org/localhost/module.php/saml/sp/metadata.php/default-sp</samlp:RequesterID>
</samlp:Scoping>
</samlp:AuthnRequest>


I believe it would be wise to set this to null:

saml:NameIDPolicy
The format of the NameID we request from the IdP. Defaults to the transient format if unspecified.

Regards,
Z.

On 2017-02-20 15:12, Dubravko Voncina wrote:
Hello Zenon,
I'm afraid that your IdP doesn't provide persistent NameID in the subject:
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_fcf113333e4a4953fceda8868f0ce92b"
IssueInstant="2017-02-20T11:26:35.622Z" Version="2.0">
<saml2:Issuer>https://idp.admin.grnet.gr/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.admin.grnet.gr/idp/shibboleth"
SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">AAhzZWNyZXQxMTzq787eaH4dVeRaUP46bYj80P2AU1vcFavM36k3J4jFbFIhk/Nie6JcQc+AI3fatRUPnEOECi1Csirr9E5HO+whbUmO+uNPflNJ/okTqza2QbKFIeJW9CJyW+4I2Xe1bY+vO1Co0jqrIxmxcBe0px4bduZG9+P9PxoZWhMR1Vr+mstiqmQ=</saml2:NameID>
...
Regards,
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559
On 20 Feb 2017, at 13:59, Zenon Mousmoulas <zmousm AT noc.grnet.gr> wrote:
Logging in via an eduGAIN IdP, all seems fine when eduPersonTargetedID is released as an attribute, but login breaks when the identifier is only released as persistent NameID in the subject:
Backtrace:
0 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: This service needs at least one of the following
attributes to identity users: eduPersonTargetedID, facebook_targetedID, google_eppn, linkedin_targetedID, twitter_targetedID. Unfortunately not
one of them was detected. Please ask your institution administrator to release one of
them, or try using another identity provider.
Backtrace:
11 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:95 (sspmod_smartattributes_Auth_Process_SmartID::addID)
10 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/smartattributes/lib/Auth/Process/SmartID.php:113 (sspmod_smartattributes_Auth_Process_SmartID::process)
9 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/ProcessingChain.php:195 (SimpleSAML_Auth_ProcessingChain::processState)
8 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/IdP.php:331 (SimpleSAML_IdP::postAuth)
7 [builtin] (call_user_func)
6 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/Source.php:229 (SimpleSAML_Auth_Source::loginCompleted)
5 [builtin] (call_user_func)
4 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/lib/SimpleSAML/Auth/Source.php:145 (SimpleSAML_Auth_Source::completeAuth)
3 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/lib/Auth/Source/SP.php:637 (sspmod_saml_Auth_Source_SP::onProcessingCompleted)
2 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/lib/Auth/Source/SP.php:564 (sspmod_saml_Auth_Source_SP::handleResponse)
1 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/modules/saml/www/sp/saml2-acs.php:227 (require)
0 /var/www/html/monitor-ssl/simplesamlphp-1.14.11-monitor-sp/www/module.php:137 (N/A)
Such was the behavior until last week.
Regards,
Z.
On 2017-02-20 11:58, Dubravko Voncina wrote:
Hi all,
We've had some problems with eduGAIN SP proxy during the weekend.
Can you please try if authentication to eduroam monitoring/CAT
services is working for you now?
Best regards,
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559
On 17 Feb 2017, at 11:09, Dubravko Voncina <dubravko.voncina AT srce.hr> wrote:
Hi again,
Upgrade of the eduGAIN SP authentication proxy for eduroam CAT and monitoring services is completed. In theory, this upgrade should be (almost) completely transparent for users. In practice, there is a chance that I screwed something up, so if you notice any problems during the authentication process, please let me know.
Best regards,
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users





