cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Dubravko Voncina <dubravko.voncina AT srce.hr>
- To: Michael Naylor <MNaylor AT wooster.edu>
- Cc: Stefan Winter <stefan.winter AT restena.lu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] CAT errors
- Date: Mon, 13 Mar 2017 14:07:48 +0100
Hello Michael,
From what I can see, eduroam SP proxy throws some unusual errors after
someone authenticates through IdP https://idp.wooster.edu/idp/shibboleth.
According to our SP logs, your IdP provides many attributes, but it doesn't
provide the only one required to access CAT service, which is
eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10).
Alternativelly, if your IdP doesn't provide attribute eduPersonTargetedID,
eduroam SP proxy can use persistent NameID from <Subject> ... </Subject> part
of your IdP AuthnResponse as your unique identifier. Unfortunatelly, your IdP
doesn't provide NameID parameter at all. For example, Subject part of
AuthnResponse usually looks like:
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://idp.cpe.fr/idp/shibboleth";
SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp";>some_value</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="134.214.49.140"
InResponseTo="_9897255e02261902a6594b5bdb6e421d0df41d1ab3"
NotOnOrAfter="2017-03-13T12:53:02.713Z"
Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
but Subject part of your IdP AuthnResponse looks like:
<saml2:Subject>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="140.103.32.91"
InResponseTo="_cac7ff94553b9507d35e7b9db19a83d403b66eaa56"
NotOnOrAfter="2017-03-10T15:39:59.810Z"
Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
To cut a long story short, your IdP should either provide eduPersonTargetedID
attribute or persistent NameID parameter within a Subject field of
AuthnResponse message.
Best regards,
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559
> On 10 Mar 2017, at 17:12, Michael Naylor
> <MNaylor AT wooster.edu>
> wrote:
>
> Our IDP is idp.wooster.edu. Does that help?
>
> -----Original Message-----
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
>
> Sent: Friday, March 10, 2017 11:00 AM
> To: Michael Naylor
> <MNaylor AT wooster.edu>;
>
> cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] CAT errors
>
> Hello,
>
>> We are in the process of becoming an eduroam member. I was sent an invite
>> to CAT but I'm having issues logging in and the anyroam folks sent me
>> here. When I login at https://cat.eduroam.org/admin/ I seem to
>> authenticate fine but am sent to
>> https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp
>> with an HTTP 500 error. Any help is appreciated as we would like to move
>> forward with this project.
>
> thanks for your interest in CAT!
>
> I've just logged in myself and things worked fine.
>
> But this is not actually a CAT problem - the server monitor.eduroam.org is
> the authentication endpoint for all eduroam Operations Support Services,
> which include but are not limited to CAT, and managed independently.
>
> I have forwarded your mail to the eduroam Operations Team who will follow
> up with you.
>
> It may be helpful to tell us though with which Identity Provider you were
> trying to log in; this may be relevant in fault-finding.
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
- [[cat-users]] CAT errors, Michael Naylor, 03/10/2017
- Re: [[cat-users]] CAT errors, Stefan Winter, 03/10/2017
- RE: [[cat-users]] CAT errors, Michael Naylor, 03/10/2017
- Re: [[cat-users]] CAT errors, Dubravko Voncina, 03/13/2017
- Message not available
- RE: [[cat-users]] CAT errors, Roger Dills, 03/16/2017
- Re: [[cat-users]] CAT errors, Dubravko Voncina, 03/17/2017
- RE: [[cat-users]] CAT errors, Roger Dills, 03/16/2017
- Message not available
- Re: [[cat-users]] CAT errors, Dubravko Voncina, 03/13/2017
- RE: [[cat-users]] CAT errors, Michael Naylor, 03/10/2017
- Re: [[cat-users]] CAT errors, Stefan Winter, 03/10/2017
Archive powered by MHonArc 2.6.19.