cat-users - RE: [[cat-users]] CAT errors

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Roger Dills <rdills AT wooster.edu>
  • To: "dubravko.voncina AT srce.hr" <dubravko.voncina AT srce.hr>
  • Cc: Michael Naylor <MNaylor AT wooster.edu>, "'stefan.winter AT restena.lu" <'stefan.winter AT restena.lu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] CAT errors
  • Date: Thu, 16 Mar 2017 14:33:22 +0000
  • Accept-language: en-US
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=livewooster.onmicrosoft.com
  • Authentication-results: srce.hr; dkim=none (message not signed) header.d=none;srce.hr; dmarc=none action=none header.from=wooster.edu;
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Hello Dubravko,

We've added "eduPersonTargetedID" as a released attribute. We can see the
logins are successful and attributes are all released. Unfortunately, the
"monitor.eduroam.org" website still reports a 500 error.

We've had Philippe Hanset at Anyroam issue a new login token, so the
expiration shouldn't currently be an issue.

If you could take another look at the logs and decipher where the error is
now occurring, it would be appreciated.

Thank you!

Roger Dills
Senior Systems Administrator
Technology Services
The College of Wooster


-----Original Message-----
From: Michael Naylor
Sent: Monday, March 13, 2017 9:38 AM
To: Roger Dills; Vincent T. DiScipio
Subject: FW: [[cat-users]] CAT errors



-----Original Message-----
From: Dubravko Voncina [mailto: ]
Sent: Monday, March 13, 2017 9:08 AM
To: Michael Naylor <MNaylor AT wooster.edu>
Cc: Stefan Winter <stefan.winter AT restena.lu>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] CAT errors

Hello Michael,

From what I can see, eduroam SP proxy throws some unusual errors after
someone authenticates through IdP https://idp.wooster.edu/idp/shibboleth.
According to our SP logs, your IdP provides many attributes, but it doesn't
provide the only one required to access CAT service, which is
eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10).
Alternatively, if your IdP doesn't provide attribute eduPersonTargetedID,
eduroam SP proxy can use persistent NameID from <Subject> ... </Subject> part
of your IdP AuthnResponse as your unique identifier. Unfortunately, your IdP
doesn't provide NameID parameter at all. For example, Subject part of
AuthnResponse usually looks like:

<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://idp.cpe.fr/idp/shibboleth"
SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">some_value</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="134.214.49.140"
InResponseTo="_9897255e02261902a6594b5bdb6e421d0df41d1ab3"
NotOnOrAfter="2017-03-13T12:53:02.713Z"
Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
</saml2:SubjectConfirmation>
</saml2:Subject>

but Subject part of your IdP AuthnResponse looks like:

<saml2:Subject>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="140.103.32.91"
InResponseTo="_cac7ff94553b9507d35e7b9db19a83d403b66eaa56"
NotOnOrAfter="2017-03-10T15:39:59.810Z"
Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
</saml2:SubjectConfirmation>
</saml2:Subject>

To cut a long story short, your IdP should either provide eduPersonTargetedID
attribute or persistent NameID parameter within a Subject field of
AuthnResponse message.

Best regards,

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559
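
Added example, not part of the original thread or of the eduroam SP proxy's code: a small Python check that reports whether a decoded SAML assertion carries either identifier named above (eduPersonTargetedID by its OID, or a persistent NameID in the Subject). The function names and sample assertions are constructed for illustration; only the OID and the persistent format URN come from the thread.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID

def unique_identifier_source(assertion_xml):
    """Return which identifier the assertion carries, or None if neither.

    Diagnostic only: no signature or condition checks are performed, so run
    it on assertions taken from your own IdP or SP logs.
    """
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") != EPTID_OID:
            continue
        value = attr.find("saml2:AttributeValue", NS)
        # The value is normally a nested NameID, so collect all inner text.
        if value is not None and "".join(value.itertext()).strip():
            return "eduPersonTargetedID"
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if (name_id is not None and name_id.get("Format") == PERSISTENT
            and (name_id.text or "").strip()):
        return "persistent NameID"
    return None

def build_assertion(subject_extra="", attributes=""):
    """Constructed minimal assertion for the demo (not a real IdP response)."""
    return (f'<saml2:Assertion xmlns:saml2="{NS["saml2"]}"><saml2:Subject>'
            f'{subject_extra}<saml2:SubjectConfirmation '
            'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject>'
            f'<saml2:AttributeStatement>{attributes}</saml2:AttributeStatement>'
            '</saml2:Assertion>')

NAME_ID = f'<saml2:NameID Format="{PERSISTENT}">constructed-opaque-id</saml2:NameID>'
# Constructed samples: other attributes only, persistent NameID, eduPersonTargetedID.
NO_IDENTIFIER = build_assertion(attributes=(
    '<saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">'
    '<saml2:AttributeValue>user@example.edu</saml2:AttributeValue></saml2:Attribute>'))
WITH_NAME_ID = build_assertion(subject_extra=NAME_ID)
WITH_EPTID = build_assertion(attributes=(
    f'<saml2:Attribute Name="{EPTID_OID}"><saml2:AttributeValue>{NAME_ID}'
    '</saml2:AttributeValue></saml2:Attribute>'))

if __name__ == "__main__":
    for label, xml in [("no identifier", NO_IDENTIFIER),
                       ("persistent NameID", WITH_NAME_ID),
                       ("eduPersonTargetedID", WITH_EPTID)]:
        print(f"{label}: {unique_identifier_source(xml)}")
```

A NameID in any other format, such as transient, is reported as missing, because the thread names only the persistent form as an acceptable unique identifier.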



