cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Roger Dills <rdills AT wooster.edu>
- To: "dubravko.voncina AT srce.hr" <dubravko.voncina AT srce.hr>
- Cc: Michael Naylor <MNaylor AT wooster.edu>, "'stefan.winter AT restena.lu" <'stefan.winter AT restena.lu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: RE: [[cat-users]] CAT errors
- Date: Thu, 16 Mar 2017 14:33:22 +0000
- Accept-language: en-US
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=livewooster.onmicrosoft.com
- Authentication-results: srce.hr; dkim=none (message not signed) header.d=none;srce.hr; dmarc=none action=none header.from=wooster.edu;
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Hello Dubravko,
We've added "eduPersonTargetedID" as a released attribute. We can see the
logins are successful and attributes are all released. Unfortunately, the
"monitor.eduroam.org" website still reports a 500 error.
We've had Philippe Hanset at Anyroam issue a new login token, so the
expiration shouldn't currently be an issue.
If you could take another look at the logs and decipher where the error is
now occurring, it would be appreciated.
Thank you!
Roger Dills
Senior Systems Administrator
Technology Services
The College of Wooster
-----Original Message-----
From: Michael Naylor
Sent: Monday, March 13, 2017 9:38 AM
To: Roger Dills; Vincent T. DiScipio
Subject: FW: [[cat-users]] CAT errors
-----Original Message-----
From: Dubravko Voncina [mailto: ]
Sent: Monday, March 13, 2017 9:08 AM
To: Michael Naylor
<MNaylor AT wooster.edu>
Cc: Stefan Winter
<stefan.winter AT restena.lu>;
cat-users AT lists.geant.org
Subject: Re: [[cat-users]] CAT errors
Hello Michael,
From what I can see, eduroam SP proxy throws some unusual errors after
someone authenticates through IdP https://idp.wooster.edu/idp/shibboleth.
According to our SP logs, your IdP provides many attributes, but it doesn't
provide the only one required to access CAT service, which is
eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10).
Alternativelly, if your IdP doesn't provide attribute eduPersonTargetedID,
eduroam SP proxy can use persistent NameID from <Subject> ... </Subject> part
of your IdP AuthnResponse as your unique identifier. Unfortunatelly, your IdP
doesn't provide NameID parameter at all. For example, Subject part of
AuthnResponse usually looks like:
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://idp.cpe.fr/idp/shibboleth"
SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">some_value</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="134.214.49.140"
InResponseTo="_9897255e02261902a6594b5bdb6e421d0df41d1ab3"
NotOnOrAfter="2017-03-13T12:53:02.713Z"
Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
but Subject part of your IdP AuthnResponse looks like:
<saml2:Subject>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="140.103.32.91"
InResponseTo="_cac7ff94553b9507d35e7b9db19a83d403b66eaa56"
NotOnOrAfter="2017-03-10T15:39:59.810Z"
Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
To cut a long story short, your IdP should either provide eduPersonTargetedID
attribute or persistent NameID parameter within a Subject field of
AuthnResponse message.
Best regards,
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559
- [[cat-users]] CAT errors, Michael Naylor, 03/10/2017
- Re: [[cat-users]] CAT errors, Stefan Winter, 03/10/2017
- RE: [[cat-users]] CAT errors, Michael Naylor, 03/10/2017
- Re: [[cat-users]] CAT errors, Dubravko Voncina, 03/13/2017
- Message not available
- RE: [[cat-users]] CAT errors, Roger Dills, 03/16/2017
- Re: [[cat-users]] CAT errors, Dubravko Voncina, 03/17/2017
- RE: [[cat-users]] CAT errors, Roger Dills, 03/16/2017
- Message not available
- Re: [[cat-users]] CAT errors, Dubravko Voncina, 03/13/2017
- RE: [[cat-users]] CAT errors, Michael Naylor, 03/10/2017
- Re: [[cat-users]] CAT errors, Stefan Winter, 03/10/2017
Archive powered by MHonArc 2.6.19.