The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Dubravko Voncina <dubravko.voncina AT srce.hr>]

Hello Roger,

I did some more research. It looks like problem occurs because your IdP 
doesn't provide NameID parameter in the Subject part of SAML AuthnResponse.
In theory, NameID parameter is not required by our SP if your IdP provides 
attribute eduPersonTargetedID, but our SP is based on SimpleSAMLphp which 
apparently uses NameID as a reference to SSO session. Without this parameter, 
reference to SSO session is null which causes an error during authentication 
process.
Would it be possible for you to configure your IdP to force sending NameID, 
even if it's not specified in SP metadata? 

Best regards,

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
 tel: +385 98 219273, fax: +385 1 6165559




> On 16 Mar 2017, at 15:33, Roger Dills 
> <rdills AT wooster.edu>
>  wrote:
> 
> Hello Dubravko,
> 
> We've added "eduPersonTargetedID" as a released attribute. We can see the 
> logins are successful and attributes are all released. Unfortunately, the 
> "monitor.eduroam.org" website still reports a 500 error.
> 
> We've had Philippe Hanset at Anyroam issue a new login token, so the 
> expiration shouldn't currently be an issue.
> 
> If you could take another look at the logs and decipher where the error is 
> now occurring, it would be appreciated.
> 
> Thank you!
> 
> Roger Dills
> Senior Systems Administrator
> Technology Services
> The College of Wooster
> 
> 
> -----Original Message-----
> From: Michael Naylor 
> Sent: Monday, March 13, 2017 9:38 AM
> To: Roger Dills; Vincent T. DiScipio
> Subject: FW: [[cat-users]] CAT errors
> 
> 
> 
> -----Original Message-----
> From: Dubravko Voncina [mailto: ] 
> Sent: Monday, March 13, 2017 9:08 AM
> To: Michael Naylor 
> <MNaylor AT wooster.edu>
> Cc: Stefan Winter 
> <stefan.winter AT restena.lu>;
>  
> cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] CAT errors
> 
> Hello Michael,
> 
> From what I can see, eduroam SP proxy throws some unusual errors after 
> someone authenticates through IdP https://idp.wooster.edu/idp/shibboleth.
> According to our SP logs, your IdP provides many attributes, but it doesn't 
> provide the only one required to access CAT service, which is 
> eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10).
> Alternativelly, if your IdP doesn't provide attribute eduPersonTargetedID, 
> eduroam SP proxy can use persistent NameID from <Subject> ... </Subject> 
> part of your IdP AuthnResponse as your unique identifier. Unfortunatelly, 
> your IdP doesn't provide NameID parameter at all. For example, Subject part 
> of AuthnResponse usually looks like:
> 
> <saml2:Subject>
>    <saml2:NameID 
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
> NameQualifier="https://idp.cpe.fr/idp/shibboleth"; 
> SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp";>some_value</saml2:NameID>
>    <saml2:SubjectConfirmation 
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>        <saml2:SubjectConfirmationData Address="134.214.49.140" 
> InResponseTo="_9897255e02261902a6594b5bdb6e421d0df41d1ab3" 
> NotOnOrAfter="2017-03-13T12:53:02.713Z" 
> Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
>    </saml2:SubjectConfirmation>
> </saml2:Subject>
> 
> but Subject part of your IdP AuthnResponse looks like:
> 
> <saml2:Subject>
>    <saml2:SubjectConfirmation 
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>        <saml2:SubjectConfirmationData Address="140.103.32.91" 
> InResponseTo="_cac7ff94553b9507d35e7b9db19a83d403b66eaa56" 
> NotOnOrAfter="2017-03-10T15:39:59.810Z" 
> Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
>    </saml2:SubjectConfirmation>
> </saml2:Subject>
> 
> To cut a long story short, your IdP should either provide 
> eduPersonTargetedID attribute or persistent NameID parameter within a 
> Subject field of AuthnResponse message.
> 
> Best regards,
> 
> Dubravko Voncina
> Middleware and Data Services Department
> University of Zagreb, University Computing Centre, www.srce.unizg.hr 
> dubravko.voncina AT srce.hr,
>  tel: +385 98 219273, fax: +385 1 6165559 
> 
> To unsubscribe, send this message: 
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link: 
> https://lists.geant.org/sympa/sigrequest/cat-users