cat-users - Re: [[cat-users]] FW: Eduroam CAT tool for UCL (Ref:IN:00189393)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Ansong, Daniel" <d.ansong AT ucl.ac.uk>, "dubravko.voncina AT srce.hr" <dubravko.voncina AT srce.hr>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, "Cardinal-Richards, Emma" <e.cardinal-richards AT ucl.ac.uk>, "Barker, Adrian" <a.barker AT ucl.ac.uk>, "Uhde, Alex" <a.uhde AT ucl.ac.uk>
  • Subject: Re: [[cat-users]] FW: Eduroam CAT tool for UCL (Ref:IN:00189393)
  • Date: Fri, 14 Jul 2017 15:33:17 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> As seen from the email thread directly below, we have tried your suggestion
> but the problem still persists
> Is there anything else you can check on your side?

TL;DR: seeing the actual message would really help :-)

Long version:

No disrespect intended, but the reply from your colleagues is not a
profound argument countering what Dubravko hinted at.

"The login was successful, no errors" merely means that your IdP at the
sending side sent a message it was happy with.

That doesn't mean the recipient is happy with what it gets.

Specifically, Dubravko pinpointed that there is a <Subject> element
without a <NameID>.

According to the SAML 2.0 specification, the <Subject> element, if
present, has to carry an identifier, or at least one SubjectConfirmation,
or both of these.

Identifier above means any of the tags <BaseID>, <NameID> or <EncryptedID>.

So, the question to ask is: does the message that your IdP generates
contain any of these three IDs, or alternatively a <SubjectConfirmation>
element?

We are not done yet at that point, unfortunately: as discussed above,
<NameID> is only one alternative, and it does not /necessarily/ have to
be in the Subject.

But the "Interoperable SAML 2.0 Profile" (SAML2Int) goes further and
requires that at least the transient variant of NameIDs MUST be
supported (it can be at other places in the SAML message though, not
necessarily in the Subject).

Which leads to the second question to ask: does the message that your
IdP generates contain a <NameID> anywhere in the message?

If the message does conform to SAML 2.0 and SAML2Int, then it is an
error on the receiving side; otherwise, it's rather the sending side.

Greetings,

Stefan Winter

>
> Many Thanks
>
> Daniel
>
>
> -----Original Message-----
> From: Barker, Adrian
> Sent: 14 July 2017 13:33
> To: Ansong, Daniel
> Cc: Cardinal-Richards, Emma; mss
> Subject: RE: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
>
>
> Hi Daniel,
>
>
> I've tried this, and according to the logs on our IDP, the login was
> successful - there are no error reports. So, the problem is at the
> eduroam.org side. They will need to check the logs to see what the problem
> is.
>
>
> Adrian.
>
>
> -----Original Message-----
> From: Ansong, Daniel
> Sent: 12 July 2017 11:00
> To: Barker, Adrian
> Cc: Cardinal-Richards, Emma; mss
> Subject: FW: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
>
> Hi Adrian,
>
> Is this something you can help with?
>
> Please see Dubravko's message directly below, relating to the issue we are
> having trying to access our eduroam CAT tool following these steps:
>
> 1. Log on to: https://cat.eduroam.org/
>
> 2. Select: eduroam admin: manage your idp
>
> 3. Click login
>
> 4. Select UCL (University College London)
>
> This is where it gets stuck on
> at
> https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp
>
>
> Regards
>
> Daniel
>
> -----Original Message-----
> From: Dubravko Voncina
> [mailto:dubravko.voncina AT srce.hr]
> Sent: 11 July 2017 20:03
> To: Ansong, Daniel
> Cc: Stefan Winter;
> cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
>
> Hello Daniel,
>
> I apologize for a bit late response, I'm very busy trying to solve several
> different problems these days.
> I think that problem might be caused by your IdP not providing NameID
> Format value in
>
> <saml2:Subject>...</saml2:Subject>
>
> part of authentication response message.
>
> Since your IdP provides attribute eduPersonTargetedID, NameID Format value
> is actually not important, but it still has to be provided in Subject part
> of AuthNResponse message. Otherwise our SP can't parse AuthNResponse
> message properly.
>
> Kind regards,
>
> Dubravko Voncina
> Middleware and Data Services Department
> University of Zagreb, University Computing Centre, www.srce.unizg.hr
> dubravko.voncina AT srce.hr,
> tel: +385 98 219273, fax: +385 1 6165559
>
>
>
>
>> On 10 Jul 2017, at 17:07, Ansong, Daniel
>> <d.ansong AT ucl.ac.uk>
>> wrote:
>>
>> Hi Stefan,
>>
>> Thanks for chasing this up, but am yet to hear back from the
>> Operations team
>>
>> Regards
>>
>> Daniel
>>
>> -----Original Message-----
>> From: Stefan Winter
>> [mailto:stefan.winter AT restena.lu]
>> Sent: 07 July 2017 08:04
>> To: Ansong, Daniel;
>> cat-users AT lists.geant.org
>> Subject: Re: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
>>
>> Hello,
>>
>>> Apologies for the lack of info in the first email I’m a bit new to
>>> this stuff so bear with me.
>>>
>>> Please see answers to your questions below
>>
>> Thank you for that!
>>
>>
>>>> If you do not, what is the error you are getting / evidence you are
>>>> seeing?
>>>
>>> *Once I authenticate through our local shibboleth service, it
>>> gets stuck on a blank screen at address:*
>>>
>>> *https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp*
>>
>> eduroam CAT does not have its own user authentication. We send admin login
>> authentication requests to a central auth server for all eduroam
>> Operations Support Services (the "eduroam SP proxy") running on
>> monitor.eduroam.org. That is the URL you are seeing.
>>
>> Since this particular box is not under CAT control, I will forward this
>> request to the eduroam Operations Team. They will get back to you -
>> probably they need a timestamp of your unsuccessful login attempt to find
>> the issue in the logs...
>>
>> Greetings,
>>
>> Stefan Winter
>
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
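
The two questions asked in the reply above, written as a check that can be run over a decoded SAML message. This is an added example, not part of the original e-mail and not eduroam or CAT code; the sample assertions are constructed and unsigned, and all function and variable names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ID_TAGS = ("BaseID", "NameID", "EncryptedID")

def q(tag):
    """Qualify a tag name with the SAML 2.0 assertion namespace."""
    return f"{{{NS}}}{tag}"

def check_message(xml_text):
    """Structural check only (no signature validation) of one decoded message."""
    root = ET.fromstring(xml_text)
    subjects = []
    for subj in root.iter(q("Subject")):
        # Identifier and SubjectConfirmation are direct children of <Subject>.
        has_id = any(subj.find(q(t)) is not None for t in ID_TAGS)
        has_conf = subj.find(q("SubjectConfirmation")) is not None
        subjects.append({"identifier": has_id, "confirmation": has_conf,
                         "valid": has_id or has_conf})
    return {
        # Question 1: each <Subject> carries an identifier, a confirmation, or both.
        "subjects_valid": all(s["valid"] for s in subjects),
        "subjects": subjects,
        # Question 2: a <NameID> appears anywhere in the message.
        "nameid_anywhere": next(root.iter(q("NameID")), None) is not None,
    }

def assertion(subject_body, extra=""):
    """Build a constructed assertion around the given <Subject> content."""
    return (f'<saml2:Assertion xmlns:saml2="{NS}">'
            f"<saml2:Subject>{subject_body}</saml2:Subject>{extra}</saml2:Assertion>")

CONF = '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
TRANSIENT = ('<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
             "_constructed-id</saml2:NameID>")

SAMPLES = {  # constructed inputs, one per case discussed in the reply
    "empty Subject": assertion(""),
    "confirmation only": assertion(CONF),
    "NameID in Subject": assertion(TRANSIENT + CONF),
    "NameID outside Subject": assertion(
        CONF, "<saml2:AttributeStatement><saml2:Attribute Name='constructed'>"
        f"<saml2:AttributeValue>{TRANSIENT}</saml2:AttributeValue>"
        "</saml2:Attribute></saml2:AttributeStatement>"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        r = check_message(xml_text)
        print(f"{name}: subjects_valid={r['subjects_valid']} "
              f"nameid_anywhere={r['nameid_anywhere']}")
```

A message in the "confirmation only" shape passes the first question but not the second, which is the case where the two specifications give different answers.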