
cat-users - Re: [[cat-users]] FW: Eduroam CAT tool for UCL (Ref:IN:00189393)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Jon Agland <Jon.Agland AT jisc.ac.uk>
  • To: "a.barker AT ucl.ac.uk" <a.barker AT ucl.ac.uk>, "d.ansong AT ucl.ac.uk" <d.ansong AT ucl.ac.uk>, "dubravko.voncina AT srce.hr" <dubravko.voncina AT srce.hr>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, "e.cardinal-richards AT ucl.ac.uk" <e.cardinal-richards AT ucl.ac.uk>, "stefan.winter AT restena.lu" <stefan.winter AT restena.lu>, "a.uhde AT ucl.ac.uk" <a.uhde AT ucl.ac.uk>
  • Subject: Re: [[cat-users]] FW: Eduroam CAT tool for UCL (Ref:IN:00189393)
  • Date: Fri, 14 Jul 2017 14:12:52 +0000

Hi All,

This is Jon Agland from the UK federation team at Jisc.

The IdP for UCL (University College London) is registered in our federation,
if we can be of any assistance to Adrian as the operator of the IdP, then
please raise a call with us by mailing 
service AT ukfederation.org.uk.

Initially, I would suggest contacting us after trying to use our test SP at 
https://test.ukfederation.org.uk, using one or both of the SAML2 tests listed
there.  In theory the 'Show SAML assertions' section of our test page/SP, may
reveal or not the elements that Stefan and Dubravko are referring to.

Kind regards,

Jon
--
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.
 
Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company
number 2881024, VAT number GB 197 0632 86. The registered office is:
One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.





On Fri, 2017-07-14 at 15:33 +0200, Stefan Winter wrote:
> Hi,
>
> >
> > As seen from the email thread directly below, we have tried your
> > suggestion but the problem still persists
> > Is there anything else you can check on your side?
> TL;DR: seeing the actual message would really help :-)
>
> Long version:
>
> No disrespect intended, but the reply from your colleagues is not a
> profound argument countering what Dubravko hinted at.
>
> "The login was successful, no errors" merely means that your IdP at the
> sending side sent a message it was happy with.
>
> That doesn't mean the recipient is happy with what it gets.
>
> Specifically, Dubravko pinpointed that there is a <Subject> element
> without a <NameID>.
>
> According to the SAML 2.0 specification, the <Subject> element, if
> present, has to carry an identifier, or at least one SubjectConfirmation,
> or both of these.
>
> Identifier above means any of the tags <BaseID>, <NameID> or
> <EncryptedID>.
>
> So, the question to ask is: does the message that your IdP generates
> contain any of these three IDs, or alternatively a <SubjectConfirmation>
> element?
>
> We are not done yet at that point, unfortunately: as discussed above,
> <NameID> is only one alternative, and it does not /necessarily/ have to
> be in the Subject.
>
> But the "Interoperable SAML 2.0 Profile" (SAML2Int) goes further and
> requires that at least the transient variant of NameIDs MUST be
> supported (it can be at other places in the SAML message though, not
> necessarily in the Subject).
>
> Which leads to the second question to ask: does the message that your
> IdP generates contain a <NameID> anywhere in the message?
>
> If the message does conform to SAML 2.0 and SAML2Int, then it is an
> error on the receiving side; otherwise, it's rather the sending side.
>
> Greetings,
>
> Stefan Winter
>
> >
> >
> > Many Thanks
> >
> > Daniel
> >
> >
> > -----Original Message-----
> > From: Barker, Adrian 
> > Sent: 14 July 2017 13:33
> > To: Ansong, Daniel
> > Cc: Cardinal-Richards, Emma; mss
> > Subject: RE: [[cat-users]] Eduroam CAT tool for UCL
> > (Ref:IN:00189393)
> >
> >
> > Hi Daniel,
> >
> >
> > I've tried this, and according to the logs on our IDP, the login
> > was successful - there are no error reports. So, the problem is at
> > the eduroam.org side. They will need to check the logs to see what
> > the problem is.
> >
> >
> > Adrian.
> >
> >
> > -----Original Message-----
> > From: Ansong, Daniel
> > Sent: 12 July 2017 11:00
> > To: Barker, Adrian
> > Cc: Cardinal-Richards, Emma; mss
> > Subject: FW: [[cat-users]] Eduroam CAT tool for UCL
> > (Ref:IN:00189393)
> >
> > Hi Adrian,
> >
> > Is this something you can help with?
> >
> > Please see Dubravko's message directly below, relating to the issue
> > we are having trying to access our eduroam CAT tool following these
> > steps:
> >
> > 1. Log on to: https://cat.eduroam.org/   
> >
> > 2. Select: eduroam admin: manage your idp
> >
> > 3. Click login 
> >
> > 4. Select UCL (University College London)
> >
> > This is where it gets stuck on
> > at https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp
> >
> >
> > Regards
> >
> > Daniel
> >
> > -----Original Message-----
> > From: Dubravko Voncina
> > [mailto:dubravko.voncina AT srce.hr]
> > Sent: 11 July 2017 20:03
> > To: Ansong, Daniel
> > Cc: Stefan Winter;
> > cat-users AT lists.geant.org
> > Subject: Re: [[cat-users]] Eduroam CAT tool for UCL
> > (Ref:IN:00189393)
> >
> > Hello Daniel,
> >
> > I apologize for a bit late response, I'm very busy trying to solve
> > several different problems these days.
> > I think that problem might be caused by your IdP not providing
> > NameID Format value in 
> >
> > <saml2:Subject>...</saml2:Subject> 
> >
> > part of authentication response message.
> >
> > Since your IdP provides attribute eduPersonTargetedID, NameID
> > Format value is actually not important, but it still has to be
> > provided in Subject part of AuthNResponse message. Otherwise our SP
> > can't parse AuthNResponse message properly.
> >
> > Kind regards,
> >
> > Dubravko Voncina
> > Middleware and Data Services Department
> > University of Zagreb, University Computing Centre,
> > www.srce.unizg.hr
> > dubravko.voncina AT srce.hr,
> > tel: +385 98 219273,
> > fax: +385 1 6165559
> >
> >
> >
> >
> > >
> > > On 10 Jul 2017, at 17:07, Ansong, Daniel
> > > <d.ansong AT ucl.ac.uk>
> > > wrote:
> > >
> > > Hi Stefan,
> > >
> > > Thanks for chasing this up, but am yet to hear back from the 
> > > Operations team
> > >
> > > Regards
> > >
> > > Daniel
> > >
> > > -----Original Message-----
> > > From: Stefan Winter
> > > [mailto:stefan.winter AT restena.lu]
> > > Sent: 07 July 2017 08:04
> > > To: Ansong, Daniel;
> > > cat-users AT lists.geant.org
> > > Subject: Re: [[cat-users]] Eduroam CAT tool for UCL
> > > (Ref:IN:00189393)
> > >
> > > Hello,
> > >
> > > >
> > > > Apologies for the lack of info in the first email I’m a bit new
> > > > to 
> > > > this stuff so bear with me.
> > > >
> > > > Please see answers to your questions below
> > > Thank you for that!
> > >
> > >
> > > >
> > > > >
> > > > > If you do not, what is the error you are getting / evidence
> > > > > you are seeing?
> > > > *Once I authenticate through our local shibboleth service, it
> > > > gets stuck on a blank screen at address:*
> > > >
> > > > *https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp*
> > > eduroam CAT does not have its own user authentication. We send
> > > admin login authentication requests to a central auth server for
> > > all eduroam Operations Support Services (the "eduroam SP proxy")
> > > running on monitor.eduroam.org. That is the URL you are seeing.
> > >
> > > Since this particular box is not under CAT control, I will
> > > forward this request to the eduroam Operations Team. They will
> > > get back to you - probably they need a timestamp of your
> > > unsuccessful login attempt to find the issue in the logs...
> > >
> > > Greetings,
> > >
> > > Stefan Winter

Attachment: smime.p7s
Description: S/MIME cryptographic signature
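
Added example (not part of the original thread, and not eduroam, Jisc or UCL code): a Python check that applies the two questions Stefan Winter poses above to a decoded SAML assertion. The sample assertions are constructed, `check_subject_rules` is a hypothetical helper name, and the assertion is assumed to be unencrypted.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ID_TAGS = {"{%s}%s" % (NS, n) for n in ("BaseID", "NameID", "EncryptedID")}
CONFIRMATION = "{%s}SubjectConfirmation" % NS

def check_subject_rules(xml_text):
    """Hypothetical helper: apply the thread's two questions to one message."""
    # Constructed samples only; parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    subjects = list(root.iter("{%s}Subject" % NS))
    subject_ok, subject_ids = True, []
    for subj in subjects:
        ids = [c for c in subj if c.tag in ID_TAGS]  # direct children only
        confirmed = any(c.tag == CONFIRMATION for c in subj)
        # Question 1: an identifier, a SubjectConfirmation, or both.
        subject_ok = subject_ok and (bool(ids) or confirmed)
        subject_ids += ids
    # Question 2: a <NameID> anywhere, e.g. inside an attribute value.
    nameids = list(root.iter("{%s}NameID" % NS))
    return {
        "subject_present": bool(subjects),
        "subject_ok": subject_ok,
        "nameid_in_subject": any(i.tag.endswith("}NameID") for i in subject_ids),
        "nameid_anywhere": bool(nameids),
        "nameid_formats": [n.get("Format") for n in nameids],
    }

# Constructed sample: the Subject carries only a SubjectConfirmation; the sole
# NameID sits inside the eduPersonTargetedID attribute value.
SAMPLE_CONFIRMATION_ONLY = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml2:AttributeValue>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">constructed-opaque-id</saml2:NameID>
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed sample: an empty Subject, which fails question 1.
SAMPLE_EMPTY_SUBJECT = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Subject/></saml2:Assertion>"""

if __name__ == "__main__":
    for name, doc in (("confirmation-only", SAMPLE_CONFIRMATION_ONLY),
                      ("empty-subject", SAMPLE_EMPTY_SUBJECT)):
        print(name, check_subject_rules(doc))
```

For the first sample, `subject_ok` is true while `nameid_in_subject` is false: a message that meets the SAML 2.0 rule quoted in the thread yet has no NameID Format in its Subject for the receiving side to read.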



