cat-users - Re: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)


  • From: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • To: Jon Agland <Jon.Agland AT jisc.ac.uk>
  • Cc: "a.barker AT ucl.ac.uk" <a.barker AT ucl.ac.uk>, "d.ansong AT ucl.ac.uk" <d.ansong AT ucl.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, "e.cardinal-richards AT ucl.ac.uk" <e.cardinal-richards AT ucl.ac.uk>, "stefan.winter AT restena.lu" <stefan.winter AT restena.lu>, "a.uhde AT ucl.ac.uk" <a.uhde AT ucl.ac.uk>
  • Subject: Re: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
  • Date: Mon, 17 Jul 2017 16:16:19 +0200

Hello all,

According to our SP log, the UCL IdP still doesn't provide a NameID Format value
within the <Subject></Subject> field:

<saml2:Issuer>https://shib-idp.ucl.ac.uk/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="128.40.223.152"
InResponseTo="_473b16dd49f055833f88e0b668b731f7581b2e5591"
NotOnOrAfter="2017-07-14T12:29:51.518Z"
Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
...

Unfortunately, although the UCL IdP releases the attribute eduPersonTargetedID, which
should be sufficient for user authorization, the current authorization workflow
requires the IdP to also provide a NameID Format value within the <Subject></Subject>
part of the AuthNResponse message.

I'll check if I can improve the authorization process, but considering my other
obligations, it will take me at least a couple of weeks to find a solution that
will suit everyone.

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559




> On 14 Jul 2017, at 16:12, Jon Agland <Jon.Agland AT jisc.ac.uk> wrote:
>
> Hi All,
>
> This is Jon Agland from the UK federation team at Jisc.
>
> The IdP for UCL (University College London) is registered in our
> federation, if we can be of any assistance to Adrian as the operator of the
> IdP, then please raise a call with us by mailing
> service AT ukfederation.org.uk.
>
> Initially, I would suggest contacting us after trying to use our test SP at
> https://test.ukfederation.org.uk, using one or both of the SAML2 tests
> listed there. In theory the 'Show SAML assertions' section of our test
> page/SP, may reveal or not the elements that Stefan and Dubravko are
> referring to.
>
> Kind regards,
>
> Jon
> --
> Jisc is a registered charity (number 1149740) and a company limited by
> guarantee which is registered in England under Company No. 5747339, VAT
> No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
> Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
> Jisc Services Limited is a wholly owned Jisc subsidiary and a company
> limited by guarantee which is registered in England under company
> number 2881024, VAT number GB 197 0632 86. The registered office is:
> One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
>
>
>
>
>
> On Fri, 2017-07-14 at 15:33 +0200, Stefan Winter wrote:
>> Hi,
>>
>>>
>>> As seen from the email thread directly below, we have tried your
>>> suggestion but the problem still persists.
>>> Is there anything else you can check on your side?
>> TL;DR: seeing the actual message would really help :-)
>>
>> Long version:
>>
>> No disrespect intended, but the reply from your colleagues is not a
>> profound argument countering what Dubravko hinted at.
>>
>> "The login was successful, no errors" merely means that your IdP at
>> the sending side sent a message it was happy with.
>>
>> That doesn't mean the recipient is happy with what it gets.
>>
>> Specifically, Dubravko pinpointed that there is a <Subject> element
>> without a <NameID>.
>>
>> According to the SAML 2.0 specification, the <Subject> element, if
>> present, has to carry an identifier, or at least one
>> SubjectConfirmation, or both of these.
>>
>> Identifier above means any of the tags <BaseID>, <NameID> or
>> <EncryptedID>.
>>
>> So, the question to ask is: does the message that your IdP generates
>> contain any of these three IDs, or alternatively a
>> <SubjectConfirmation> element?
>>
>> We are not done yet at that point, unfortunately: as discussed above,
>> <NameID> is only one alternative, and it does not /necessarily/ have
>> to be in the Subject.
>>
>> But the "Interoperable SAML 2.0 Profile" (SAML2Int) goes further and
>> requires that at least the transient variant of NameIDs MUST be
>> supported (it can be at other places in the SAML message though, not
>> necessarily in the Subject).
>>
>> Which leads to the second question to ask: does the message that your
>> IdP generates contain a <NameID> anywhere in the message?
>>
>> If the message does conform to SAML 2.0 and SAML2Int, then it is an
>> error on the receiving side; otherwise, it's rather the sending side.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>>>
>>>
>>> Many Thanks
>>>
>>> Daniel
>>>
>>>
>>> -----Original Message-----
>>> From: Barker, Adrian
>>> Sent: 14 July 2017 13:33
>>> To: Ansong, Daniel
>>> Cc: Cardinal-Richards, Emma; mss
>>> Subject: RE: [[cat-users]] Eduroam CAT tool for UCL
>>> (Ref:IN:00189393)
>>>
>>>
>>> Hi Daniel,
>>>
>>>
>>> I've tried this, and according to the logs on our IDP, the login
>>> was successful - there are no error reports. So, the problem is at
>>> the eduroam.org side. They will need to check the logs to see what
>>> the problem is.
>>>
>>>
>>> Adrian.
>>>
>>>
>>> -----Original Message-----
>>> From: Ansong, Daniel
>>> Sent: 12 July 2017 11:00
>>> To: Barker, Adrian
>>> Cc: Cardinal-Richards, Emma; mss
>>> Subject: FW: [[cat-users]] Eduroam CAT tool for UCL
>>> (Ref:IN:00189393)
>>>
>>> Hi Adrian,
>>>
>>> Is this something you can help with?
>>>
>>> Please see Dubravko's message directly below, relating to the issue
>>> we are having trying to access our eduroam CAT tool following these
>>> steps:
>>>
>>> 1. Log on to: https://cat.eduroam.org/
>>>
>>> 2. Select: eduroam admin: manage your IdP
>>>
>>> 3. Click login
>>>
>>> 4. Select UCL (University College London)
>>>
>>> This is where it gets stuck, at
>>> https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp
>>>
>>>
>>> Regards
>>>
>>> Daniel
>>>
>>> -----Original Message-----
>>> From: Dubravko Voncina
>>> [mailto:dubravko.voncina AT srce.hr]
>>> Sent: 11 July 2017 20:03
>>> To: Ansong, Daniel
>>> Cc: Stefan Winter;
>>> cat-users AT lists.geant.org
>>> Subject: Re: [[cat-users]] Eduroam CAT tool for UCL
>>> (Ref:IN:00189393)
>>>
>>> Hello Daniel,
>>>
>>> I apologize for the somewhat late response; I'm very busy trying to solve
>>> several different problems these days.
>>> I think the problem might be caused by your IdP not providing a
>>> NameID Format value in
>>>
>>> <saml2:Subject>...</saml2:Subject>
>>>
>>> part of the authentication response message.
>>>
>>> Since your IdP provides the attribute eduPersonTargetedID, the NameID
>>> Format value is actually not important, but it still has to be
>>> provided in the Subject part of the AuthNResponse message. Otherwise our SP
>>> can't parse the AuthNResponse message properly.
>>>
>>> Kind regards,
>>>
>>> Dubravko Voncina
>>> Middleware and Data Services Department
>>> University of Zagreb, University Computing Centre,
>>> www.srce.unizg.hr
>>> dubravko.voncina AT srce.hr,
>>> tel: +385 98 219273,
>>> fax: +385 1 6165559
>>>
>>>
>>>
>>>
>>>>
>>>> On 10 Jul 2017, at 17:07, Ansong, Daniel <d.ansong AT ucl.ac.uk> wrote:
>>>>
>>>> Hi Stefan,
>>>>
>>>> Thanks for chasing this up, but I am yet to hear back from the
>>>> Operations team.
>>>>
>>>> Regards
>>>>
>>>> Daniel
>>>>
>>>> -----Original Message-----
>>>> From: Stefan Winter
>>>> [mailto:stefan.winter AT restena.lu]
>>>> Sent: 07 July 2017 08:04
>>>> To: Ansong, Daniel;
>>>> cat-users AT lists.geant.org
>>>> Subject: Re: [[cat-users]] Eduroam CAT tool for UCL
>>>> (Ref:IN:00189393)
>>>>
>>>> Hello,
>>>>
>>>>>
>>>>> Apologies for the lack of info in the first email; I’m a bit new
>>>>> to this stuff so bear with me.
>>>>>
>>>>> Please see answers to your questions below
>>>> Thank you for that!
>>>>
>>>>
>>>>>
>>>>>>
>>>>>> If you do not, what is the error you are getting / evidence
>>>>>> you are seeing?
>>>>> Once I authenticate through our local shibboleth service, it
>>>>> gets stuck on a blank screen at address:
>>>>>
>>>>> https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp
>>>> eduroam CAT does not have its own user authentication. We send
>>>> admin login authentication requests to a central auth server for
>>>> all eduroam Operations Support Services (the "eduroam SP proxy")
>>>> running on monitor.eduroam.org. That is the URL you are seeing.
>>>>
>>>> Since this particular box is not under CAT control, I will
>>>> forward this request to the eduroam Operations Team. They will
>>>> get back to you - probably they need a timestamp of your
>>>> unsuccessful login attempt to find the issue in the logs...
>>>>
>>>> Greetings,
>>>>
>>>> Stefan Winter
>>>> To unsubscribe, send this message:
>>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>>> Or use the following link:
>>>> https://lists.geant.org/sympa/sigrequest/cat-users
>>>
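The two questions Stefan Winter's reply asks of the IdP's message (does the <Subject> carry an identifier or a <SubjectConfirmation>, and does a <NameID> appear anywhere, as SAML2Int requires), together with the NameID Format value Dubravko is looking for, can be checked mechanically on an assertion pulled from an SP log or from a test SP's "Show SAML assertions" view. The following Python script is an added example and is not code from the thread, from eduroam CAT or from the eduroam SP proxy. The first sample assertion wraps the <Subject> fragment Dubravko quoted in a minimal, unsigned <saml2:Assertion> so the saml2 prefix is declared; the second is a constructed variant of it with a transient NameID added. The function names, the `_example1` ID and the NameID value are assumptions made for the example.

```python
"""Check a SAML 2.0 <Subject> for what the cat-users thread asks about.

Added example, not from the thread or from eduroam CAT / SP proxy code.
Standard library only.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
# The three identifier elements the SAML 2.0 core spec allows in <Subject>.
IDENTIFIER_TAGS = ("BaseID", "NameID", "EncryptedID")
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample 1: the <Subject> fragment quoted in the thread (one
# SubjectConfirmation, no identifier), wrapped in a minimal Assertion so
# that the saml2 prefix is declared. Not a complete or signed assertion;
# the ID attribute is invented.
ASSERTION_NO_NAMEID = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_example1" Version="2.0">
<saml2:Issuer>https://shib-idp.ucl.ac.uk/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="128.40.223.152"
InResponseTo="_473b16dd49f055833f88e0b668b731f7581b2e5591"
NotOnOrAfter="2017-07-14T12:29:51.518Z"
Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
</saml2:Assertion>"""

# Constructed sample 2: the same Subject with a transient NameID added,
# i.e. what an IdP following SAML2Int would send. The value is invented.
ASSERTION_WITH_NAMEID = ASSERTION_NO_NAMEID.replace(
    "<saml2:Subject>",
    f'<saml2:Subject>\n<saml2:NameID Format="{TRANSIENT}">_7a1c0f</saml2:NameID>',
    1,
)


def check_subject(assertion_xml):
    """Answer the thread's questions for one <saml2:Assertion> string."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml2:Subject", NS)
    result = {
        "subject_present": subject is not None,
        "identifier": None,            # which identifier tag was found, if any
        "subject_confirmations": 0,
        # SAML 2.0 core rule: identifier, confirmation, or both. The rule
        # applies only if <Subject> is present, so it is vacuously met otherwise.
        "valid_saml2_subject": True,
        "nameid_anywhere": False,      # SAML2Int: a NameID somewhere in the message
        "nameid_format": None,         # the Format value Dubravko's SP expects
    }
    if subject is not None:
        for tag in IDENTIFIER_TAGS:
            if subject.find(f"saml2:{tag}", NS) is not None:
                result["identifier"] = tag
                break
        result["subject_confirmations"] = len(
            subject.findall("saml2:SubjectConfirmation", NS))
        result["valid_saml2_subject"] = (
            result["identifier"] is not None
            or result["subject_confirmations"] > 0)
    # NameID may sit outside <Subject>, so search the whole assertion.
    nameid = root.find(".//saml2:NameID", NS)
    if nameid is not None:
        result["nameid_anywhere"] = True
        result["nameid_format"] = nameid.get("Format")
    return result


def where_to_look(result):
    """Stefan's rule: a message that conforms to SAML 2.0 and SAML2Int points
    at the receiving side; anything else points at the sending side."""
    conforms = result["valid_saml2_subject"] and result["nameid_anywhere"]
    return "receiving side" if conforms else "sending side"


if __name__ == "__main__":
    for label, xml in (("no NameID", ASSERTION_NO_NAMEID),
                       ("with NameID", ASSERTION_WITH_NAMEID)):
        r = check_subject(xml)
        print(f"{label}: identifier={r['identifier']} "
              f"confirmations={r['subject_confirmations']} "
              f"nameid_anywhere={r['nameid_anywhere']} "
              f"format={r['nameid_format']} -> look at the {where_to_look(r)}")
```

Run against the fragment from the thread, the script reports a <Subject> that is valid under the SAML 2.0 core rule (it has a SubjectConfirmation) but carries no <NameID> anywhere, which is exactly the SAML2Int gap Stefan describes and the missing Format value Dubravko's SP trips over; the constructed second sample passes both checks.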



