Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)


Chronological Thread 
  • From: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • To: Jon Agland <Jon.Agland AT jisc.ac.uk>
  • Cc: "a.barker AT ucl.ac.uk" <a.barker AT ucl.ac.uk>, "d.ansong AT ucl.ac.uk" <d.ansong AT ucl.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, "e.cardinal-richards AT ucl.ac.uk" <e.cardinal-richards AT ucl.ac.uk>, "stefan.winter AT restena.lu" <stefan.winter AT restena.lu>, "a.uhde AT ucl.ac.uk" <a.uhde AT ucl.ac.uk>
  • Subject: Re: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
  • Date: Mon, 17 Jul 2017 16:16:19 +0200

Hello all,

According to our SP log, UCL IdP still doesn't provide NameID Format value
within <Subject></Subject> field:

<saml2:Issuer>https://shib-idp.ucl.ac.uk/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="128.40.223.152"
InResponseTo="_473b16dd49f055833f88e0b668b731f7581b2e5591"
NotOnOrAfter="2017-07-14T12:29:51.518Z"
Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
...

Unfortunatelly, although UCL IdP releases attribute eduPersonTargetedID which
should be sufficient for user authorization, current authorization workflow
requires IdP to also provide NameID Format value within <Subject></Subject>
part of the AuthNResponse message.

I'll check if I can improve authorization process, but considering my other
obligations, it will take me at least couple of weeks to find a solution that
will suit everyone.

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559




> On 14 Jul 2017, at 16:12, Jon Agland
> <Jon.Agland AT jisc.ac.uk>
> wrote:
>
> Hi All,
>
> This is Jon Agland from the UK federation team at Jisc.
>
> The IdP for UCL (University College London) is registered in our
> federation, if we can be of any assistance to Adrian as the operator of the
> IdP, then please raise a call with us by mailing
> service AT ukfederation.org.uk.
>
> Initially, I would suggest contacting us after trying to use our test SP at
> https://test.ukfederation.org.uk, using one or both of the SAML2 tests
> listed there. In theory the 'Show SAML assertions' section of our test
> page/SP, may reveal or not the elements that Stefan and Dubravko are
> referring to.
>
> Kind regards,
>
> Jon
> --
> Jisc is a registered charity (number 1149740) and a company limited by
> guarantee which is registered in England under Company No. 5747339, VAT
>
> No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
> Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
> Jisc Services Limited is a wholly owned Jisc subsidiary and a company
> limited by guarantee which is registered in England under company
> number 2881024, VAT number GB 197 0632 86. The registered office is:
> One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
>
>
>
>
>
> On Fri, 2017-07-14 at 15:33 +0200, Stefan Winter wrote:
>> Hi,
>>
>>>
>>> As seen from the email thread directly below, we have tried your
>>> suggestion but the problem still persists
>>> Is there anything else you can check on your side?
>> TL;DR: seeing the actual message would really help :-)
>>
>> Long version:
>>
>> No disrespect intended, but the reply from your colleagues is not a
>> profound argument countering what Dubravko hinted at.
>>
>> "The login was successful, no errors" merely means that your IdP at
>> the
>> sending side sent a message it was happy with.
>>
>> That doesn't mean the recipient is happy with what it gets.
>>
>> Specifically, Dubravko pinpointed that there is a <Subject> element
>> without a <NameID>.
>>
>> According to the SAML 2.0 specification, the <Subject> element, if
>> present, has to carry an identifer, or at least one
>> SubjectConfirmation,
>> or both of these.
>>
>> Identifier above means any of the tags <BaseID>, <NameID> or
>> <EncryptedID>.
>>
>> So, the question to ask is: does the message that your IdP generate
>> contain any of these three IDs, or alternatively a
>> <SubjectConfirmation>
>> element?
>>
>> We are not done yet at that point, unfortunately: as discussed above,
>> <NameID> is only one alternative, and it does not /necessarily/ have
>> to
>> be in the Subject.
>>
>> But the "Interoperable SAML 2.0 Profile" (SAML2Int) goes further and
>> requires that at least the transient variant of NameIDs MUST be
>> supported (it can be at other places in the SAML message though, not
>> necessarily in the Subject).
>>
>> Which leads to the second question to ask: does the message that your
>> IdP generate contain a <NameID> anywhere in the message?
>>
>> If the message does conform to SAML 2.0 and SAML2Int, then it is an
>> error on the receiving side; otherwise, it's rather the sending side.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>>>
>>>
>>> Many Thanks
>>>
>>> Daniel
>>>
>>>
>>> -----Original Message-----
>>> From: Barker, Adrian
>>> Sent: 14 July 2017 13:33
>>> To: Ansong, Daniel
>>> Cc: Cardinal-Richards, Emma; mss
>>> Subject: RE: [[cat-users]] Eduroam CAT tool for UCL
>>> (Ref:IN:00189393)
>>>
>>>
>>> Hi Daniel,
>>>
>>>
>>> I've tried this, and according to the logs on our IDP, the login
>>> was successful - there are no error reports. So, the problem is at
>>> the eduroam.org side. They will need to check the logs to see what
>>> the problem is.
>>>
>>>
>>> Adrian.
>>>
>>>
>>> -----Original Message-----
>>> From: Ansong, Daniel
>>> Sent: 12 July 2017 11:00
>>> To: Barker, Adrian
>>> Cc: Cardinal-Richards, Emma; mss
>>> Subject: FW: [[cat-users]] Eduroam CAT tool for UCL
>>> (Ref:IN:00189393)
>>>
>>> Hi Adrian,
>>>
>>> Is this something you can help with?
>>>
>>> Please see Dubravkos message directly below, relating to the issue
>>> we are having trying to access our eduroam CAT tool following these
>>> steps:
>>>
>>> 1. Log on to: https://cat.eduroam.org/
>>>
>>> 2. Select: eduroam admin: mange your idp
>>>
>>> 3. Click login
>>>
>>> 4. Select UCL (University College London)
>>>
>>> This is where it gets stuck on
>>> at https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/
>>> default-sp
>>>
>>>
>>> Regards
>>>
>>> Daniel
>>>
>>> -----Original Message-----
>>> From: Dubravko Voncina
>>> [mailto:dubravko.voncina AT srce.hr]
>>> Sent: 11 July 2017 20:03
>>> To: Ansong, Daniel
>>> Cc: Stefan Winter;
>>> cat-users AT lists.geant.org
>>> Subject: Re: [[cat-users]] Eduroam CAT tool for UCL
>>> (Ref:IN:00189393)
>>>
>>> Hello Daniel,
>>>
>>> I apologize for a bit late response, I'm very busy trying to solve
>>> several different problems these days.
>>> I think that problem might be caused by your IdP not providing
>>> NameID Format value in
>>>
>>> <saml2:Subject>...</saml2:Subject>
>>>
>>> part of autentication response message.
>>>
>>> Since your IdP provides attribute eduPersonTargetedID, NameID
>>> Format value is actually not important, but it still has to be
>>> provided in Subject part of AuthNResponse message. Otherwise our SP
>>> can't parse AuthNResponse message properly.
>>>
>>> Kind regards,
>>>
>>> Dubravko Voncina
>>> Middleware and Data Services Department
>>> University of Zagreb, University Computing Centre,
>>> www.srce.unizg.hr
>>> dubravko.voncina AT srce.hr,
>>> tel: +385 98 219273,
>>> fax: +385 1 6165559
>>>
>>>
>>>
>>>
>>>>
>>>> On 10 Jul 2017, at 17:07, Ansong, Daniel
>>>> <d.ansong AT ucl.ac.uk>
>>>> wrote:
>>>>
>>>> Hi Stefan,
>>>>
>>>> Thanks for chasing this up, but am yet to hear back from the
>>>> Operations team
>>>>
>>>> Regards
>>>>
>>>> Daniel
>>>>
>>>> -----Original Message-----
>>>> From: Stefan Winter
>>>> [mailto:stefan.winter AT restena.lu]
>>>> Sent: 07 July 2017 08:04
>>>> To: Ansong, Daniel;
>>>> cat-users AT lists.geant.org
>>>> Subject: Re: [[cat-users]] Eduroam CAT tool for UCL
>>>> (Ref:IN:00189393)
>>>>
>>>> Hello,
>>>>
>>>>>
>>>>> Apologies for the lack of info in the first email I’m a bit new
>>>>> to
>>>>> this stuff so bear with me.
>>>>>
>>>>> Please see answers to your questions below
>>>> Thank you for that!
>>>>
>>>>
>>>>>
>>>>>>
>>>>>> If you do not, what is the error you are getting / evidence
>>>>>> you are seeing?
>>>>> *Once I authenticat**e through our local shibboleth service**,
>>>>> it
>>>>> gets stuck on a blank screen at address:*
>>>>>
>>>>> *https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.ph
>>>>> p/defa
>>>>> u
>>>>> lt-sp*
>>>> eduroam CAT does not have its own user authentication. We send
>>>> admin login authentication requests to a central auth server for
>>>> all eduroam Operations Support Services (the "eduroam SP proxy")
>>>> running on monitor.eduroam.org. That is the URL you are seeing.
>>>>
>>>> Since this particular box is not under CAT control, I will
>>>> forward this request to the eduroam Operations Team. They will
>>>> get back to you - probably they need a timestamp of your
>>>> unsuccessful login attempt to find the issue in the logs...
>>>>
>>>> Greetings,
>>>>
>>>> Stefan Winter
>>>> To unsubscribe, send this message:
>>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>>> Or use the following link:
>>>> https://lists.geant.org/sympa/sigrequest/cat-users
>>> To unsubscribe, send this message:
>>> mailto:sympa AT lists.geant.org?sub
>>> ject=unsubscribe%20cat-users
>>> Or use the following link: https://lists.geant.org/sympa/sigrequest
>>> /cat-users
>>>




Archive powered by MHonArc 2.6.19.

Top of Page