
cat-users - RE: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: "Barker, Adrian" <a.barker AT ucl.ac.uk>
  • To: "Ansong, Daniel" <d.ansong AT ucl.ac.uk>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, "Cardinal-Richards, Emma" <e.cardinal-richards AT ucl.ac.uk>, "stefan.winter AT restena.lu" <stefan.winter AT restena.lu>, "Uhde, Alex" <a.uhde AT ucl.ac.uk>, Dubravko Voncina <dubravko.voncina AT srce.hr>, Jon Agland <Jon.Agland AT jisc.ac.uk>, "Pickett, Melanie" <m.pickett AT ucl.ac.uk>
  • Subject: RE: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
  • Date: Wed, 26 Jul 2017 07:23:08 +0000

Hi Daniel,


The UK Federation is helping us with this. I sent them our config files
yesterday.


Adrian.

> -----Original Message-----
> From: Ansong, Daniel
> Sent: Wednesday, July 26, 2017 8:19 AM
> To: Barker, Adrian
> Cc:
> cat-users AT lists.geant.org;
> Cardinal-Richards, Emma;
> stefan.winter AT restena.lu;
> Uhde, Alex; Dubravko Voncina; Jon Agland;
> Pickett, Melanie
> Subject: RE: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
>
> Hi Adrian,
>
> Let me know if you have been able to look at this issue?
>
> Kind Regards
>
> Daniel
>
> -----Original Message-----
> From: Barker, Adrian
> Sent: 17 July 2017 15:26
> To: Dubravko Voncina; Jon Agland
> Cc: Ansong, Daniel;
> cat-users AT lists.geant.org;
> Cardinal-Richards, Emma;
> stefan.winter AT restena.lu;
> Uhde, Alex
> Subject: RE: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
>
> Hi,
>
> We have not yet looked at this problem. We are extremely busy at the
> moment, and are also in the middle of moving offices.
>
>
>
> Adrian Barker,
> Web Technologies,
> University College London.
>
>
>
> -----Original Message-----
> From: Dubravko Voncina
> [mailto:dubravko.voncina AT srce.hr]
> Sent: 17 July 2017 15:16
> To: Jon Agland
> Cc: Barker, Adrian; Ansong, Daniel;
> cat-users AT lists.geant.org;
> Cardinal-Richards, Emma;
> stefan.winter AT restena.lu;
> Uhde, Alex
> Subject: Re: [[cat-users]] Eduroam CAT tool for UCL (Ref:IN:00189393)
>
> Hello all,
>
> According to our SP log, UCL IdP still doesn't provide NameID Format value
> within <Subject></Subject> field:
>
> <saml2:Issuer>https://shib-idp.ucl.ac.uk/shibboleth</saml2:Issuer>
> <saml2:Subject>
>   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>     <saml2:SubjectConfirmationData Address="128.40.223.152"
>         InResponseTo="_473b16dd49f055833f88e0b668b731f7581b2e5591"
>         NotOnOrAfter="2017-07-14T12:29:51.518Z"
>         Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/>
>   </saml2:SubjectConfirmation>
> </saml2:Subject>
> ...
>
> Unfortunately, although UCL IdP releases attribute eduPersonTargetedID
> which should be sufficient for user authorization, current authorization
> workflow requires IdP to also provide NameID Format value within
> <Subject></Subject> part of the AuthNResponse message.
>
> I'll check if I can improve authorization process, but considering my other
> obligations, it will take me at least a couple of weeks to find a solution
> that will suit everyone.
>
> Dubravko Voncina
> Middleware and Data Services Department
> University of Zagreb, University Computing Centre, www.srce.unizg.hr
> dubravko.voncina AT srce.hr,
> tel: +385 98 219273, fax: +385 1 6165559
>
>
>
>
> > On 14 Jul 2017, at 16:12, Jon Agland
> > <Jon.Agland AT jisc.ac.uk>
> > wrote:
> >
> > Hi All,
> >
> > This is Jon Agland from the UK federation team at Jisc.
> >
> > The IdP for UCL (University College London) is registered in our
> > federation, if we can be of any assistance to Adrian as the operator of
> > the IdP, then please raise a call with us by mailing
> > service AT ukfederation.org.uk.
> >
> > Initially, I would suggest contacting us after trying to use our test SP
> > at https://test.ukfederation.org.uk, using one or both of the SAML2 tests
> > listed there. In theory the 'Show SAML assertions' section of our test
> > page/SP, may reveal or not the elements that Stefan and Dubravko are
> > referring to.
> >
> > Kind regards,
> >
> > Jon
> >
> >
> >
> >
> >
> > On Fri, 2017-07-14 at 15:33 +0200, Stefan Winter wrote:
> >> Hi,
> >>
> >>>
> >>> As seen from the email thread directly below, we have tried your
> >>> suggestion but the problem still persists. Is there anything else you
> >>> can check on your side?
> >> TL;DR: seeing the actual message would really help :-)
> >>
> >> Long version:
> >>
> >> No disrespect intended, but the reply from your colleagues is not a
> >> profound argument countering what Dubravko hinted at.
> >>
> >> "The login was successful, no errors" merely means that your IdP at
> >> the sending side sent a message it was happy with.
> >>
> >> That doesn't mean the recipient is happy with what it gets.
> >>
> >> Specifically, Dubravko pinpointed that there is a <Subject> element
> >> without a <NameID>.
> >>
> >> According to the SAML 2.0 specification, the <Subject> element, if
> >> present, has to carry an identifier, or at least one
> >> SubjectConfirmation, or both of these.
> >>
> >> Identifier above means any of the tags <BaseID>, <NameID> or
> >> <EncryptedID>.
> >>
> >> So, the question to ask is: does the message that your IdP generates
> >> contain any of these three IDs, or alternatively a
> >> <SubjectConfirmation> element?
> >>
> >> We are not done yet at that point, unfortunately: as discussed above,
> >> <NameID> is only one alternative, and it does not /necessarily/ have
> >> to be in the Subject.
> >>
> >> But the "Interoperable SAML 2.0 Profile" (SAML2Int) goes further and
> >> requires that at least the transient variant of NameIDs MUST be
> >> supported (it can be at other places in the SAML message though, not
> >> necessarily in the Subject).
> >>
> >> Which leads to the second question to ask: does the message that your
> >> IdP generates contain a <NameID> anywhere in the message?
> >>
> >> If the message does conform to SAML 2.0 and SAML2Int, then it is an
> >> error on the receiving side; otherwise, it's rather the sending side.
> >>
> >> Greetings,
> >>
> >> Stefan Winter
> >>
> >>>
> >>>
> >>> Many Thanks
> >>>
> >>> Daniel
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: Barker, Adrian
> >>> Sent: 14 July 2017 13:33
> >>> To: Ansong, Daniel
> >>> Cc: Cardinal-Richards, Emma; mss
> >>> Subject: RE: [[cat-users]] Eduroam CAT tool for UCL
> >>> (Ref:IN:00189393)
> >>>
> >>>
> >>> Hi Daniel,
> >>>
> >>>
> >>> I've tried this, and according to the logs on our IDP, the login
> >>> was successful - there are no error reports. So, the problem is at
> >>> the eduroam.org side. They will need to check the logs to see what
> >>> the problem is.
> >>>
> >>>
> >>> Adrian.
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: Ansong, Daniel
> >>> Sent: 12 July 2017 11:00
> >>> To: Barker, Adrian
> >>> Cc: Cardinal-Richards, Emma; mss
> >>> Subject: FW: [[cat-users]] Eduroam CAT tool for UCL
> >>> (Ref:IN:00189393)
> >>>
> >>> Hi Adrian,
> >>>
> >>> Is this something you can help with?
> >>>
> >>> Please see Dubravko's message directly below, relating to the issue
> >>> we are having trying to access our eduroam CAT tool following these
> >>> steps:
> >>>
> >>> 1. Log on to: https://cat.eduroam.org/
> >>>
> >>> 2. Select: eduroam admin: manage your idp
> >>>
> >>> 3. Click login
> >>>
> >>> 4. Select UCL (University College London)
> >>>
> >>> This is where it gets stuck on
> >>> at https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp
> >>>
> >>>
> >>> Regards
> >>>
> >>> Daniel
> >>>
> >>> -----Original Message-----
> >>> From: Dubravko Voncina
> >>> [mailto:dubravko.voncina AT srce.hr]
> >>> Sent: 11 July 2017 20:03
> >>> To: Ansong, Daniel
> >>> Cc: Stefan Winter;
> >>> cat-users AT lists.geant.org
> >>> Subject: Re: [[cat-users]] Eduroam CAT tool for UCL
> >>> (Ref:IN:00189393)
> >>>
> >>> Hello Daniel,
> >>>
> >>> I apologize for a bit late response, I'm very busy trying to solve
> >>> several different problems these days.
> >>> I think that problem might be caused by your IdP not providing
> >>> NameID Format value in
> >>>
> >>> <saml2:Subject>...</saml2:Subject>
> >>>
> >>> part of authentication response message.
> >>>
> >>> Since your IdP provides attribute eduPersonTargetedID, NameID Format
> >>> value is actually not important, but it still has to be provided in
> >>> Subject part of AuthNResponse message. Otherwise our SP can't parse
> >>> AuthNResponse message properly.
> >>>
> >>> Kind regards,
> >>>
> >>> Dubravko Voncina
> >>> Middleware and Data Services Department University of Zagreb,
> >>> University Computing Centre, www.srce.unizg.hr
> >>> dubravko.voncina AT srce.hr,
> >>> tel: +385 98 219273,
> >>> fax: +385 1 6165559
> >>>
> >>>
> >>>
> >>>
> >>>>
> >>>> On 10 Jul 2017, at 17:07, Ansong, Daniel
> >>>> <d.ansong AT ucl.ac.uk>
> >>>> wrote:
> >>>>
> >>>> Hi Stefan,
> >>>>
> >>>> Thanks for chasing this up, but am yet to hear back from the
> >>>> Operations team
> >>>>
> >>>> Regards
> >>>>
> >>>> Daniel
> >>>>
> >>>> -----Original Message-----
> >>>> From: Stefan Winter
> >>>> [mailto:stefan.winter AT restena.lu]
> >>>> Sent: 07 July 2017 08:04
> >>>> To: Ansong, Daniel;
> >>>> cat-users AT lists.geant.org
> >>>> Subject: Re: [[cat-users]] Eduroam CAT tool for UCL
> >>>> (Ref:IN:00189393)
> >>>>
> >>>> Hello,
> >>>>
> >>>>>
> >>>>> Apologies for the lack of info in the first email I’m a bit new to
> >>>>> this stuff so bear with me.
> >>>>>
> >>>>> Please see answers to your questions below
> >>>> Thank you for that!
> >>>>
> >>>>
> >>>>>
> >>>>>>
> >>>>>> If you do not, what is the error you are getting / evidence you
> >>>>>> are seeing?
> >>>>> Once I authenticate through our local shibboleth service, it
> >>>>> gets stuck on a blank screen at address:
> >>>>>
> >>>>> https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp
> >>>> eduroam CAT does not have its own user authentication. We send
> >>>> admin login authentication requests to a central auth server for
> >>>> all eduroam Operations Support Services (the "eduroam SP proxy")
> >>>> running on monitor.eduroam.org. That is the URL you are seeing.
> >>>>
> >>>> Since this particular box is not under CAT control, I will forward
> >>>> this request to the eduroam Operations Team. They will get back to
> >>>> you - probably they need a timestamp of your unsuccessful login
> >>>> attempt to find the issue in the logs...
> >>>>
> >>>> Greetings,
> >>>>
> >>>> Stefan Winter
> >>>> To unsubscribe, send this message:
> >>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> >>>> Or use the following link:
> >>>> https://lists.geant.org/sympa/sigrequest/cat-users
> >>>
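
The two questions Stefan Winter poses in the thread (does the `<Subject>` carry an identifier or a `<SubjectConfirmation>`, and is there a `<NameID>` anywhere in the message) can be answered mechanically from a captured response. The Python check below is an added example, not part of the thread and not code from eduroam, Shibboleth or the UK federation; `check_subject`, the two sample messages and the example.org URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ID_TAGS = ("BaseID", "NameID", "EncryptedID")  # the three identifier elements

def tag(name):
    return f"{{{NS}}}{name}"

def check_subject(xml_text):
    """Report which identifiers a captured SAML message actually carries."""
    # Meant for a message you captured yourself; for untrusted XML use a
    # hardened parser rather than the standard library one.
    root = ET.fromstring(xml_text)
    subject = next(root.iter(tag("Subject")), None)
    # Only direct children of <Subject> count as the subject's identifier.
    ids = [] if subject is None else [
        t for t in ID_TAGS if subject.find(tag(t)) is not None]
    confirmed = (subject is not None
                 and subject.find(tag("SubjectConfirmation")) is not None)
    nameids = list(root.iter(tag("NameID")))
    return {
        "subject_present": subject is not None,
        "subject_identifiers": ids,
        "subject_confirmation": confirmed,
        # SAML 2.0 core: a Subject needs an identifier, a confirmation, or both.
        "subject_schema_ok": subject is None or bool(ids) or confirmed,
        "nameid_anywhere": bool(nameids),
        "nameid_formats": [n.get("Format") for n in nameids],
    }

# Constructed sample shaped like the SP log excerpt: confirmation, no NameID.
WITHOUT_NAMEID = f"""<saml2:Assertion xmlns:saml2="{NS}">
  <saml2:Issuer>https://idp.example.org/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Recipient="https://sp.example.org/acs"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
</saml2:Assertion>"""

# Constructed sample with a transient NameID inside the Subject.
WITH_NAMEID = WITHOUT_NAMEID.replace(
    "<saml2:Subject>",
    '<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:'
    'nameid-format:transient">_constructed-value</saml2:NameID>')

if __name__ == "__main__":
    for label, msg in (("without", WITHOUT_NAMEID), ("with", WITH_NAMEID)):
        print(label, check_subject(msg))
```

For the first sample the result shows a schema-valid Subject with no NameID anywhere, which is the situation the SP operator describes: the message can satisfy the core specification and still be rejected by a receiver that expects a NameID in the Subject.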



