cat-users - Re: [[cat-users]] Problem logging in to CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • To: Nik Mitev <nik.mitev AT jisc.ac.uk>
  • Cc: eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Problem logging in to CAT
  • Date: Thu, 3 May 2018 16:35:40 +0200

Hello again Nik,

I believe I've found the cause of your problem. Apparently, your IdP provides
a string value for the attribute 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'
(eduPersonTargetedID), which is an invalid eduPersonTargetedID value format.
This was tolerated in SimpleSAMLphp versions prior to 1.15, but the latest
stable version of SimpleSAMLphp requires eduPersonTargetedID to be provided
as an XML construct.

For example, your IdP provides a SAML authentication response which contains
the following attribute statement:


<saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Nik Mitev</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">some_value</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">some_value</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>


but instead, your IdP should provide an attribute statement that roughly
looks like:


<saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Nik Mitev</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">some_value</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>
      <saml:NameID NameQualifier="https://gidp.geant.net"
                   SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp"
                   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">some_value</saml:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>


I'm afraid there's not much we can do about it; this problem will have to be
fixed on the IdP side.

Best Regards,

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr,
tel: +385 98 219273, fax: +385 1 6165559




> On 03 May 2018, at 14:24, Nik Mitev
> <nik.mitev AT jisc.ac.uk>
> wrote:
>
> He had logged in earlier yes. And I certainly have logged in earlier too :)
>
> Nik
>
> -------- Original Message --------
> From: Stefan Winter
> Sent: Thursday, May 3, 2018 12:59 PM BST
> To:
> cat-users AT lists.geant.org
> Subject: [[cat-users]] Problem logging in to CAT
>
> Hi,
>
> I have a ticket from a user who reports he is failing to log in to CAT,
> and when I tried to log in myself to see if there is anything obvious my
> login failed as well with the message "An unhandled exception was
> thrown." and a tracking id of b80f6f0c25
>
> Debug: SAML2\Exception\RuntimeException: A
> "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" (EPTI) attribute value must be a
> NameID, none found for value no. "0
>
> Let me know if you need any further info.
>
> This coincides suspiciously with the maintenance work Miro announced for
> earlier today.
>
> Did the user log in successfully earlier, or is it a brand new user? The
> latter could mean a misconfigured IdP is at fault, the former would
> suggest it's more like an update problem on the SP side.
>
> Greetings,
>
> Stefan
>
>
>
> --
> Nik Mitev
> eduroam(UK) Development Specialist, Jisc
> www.eduroam.ac.uk
> Twitter @eduroamuk – for news, information, pictures and fun
>
> When replying to this e-mail it is essential to preserve the
> (Ref:IN:xxxxxxxx) text in the subject line and to always use 'Reply All'
>
>
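
A check an IdP operator could run on a captured attribute statement to see whether each eduPersonTargetedID value carries a NameID in the shape of the corrected statement in the message above. This is an added example, not part of the original e-mail or of SimpleSAMLphp; the function name check_epti and the example.org entity IDs are assumptions.

```python
import xml.etree.ElementTree as ET  # stdlib parser: run only on captures you trust

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTI_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def check_epti(statement_xml):
    """Return a list of problems found in EPTI values; an empty list means OK."""
    root = ET.fromstring(statement_xml)
    problems = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") != EPTI_OID:
            continue  # other attributes may legitimately be plain strings
        for i, value in enumerate(attr.findall(f"{{{SAML}}}AttributeValue")):
            name_ids = value.findall(f"{{{SAML}}}NameID")
            if len(name_ids) != 1:
                # The case behind "must be a NameID, none found" in the thread
                problems.append(
                    f"value {i}: expected one NameID child, found {len(name_ids)}")
                continue
            nid = name_ids[0]
            if nid.get("Format") != PERSISTENT:
                problems.append(f"value {i}: NameID Format is not persistent")
            if not (nid.text or "").strip():
                problems.append(f"value {i}: NameID is empty")
    return problems


# Constructed samples; the example.org entity IDs are placeholders.
_HEAD = (f'<saml:AttributeStatement xmlns:saml="{SAML}" '
         'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
         f'<saml:Attribute Name="{EPTI_OID}">')
_TAIL = "</saml:Attribute></saml:AttributeStatement>"
BAD = (_HEAD + '<saml:AttributeValue xsi:type="xs:string">some_value'
       '</saml:AttributeValue>' + _TAIL)
GOOD = (_HEAD + '<saml:AttributeValue><saml:NameID '
        'NameQualifier="https://idp.example.org" '
        'SPNameQualifier="https://sp.example.org" '
        f'Format="{PERSISTENT}">some_value</saml:NameID>'
        '</saml:AttributeValue>' + _TAIL)

if __name__ == "__main__":
    for label, doc in (("string value", BAD), ("NameID value", GOOD)):
        print(label, "->", check_epti(doc) or "OK")
```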



