cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Dubravko Voncina <dubravko.voncina AT srce.hr>
- To: Thomas Andersen <than AT itu.dk>
- Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] WAYF login broken?
- Date: Sat, 5 May 2018 19:36:38 +0200
Hello Thomas,
Apparently, your authentication service (IdP) provides a string value for the attribute 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' (eduPersonTargetedID), which is an invalid, deprecated eduPersonTargetedID value format.
On Thursday we upgraded the version of SimpleSAMLphp which we use as a SAML IdP Proxy for the eduroam Configuration Assistant Tool. Providing the attribute 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' as a string was tolerated in SimpleSAMLphp versions prior to 1.15, but the latest stable version of SimpleSAMLphp requires eduPersonTargetedID to be provided as an XML construct.
For example, your IdP provides a SAML authentication response which contains the following attribute statement:
<saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">some_value</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Thomas Andersen</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">WAYF-DK-some_value</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
but instead, your IdP should provide an attribute statement that roughly looks like:
<saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">some_value</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Thomas Andersen</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>
      <saml:NameID NameQualifier="https://birk.wayf.dk/birk.php/wayf.itu.dk/saml2/idp/metadata.php"
                   SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp"
                   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">WAYF-DK-some_value</saml:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
Unfortunately, there's not much we can do about it, as this problem has to be fixed on the IdP side.
Best Regards,
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
On 04 May 2018, at 20:10, Thomas Andersen <than AT itu.dk> wrote:

Hi,

I’ve been trying to login to cat.eduroam.org with wayf, as always – but it fails.

Trace id: debe94c599

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)

Caused by: SAML2\Exception\RuntimeException: A "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" (EPTI) attribute value must be a NameID, none found for value no. "0"

Backtrace:
7 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:558 (SAML2\Assertion::parseAttributeValue)
6 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:540 (SAML2\Assertion::parseAttributes)
5 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:298 (SAML2\Assertion::__construct)
4 vendor/simplesamlphp/saml2/src/SAML2/Response.php:38 (SAML2\Response::__construct)
3 vendor/simplesamlphp/saml2/src/SAML2/Message.php:578 (SAML2\Message::fromXML)
2 vendor/simplesamlphp/saml2/src/SAML2/HTTPPost.php:76 (SAML2\HTTPPost::receive)
1 modules/saml/www/sp/saml2-acs.php:31 (require)
0 www/module.php:135 (N/A)

--
Med venlig hilsen / With best regards
Thomas Andersen
Network Architect
IT University of Copenhagen
Rued Langgaards Vej 7
2300 København S
Phone: +45 72185249

**NEVER DISCLOSE YOUR PASSWORD OR SHOE SIZE - NOT EVEN TO YOUR DENTIST**
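As an added example (not part of this thread, and not SimpleSAMLphp's own code), a small Python check an IdP operator can run over an AttributeStatement before shipping it: it applies the rule the SAML2 library's parseAttributeValue enforces on eduPersonTargetedID and reports the bare-string form that produced the exception above, plus the missing-qualifier and non-persistent cases a relying party would trip over next. The xmlns declarations and the example.org qualifiers are constructed placeholders, not the real entity IDs.

```python
"""Check eduPersonTargetedID (EPTI) values in a SAML 2.0 AttributeStatement the way
SimpleSAMLphp >= 1.15 does: each value must wrap a <saml:NameID>, not a bare string."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EPTI_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
XMLNS = (f'xmlns:saml="{SAML}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
         'xmlns:xs="http://www.w3.org/2001/XMLSchema"')

# Constructed samples modelled on the two statements quoted in the thread;
# the example.org qualifiers are placeholders, not the real IdP/SP entity IDs.
STRING_FORM = f"""<saml:AttributeStatement {XMLNS}>
  <saml:Attribute Name="{EPTI_OID}" NameFormat="{URI_FMT}">
    <saml:AttributeValue xsi:type="xs:string">WAYF-DK-some_value</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
NAMEID_FORM = f"""<saml:AttributeStatement {XMLNS}>
  <saml:Attribute Name="{EPTI_OID}" NameFormat="{URI_FMT}">
    <saml:AttributeValue>
      <saml:NameID NameQualifier="https://idp.example.org/saml2/idp/metadata.php"
                   SPNameQualifier="https://sp.example.org/saml/sp/metadata.php/default-sp"
                   Format="{PERSISTENT}">WAYF-DK-some_value</saml:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def check_epti(statement_xml: str) -> list[str]:
    """Return the problems found; an empty list means every EPTI value is a usable NameID."""
    root = ET.fromstring(statement_xml.strip())
    problems = []
    for attr in root.iterfind("saml:Attribute", NS):
        if attr.get("Name") != EPTI_OID:
            continue
        for idx, value in enumerate(attr.findall("saml:AttributeValue", NS)):
            name_id = value.find("saml:NameID", NS)
            if name_id is None:
                # The case the SAML2 library rejects with "attribute value must be a
                # NameID, none found for value no. N": the value is plain text.
                problems.append(f"EPTI value no. {idx} is a bare string {value.text!r}, not a NameID")
                continue
            if name_id.get("Format") != PERSISTENT:
                problems.append(f"EPTI value no. {idx}: Format should be persistent, got {name_id.get('Format')!r}")
            for qualifier in ("NameQualifier", "SPNameQualifier"):
                if not name_id.get(qualifier):
                    problems.append(f"EPTI value no. {idx}: NameID lacks {qualifier}")
    return problems
```

Running `check_epti(STRING_FORM)` reports the bare-string value no. 0, while `check_epti(NAMEID_FORM)` returns an empty list.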