
cat-users - Re: [[cat-users]] <<workaround>> WAYF login broken?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Ole Frendved Hansen <ole.frendved.hansen AT deic.dk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: Thomas Andersen <than AT itu.dk>, Dubravko Voncina <dubravko.voncina AT srce.hr>
  • Subject: Re: [[cat-users]] <<workaround>> WAYF login broken?
  • Date: Mon, 7 May 2018 12:49:28 +0000
  • Accept-language: da-DK, en-US

Workaround for WAYF-access to CAT admin

The problem applies to users going through WAYF when accessing the admin part of CAT.


Due to a software mismatch it is not possible to log in to the admin module of cat.eduroam.org (applies to users going through WAYF).

WAYF has provided a workaround based on the new wayf-platform. 
The workaround requires a change to the configuration of the user's computer (the hosts file to be edited).
Guide:
   https://wayf.dk/en/testing-wayfs-new-hub-platform-your-web-service
Use your ordinary account - not an Orphanage account.

A permanent solution will come with the deployment of the new WAYF platform. This should happen in the near future.


Best regards,

Ole
-- 
ole.frendved.hansen AT deic.dk 
DeiC, Danish e-Infrastructure Cooperation, www.deic.dk 




On 5 May 2018 at 19:36, Dubravko Voncina <dubravko.voncina AT srce.hr> wrote:

Hello Thomas,

Apparently, your authentication service (IdP) provides a string value of an attribute 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' (eduPersonTargetedID) which is an invalid, deprecated eduPersonTargetedID value format.
On Thursday we upgraded the version of SimpleSAMLphp which we use as a SAML IdP Proxy for eduroam Configuration Assistant Tool. Providing attribute 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' as a string was tolerated in SimpleSAMLphp versions prior to 1.15, but the latest stable version of SimpleSAMLphp requires eduPersonTargetedID to be provided as an XML construct.

For example, your IdP provides a SAML authentication response which contains the following attribute statement:


<saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">some_value</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Thomas Andersen</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">WAYF-DK-some_value</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>


but instead, your IdP should provide an attribute statement that roughly looks like:


<saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">some_value</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Thomas Andersen</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>
       <saml:NameID NameQualifier="https://birk.wayf.dk/birk.php/wayf.itu.dk/saml2/idp/metadata.php" SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">WAYF-DK-some_value</saml:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>


Unfortunately, there's not much we can do about it, as this problem has to be fixed at the IdP side.

Best Regards,

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
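
The difference between the two attribute statements above can be checked mechanically before an SP or proxy moves to SimpleSAMLphp 1.15. The following is an added example, not part of the original thread and not SimpleSAMLphp code: the function names, sample documents and qualifier URLs are constructed, and the persistent-Format warning follows the eduPerson definition of eduPersonTargetedID rather than the error quoted in this thread.

```python
import xml.etree.ElementTree as ET  # for untrusted SAML, use a hardened parser (e.g. defusedxml)

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTI_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_epti(statement_xml):
    """Return one (index, verdict, detail) tuple per EPTI AttributeValue."""
    root = ET.fromstring(statement_xml)
    findings = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") != EPTI_OID:
            continue  # only eduPersonTargetedID is subject to the NameID rule
        for i, value in enumerate(attr.findall(f"{{{SAML}}}AttributeValue")):
            name_id = value.find(f"{{{SAML}}}NameID")
            if name_id is None:
                # The deprecated form: this is what raises the EPTI exception.
                findings.append((i, "invalid", "plain string, no NameID child"))
            elif name_id.get("Format") != PERSISTENT:
                # Assumption beyond the thread: eduPerson expects a persistent NameID.
                findings.append((i, "warning", "NameID Format is not persistent"))
            elif not (name_id.text or "").strip():
                findings.append((i, "invalid", "empty NameID"))
            else:
                findings.append((i, "ok", name_id.text.strip()))
    return findings

def _statement(value_body, value_attrs=""):
    """Build a constructed AttributeStatement holding one EPTI value."""
    return (
        f'<saml:AttributeStatement xmlns:saml="{SAML}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        f'<saml:Attribute Name="{EPTI_OID}">'
        f'<saml:AttributeValue{value_attrs}>{value_body}</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement>'
    )

# Constructed samples; the qualifier URLs are placeholders, not real entity IDs.
OLD_STYLE = _statement("WAYF-DK-some_value", ' xsi:type="xs:string"')
NEW_STYLE = _statement(
    '<saml:NameID NameQualifier="https://idp.example.org/metadata" '
    'SPNameQualifier="https://sp.example.org/metadata" '
    f'Format="{PERSISTENT}">WAYF-DK-some_value</saml:NameID>'
)

if __name__ == "__main__":
    for label, doc in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        print(label, check_epti(doc))
```
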




On 04 May 2018, at 20:10, Thomas Andersen <than AT itu.dk> wrote:

Hi,
 
I’ve been trying to log in to cat.eduroam.org with WAYF, as always – but it fails.
 
Trace id: debe94c599
 
 
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SAML2\Exception\RuntimeException: A "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" (EPTI) attribute value must be a NameID, none found for value no. "0"
Backtrace:
7 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:558 (SAML2\Assertion::parseAttributeValue)
6 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:540 (SAML2\Assertion::parseAttributes)
5 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:298 (SAML2\Assertion::__construct)
4 vendor/simplesamlphp/saml2/src/SAML2/Response.php:38 (SAML2\Response::__construct)
3 vendor/simplesamlphp/saml2/src/SAML2/Message.php:578 (SAML2\Message::fromXML)
2 vendor/simplesamlphp/saml2/src/SAML2/HTTPPost.php:76 (SAML2\HTTPPost::receive)
1 modules/saml/www/sp/saml2-acs.php:31 (require)
0 www/module.php:135 (N/A)
 
 
 
 
-- 
Med venlig hilsen / With best regards
Thomas Andersen
 
Network Architect
 
IT University of Copenhagen
Rued Langgaards Vej 7
2300 København S
 
Phone: +45 72185249
 
____________________________________________________________________________
 
**NEVER DISCLOSE YOUR PASSWORD OR SHOE SIZE - NOT EVEN TO YOUR DENTIST**
 




