
cat-users - Re: [[cat-users]] WAYF login broken?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] WAYF login broken?


  • From: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • To: Ole Frendved Hansen <ole.frendved.hansen AT deic.dk>
  • Cc: Thomas Andersen <than AT itu.dk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] WAYF login broken?
  • Date: Mon, 7 May 2018 17:02:48 +0200

Hello again Ole,

This problem is 'specific' to all Identity Providers which do not provide eduPersonTargetedID attribute value as an XML construct, but instead still provide eduPersonTargetedID as a string.

According to eduPerson Object Class Specification document, eduPersonTargetedID value must be an XML construct:

http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201310.html#eduPersonTargetedID

For a long time various SAML toolkits allowed eduPersonTargetedID to be a simple string, which apparently was wrong. As far as SimpleSAMLphp is concerned, this issue was fixed in version 1.14, about two years ago.

When we upgraded eduroam CAT SP proxy to SimpleSAMLphp 1.14, we created a patch that allowed SP proxy to recognize both string and XML values of an eduPersonTargetedID.
For security reasons, last week we had to upgrade our SP proxy to SimpleSAMLphp 1.15.4, which only recognizes eduPersonTargetedID values provided as an XML construct, so all Identity Providers must now provide eduPersonTargetedID as an XML construct (which shouldn't be a problem since this issue was addressed and fixed two years ago).

Alternatively, you can configure your Identity Provider(s) to provide a persistent NameID for authenticated users. In that case, the persistent NameID will be used as a unique user identifier instead of the eduPersonTargetedID attribute, but those users will probably have to register again as CAT admins.

Best Regards,

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
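
An IdP operator reading the above will want a quick way to see which of the two forms their IdP actually emits before the SP proxy rejects it. The following is an added example, not code from the CAT project or from SimpleSAMLphp: it parses a SAML 2.0 assertion, classifies every eduPersonTargetedID value (attribute name urn:oid:1.3.6.1.4.1.5923.1.1.1.10, as in the trace below) as the required NameID construct or a bare string, reports the Subject NameID format for the persistent-NameID alternative, and decides whether the assertion would carry a usable identifier. The sample assertions and the example.org entity IDs are constructed for the demonstration.

```python
"""Classify eduPersonTargetedID values in a SAML 2.0 assertion.

Added example (not CAT or SimpleSAMLphp code). It checks the two things the
message above talks about: whether each eduPersonTargetedID AttributeValue
wraps a <saml:NameID> (required by the eduPerson spec) or is a bare string
(rejected by SimpleSAMLphp 1.15.x at parse time), and whether the Subject
NameID is persistent (the suggested alternative identifier).
"""
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
EPTI_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID (EPTI)
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def check_epti(assertion_xml):
    """Return one finding per EPTI AttributeValue: kind 'nameid' or 'string'."""
    root = ET.fromstring(assertion_xml)
    findings = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != EPTI_OID:
            continue
        for index, value in enumerate(attr.findall("saml:AttributeValue", NS)):
            nameid = value.find("saml:NameID", NS)
            if nameid is None:
                # Bare string: this is exactly what triggers the
                # "attribute value must be a NameID" exception in the trace.
                findings.append({"index": index, "kind": "string", "ok": False,
                                 "detail": (value.text or "").strip()})
            else:
                fmt = nameid.get("Format")
                findings.append({"index": index, "kind": "nameid",
                                 "ok": fmt == PERSISTENT, "detail": fmt})
    return findings


def subject_nameid_format(assertion_xml):
    """Format URI of the Subject NameID, or None if the assertion has none."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    return nameid.get("Format") if nameid is not None else None


def assertion_acceptable(assertion_xml):
    """Would an SP that only accepts NameID-form EPTI get a stable identifier?

    Any string-form EPTI value makes the whole assertion unparseable for such
    an SP, so that is an immediate failure. Otherwise either a persistent
    NameID-form EPTI or a persistent Subject NameID is enough.
    """
    findings = check_epti(assertion_xml)
    if any(f["kind"] == "string" for f in findings):
        return False
    if findings and all(f["ok"] for f in findings):
        return True
    return subject_nameid_format(assertion_xml) == PERSISTENT


def _assertion(subject_format, attribute_statement):
    # Constructed sample assertion skeleton with placeholder entity IDs.
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_c1" Version="2.0" '
        'IssueInstant="2018-05-04T18:10:00Z">'
        "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        '<saml:Subject><saml:NameID Format="%s">_subj1</saml:NameID></saml:Subject>'
        "%s</saml:Assertion>" % (SAML_NS, subject_format, attribute_statement)
    )


# Constructed: EPTI sent as a plain string (the pre-1.14 toolkit habit).
BAD_ASSERTION = _assertion(TRANSIENT, (
    '<saml:AttributeStatement><saml:Attribute Name="%s">'
    "<saml:AttributeValue>https://idp.example.org/idp!https://sp.example.org/sp!c0ffee"
    "</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>" % EPTI_OID))

# Constructed: EPTI as the spec-mandated NameID construct.
GOOD_ASSERTION = _assertion(TRANSIENT, (
    '<saml:AttributeStatement><saml:Attribute Name="%s"><saml:AttributeValue>'
    '<saml:NameID Format="%s" NameQualifier="https://idp.example.org/idp" '
    'SPNameQualifier="https://sp.example.org/sp">c0ffee</saml:NameID>'
    "</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>"
    % (EPTI_OID, PERSISTENT)))

# Constructed: no EPTI at all, persistent Subject NameID instead.
PERSISTENT_SUBJECT_ASSERTION = _assertion(PERSISTENT, "")


if __name__ == "__main__":
    for label, xml in (("bad", BAD_ASSERTION), ("good", GOOD_ASSERTION),
                       ("persistent-subject", PERSISTENT_SUBJECT_ASSERTION)):
        print(label, check_epti(xml), subject_nameid_format(xml),
              "acceptable" if assertion_acceptable(xml) else "REJECTED")
```

Feed it the decoded SAMLResponse from a browser SAML trace of your own IdP; a `string` finding means the IdP still emits the legacy form and will hit the parse error shown in the trace further down, regardless of what the Subject NameID looks like.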




On 04 May 2018, at 22:38, Ole Frendved Hansen <ole.frendved.hansen AT deic.dk> wrote:

Hi,

I am getting the error too, trying to login with my dtu.dk-account.
Is this error specifically DK/WAYF-related or general to eduGAIN?
 
I will alert the guys at WAYF.

Best, Ole
-- 
ole.frendved.hansen AT deic.dk 
DeiC, Danish e-Infrastructure Cooperation, www.deic.dk 




On 4 May 2018 at 20:10, Thomas Andersen <than AT itu.dk> wrote:

Hi,
 
I’ve been trying to login to cat.eduroam.org with WAYF, as always – but it fails.
 
Trace id: debe94c599
 
 
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SAML2\Exception\RuntimeException: A "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" (EPTI) attribute value must be a NameID, none found for value no. "0"
Backtrace:
7 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:558 (SAML2\Assertion::parseAttributeValue)
6 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:540 (SAML2\Assertion::parseAttributes)
5 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:298 (SAML2\Assertion::__construct)
4 vendor/simplesamlphp/saml2/src/SAML2/Response.php:38 (SAML2\Response::__construct)
3 vendor/simplesamlphp/saml2/src/SAML2/Message.php:578 (SAML2\Message::fromXML)
2 vendor/simplesamlphp/saml2/src/SAML2/HTTPPost.php:76 (SAML2\HTTPPost::receive)
1 modules/saml/www/sp/saml2-acs.php:31 (require)
0 www/module.php:135 (N/A)
 
 
 
 
-- 
With best regards
Thomas Andersen
 
Network Architect
 
IT University of Copenhagen
Rued Langgaards Vej 7
2300 København S
 
Phone: +45 72185249
 
____________________________________________________________________________
 
**NEVER DISCLOSE YOUR PASSWORD OR SHOE SIZE - NOT EVEN TO YOUR DENTIST**
 




