cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Eli Beker <eli.beker AT iucc.ac.il>
- To: eduroam CAT Feedback <cat-users AT lists.geant.org>
- Cc: "development AT lists.eduroam.org" <development AT lists.eduroam.org>
- Subject: RE: [[cat-users]] [eduroam] eduroam Managed IdP pilot - codebase update
- Date: Tue, 8 May 2018 09:39:05 +0000
- Accept-language: en-US
Thanks, Stefan, for the prompt reply. Will take it up with the eduGAIN admin here. Tnx, -eli
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Hello Eli,

> I'm getting this error on
> https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp
[...]
> urn:oid:1.3.6.1.4.1.5923.1.1.1.10
>
>
>
> 1408xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx23

This is already being discussed on cat-users AT lists.geant.org:

Quoting Dubravko Voncina, SRCE:

"This problem is 'specific' to all Identity Providers which do not provide the eduPersonTargetedID attribute value as an XML construct, but instead still provide eduPersonTargetedID as a string. According to the eduPerson Object Class Specification document, the eduPersonTargetedID value must be an XML construct:

http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201310.html#eduPersonTargetedID

For a long time various SAML toolkits allowed eduPersonTargetedID to be a simple string, which apparently was wrong. As far as SimpleSAMLphp is concerned, this issue was fixed in version 1.14, about two years ago. When we upgraded the eduroam CAT SP proxy to SimpleSAMLphp 1.14, we created a patch that allowed the SP proxy to recognize both string and XML values of an eduPersonTargetedID.

For security reasons, last week we had to upgrade our SP proxy to SimpleSAMLphp 1.15.4, which only recognizes eduPersonTargetedID values provided as an XML construct, so all Identity Providers must provide eduPersonTargetedID as an XML construct now (which shouldn't be a problem, since this issue was addressed and fixed two years ago).

Alternatively, you can configure your Identity Provider(s) to provide a persistent NameID for authenticated users. In that case, the persistent NameID will be used as a unique user identifier instead of the eduPersonTargetedID attribute, but those users will probably have to register again as CAT admins."

Greetings,

Stefan

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
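An added example, not from this thread and not SimpleSAMLphp code: a small standard-library Python check that classifies an eduPersonTargetedID value as the XML NameID construct the eduPerson spec requires or as the legacy plain string, and reports whether it has the shape an SP such as the CAT proxy now expects. The entityIDs and the identifier value in the two sample attribute statements are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NS = {"saml": SAML_NS}

def classify_eptid(statement_xml):
    """Return (form, value) for eduPersonTargetedID in a SAML attribute statement.

    form is "xml" when the AttributeValue wraps a saml:NameID element (the form
    the eduPerson spec requires), "string" for the legacy plain-text form, or
    None when the attribute is absent.
    """
    root = ET.fromstring(statement_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != EPTID_OID:
            continue
        value = attr.find("saml:AttributeValue", NS)
        if value is None:
            break
        nameid = value.find("saml:NameID", NS)
        if nameid is None:
            return ("string", (value.text or "").strip())
        return ("xml", {"value": (nameid.text or "").strip(),
                        "format": nameid.get("Format"),
                        "name_qualifier": nameid.get("NameQualifier"),
                        "sp_name_qualifier": nameid.get("SPNameQualifier")})
    return (None, None)

def is_spec_compliant(form, value):
    """True only for the XML construct with persistent format and both qualifiers set."""
    return (form == "xml" and value["format"] == PERSISTENT
            and bool(value["name_qualifier"]) and bool(value["sp_name_qualifier"]))

# Constructed sample statements (not real assertions); entityIDs are placeholders.
XML_FORM = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{EPTID_OID}"><saml:AttributeValue>
    <saml:NameID Format="{PERSISTENT}" NameQualifier="https://idp.example.org/idp"
                 SPNameQualifier="https://sp.example.org/sp">abc123</saml:NameID>
  </saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
STRING_FORM = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{EPTID_OID}">
    <saml:AttributeValue>https://idp.example.org/idp!https://sp.example.org/sp!abc123</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
```

Run `classify_eptid` over a captured AttributeStatement from your IdP: a "string" result explains the error at the SP proxy, and an "xml" result that still fails `is_spec_compliant` points at a missing Format or qualifier.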