cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Dubravko Voncina <dubravko.voncina AT srce.hr>
- To: Gerencia de Tecnologías de la Información <c.ramirez AT renata.edu.co>
- Cc: eduroam CAT Feedback <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Problem cat Administrator Colombia
- Date: Fri, 1 Jun 2018 11:57:21 +0200
Hello,
Your federation is the only one having this type of problem. Therefore, it's quite difficult for us to find out what might be causing it.
According to the log excerpt you provided, the authentication request sent by the CAT authentication proxy didn't meet some security requirements, but it's not clear which security requirements are not met.
I'm just guessing, but this part of log:
08:13:55.903 - DEBUG [org.opensaml.util.storage.ReplayCache:115] - Replay of message ID _12ccaa1225e25db984752e6f967cd96b3bbebcbae5 detected in replay cache, will expire at 2018-05-31T13:18:28.653Z
suggests that there might be more than a one-minute discrepancy between your IdP and our SP system clocks, which can cause the SAML request to be invalid.
Do you use any sort of NTP server to synchronize your IdP system clock?
Can you increase your Shibboleth IdP log level so that we can have some more information about why your IdP proclaims SAML requests invalid?
Best regards,
Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
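Added example (not part of the original message, and not Shibboleth or OpenSAML code): a small triage script that reads the replay lines quoted in this thread and works out how much lifetime the cached message ID had left when the request was rejected, which helps separate a re-delivered request from a timing problem. Assumptions: the IdP logs local time at UTC-5, the replay cache lifetime is 300 seconds, and the cache sets the expiry when an ID is first stored; `triage_replays` and its parameters are hypothetical names.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two replay lines from the excerpt quoted in this thread.
SAMPLE_LOG = (
    "08:13:55.903 - DEBUG [org.opensaml.util.storage.ReplayCache:115] - Replay of message ID "
    "_12ccaa1225e25db984752e6f967cd96b3bbebcbae5 detected in replay cache, "
    "will expire at 2018-05-31T13:18:28.653Z\n"
    "08:13:55.904 - WARN [org.opensaml.common.binding.security.MessageReplayRule:99] - "
    "Replay detected of message '_12ccaa1225e25db984752e6f967cd96b3bbebcbae5' from issuer "
    "https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp\n"
)

CACHE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) .*ReplayCache:\d+\] - Replay of message ID "
                      r"(\S+) detected in replay cache, will expire at (\S+)$")
RULE_RE = re.compile(r"MessageReplayRule:\d+\] - Replay detected of message '([^']+)' "
                     r"from issuer (\S+)$")


def triage_replays(log_text, log_date, utc_offset_hours, cache_lifetime_s):
    """One finding per replay-cache hit; date, UTC offset and lifetime are operator-supplied."""
    lines = log_text.splitlines()
    issuers = {m.group(1): m.group(2) for ln in lines if (m := RULE_RE.search(ln))}
    tz = timezone(timedelta(hours=utc_offset_hours))
    findings = []
    for ln in lines:
        m = CACHE_RE.match(ln)
        if not m:
            continue
        clock, msg_id, expiry = m.groups()
        rejected = datetime.strptime(f"{log_date} {clock}", "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=tz)
        expires = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        remaining = (expires - rejected).total_seconds()
        findings.append({
            "message_id": msg_id,
            "issuer": issuers.get(msg_id, "unknown"),
            "remaining_s": remaining,
            # Assumes the expiry is set when an ID is first cached, so this estimates
            # how long before the rejection the first copy of the request arrived.
            "first_seen_ago_s": cache_lifetime_s - remaining,
            # Outside 0..lifetime means the supplied offset/lifetime or a clock is off.
            "plausible": 0 <= remaining <= cache_lifetime_s,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_replays(SAMPLE_LOG, "2018-05-31", -5, 300):
        print(finding)
```

A `plausible` value of False is the cue to re-check the supplied UTC offset and cache lifetime before drawing conclusions about either system clock.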
On 31 May 2018, at 15:17, Gerencia de Tecnologías de la Información <c.ramirez AT renata.edu.co> wrote:
Dear Stefan
Just now we have the same problem:
08:13:55.901 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:130] - Evaluating security policy of type 'edu.internet2.middleware.shibboleth.common.security.ShibbolethSecurityPolicy' for decoded message
08:13:55.902 - DEBUG [org.opensaml.util.storage.ReplayCache:92] - Attempting to acquire lock for replay cache check
08:13:55.902 - DEBUG [org.opensaml.util.storage.ReplayCache:94] - Lock acquired
08:13:55.903 - DEBUG [org.opensaml.util.storage.ReplayCache:115] - Replay of message ID _12ccaa1225e25db984752e6f967cd96b3bbebcbae5 detected in replay cache, will expire at 2018-05-31T13:18:28.653Z
08:13:55.904 - WARN [org.opensaml.common.binding.security.MessageReplayRule:99] - Replay detected of message '_12ccaa1225e25db984752e6f967cd96b3bbebcbae5' from issuer https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp
08:13:55.905 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Rejecting replayed message ID '_12ccaa1225e25db984752e6f967cd96b3bbebcbae5' from issuer https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp
    at org.opensaml.common.binding.security.MessageReplayRule.evaluate(MessageReplayRule.java:100) ~[opensaml-2.6.0.jar:na]
    at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51) ~[openws-1.5.0.jar:na]
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132) ~[openws-1.5.0.jar:na]
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83) ~[openws-1.5.0.jar:na]
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.6.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:386) [shibboleth-identityprovider-2.4.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:211) [shibboleth-identityprovider-2.4.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:189) [shibboleth-identityprovider-2.4.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90) [shibboleth-identityprovider-2.4.0.jar:na]
    at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.4.0.jar:na]
Can you help us ???
Best regards
Carlos Ramírez Guzmán
Gerente de Tecnologías de la información | Chief Information Officer
Email: c.ramirez AT renata.edu.co Mobile: (+57) 3155890044
Phone: (57+1) 5185353, ext. 1003
Carrera 18 # 79 – 47
Bogotá D.C. – Colombia
2018-05-28 1:31 GMT-05:00 Stefan Winter <stefan.winter AT restena.lu>:
Hello,
I believe what Dubravko meant is that you can simply continue to use CAT
now, with no changes needed. I.e. you just login with whatever account
you used before.
In any case, we do not store user names in the classic sense. We only
have information on which authentication source you used to sign up, and
an opaque identifier that allows us to recognise you when you come back.
Notably, the authentication is NOT strictly tied to the email address we
sent the invitation to. You may have received it on a certain email
address, but may then have chosen to use any authentication service you
want, with any local username at that authentication service.
Greetings,
Stefan Winter
On 23.05.2018 at 17:07, Gerencia de Tecnologías de la Información wrote:
> Dear Dubravko
>
> Many thanks for your help, can you remember me who is the administrative
> user for RENATA cat???
>
> Can we change the user for soporte AT renata.edu.co ???
>
> Thanks a lot
>
> Carlos Ramírez Guzmán
> Gerente de Tecnologías de la información | Chief Information Officer
> Email: c.ramirez AT renata.edu.co Mobile: (+57) 3155890044
> Phone: (57+1) 5185353, ext. 1003
> Carrera 18 # 79 – 47
> Bogotá D.C. – Colombia
>
> 2018-05-23 9:26 GMT-05:00 Dubravko Voncina <dubravko.voncina AT srce.hr>:
>
> Hello Carlos,
>
> Please try to authenticate again. I believe I've solved the problem.
>
> Best regards,
>
> Dubravko Voncina
> Middleware and Data Services Department
> University of Zagreb, University Computing Centre, www.srce.unizg.hr
> dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
>
>> On 21 May 2018, at 15:40, Gerencia de Tecnologías de la Información <c.ramirez AT renata.edu.co> wrote:
>>
>> Dear all,
>>
>>
>> Just now we have a problem with authentication to the cat, the
>> message is:
>>
>> 08:18:42.246 - WARN
>> [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406]
>> - Message did not meet security requirements
>> org.opensaml.ws.security.SecurityPolicyException: Validation of
>> protocol message signature failed
>>
>>
>> Best regards
>>
>> Carlos Ramírez Guzmán
>> Gerente de Tecnologías de la información | Chief Information Officer
>> Email: c.ramirez AT renata.edu.co Mobile: (+57) 3155890044
>> Phone: (57+1) 5185353, ext. 1003
>> Carrera 18 # 79 – 47
>> Bogotá D.C. – Colombia
>>
>> 2018-04-20 8:58 GMT-05:00 Tomasz Wolniewicz <twoln AT umk.pl>:
>>
>> Hi,
>> this error was most likely due to the Colombian federation
>> dropping out of eduGAIN metadata. This did happen several times
>> due to the federation not renewing its metadata file in time.
>>
>> Since CAT consumes information about identity providers via
>> eduGAIN, if a country federation drops out of eduGAIN, CAT
>> loses information and cannot work with your identity
>> provider. Everything gets restored when the federation renews
>> its file (it is OK now).
>>
>> Yours
>> Tomasz
>>
>>
>> On 11.04.2018 at 23:47, Gerencia de Tecnologías de la
>> Información wrote:
>>> Dear all
>>>
>>> we have problems with the user administrator from cat
>>> administrator Colombia, the reported user is
>>> tecnico AT renata.edu.co.
>>>
>>> the error reported is:
>>>
>>> <Captura de pantalla 2018-04-11 a la(s) 4.47.06 p. m..png>
>>>
>>>
>>> best regards
>>>
>>> Carlos Ramírez Guzmán
>>> Gerente de Tecnologías de la información | Chief Information Officer
>>> Email: c.ramirez AT renata.edu.co Mobile: (+57) 3155890044
>>> Phone: (57+1) 5185353, ext. 1003
>>> Carrera 18 # 79 – 47
>>> Bogotá D.C. – Colombia
>>>
>>> To unsubscribe, send this message:
>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>> <mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users>
>>> Or use the following link:
>>> https://lists.geant.org/sympa/sigrequest/cat-users
>>> <https://lists.geant.org/sympa/sigrequest/cat-users>
>>
>> --
>> Tomasz Wolniewicz
>> twoln AT umk.pl http://www.home.umk.pl/~twoln
>>
>> Uczelniane Centrum Informatyczne Information&Communication Technology Centre
>> Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
>> pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
>> tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
>>
>>
--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66