
cat-users - [[cat-users]] Access to admin pages: persistent-id is not enough

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Francesco Malvezzi <francesco.malvezzi AT unimore.it>
  • To: cat-users AT lists.geant.org
  • Subject: [[cat-users]] Access to admin pages: persistent-id is not enough
  • Date: Thu, 8 Nov 2018 10:58:02 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=unimore.it
  • Openpgp: preference=signencrypt

Hi all,

I have a problem accessing the admin portal of cat.eduroam.org.

The other day I stripped eduPersonTargetedID from our local Shibboleth IdP
because I thought it had been replaced by the SAML2 persistent-id, so now
ePTID is not released.

This is the error I receive:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: sspmod_saml_Error: Responder: SimpleSAML_Error_Exception:
This service needs at least one of the following attributes to identity users:
eduPersonTargetedID, pairwise-id, subject-id, facebook_targetedID, google_eppn,
linkedin_targetedID, twitter_targetedID. Unfortunately not one of them was
detected. Please ask your institution administrator to release one of them, or
try using another identity provider.
Backtrace:
3 modules/saml/lib/Message.php:420 (sspmod_saml_Message::getResponseError)
2 modules/saml/lib/Message.php:554 (sspmod_saml_Message::processResponse)
1 modules/saml/www/sp/saml2-acs.php:129 (require)
0 www/module.php:135 (N/A)

This is my SAML2 assertion:

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_8c65259efb298655a71e47a39daecc8b"
    IssueInstant="2018-11-08T09:44:20.184Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://idp.unimore.it/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.unimore.it/idp/shibboleth"
        SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">j8y/HpQRUQOXjLNuvEbX7a3Ldw8=</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xsd:string">staff@unimore.it</saml2:AttributeValue>
      <saml2:AttributeValue
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xsd:string">member@unimore.it</saml2:AttributeValue>
      <saml2:AttributeValue
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xsd:string">employee@unimore.it</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="displayName"
        Name="urn:oid:2.16.840.1.113730.3.1.241"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xsd:string">Francesco MALVEZZI</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="schacHomeOrganization"
        Name="urn:oid:1.3.6.1.4.1.25178.1.2.9"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xsd:string">unimore.it</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="eduPersonPrincipalName"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>malvezzi@unimore.it</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="mail"
        Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>francesco.malvezzi@unimore.it</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="ou" Name="urn:oid:2.5.4.11"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xsd:string">Dipendenti</saml2:AttributeValue>
      <saml2:AttributeValue
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xsd:string">people</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>

I'm going to re-enable ePTID, so nothing here is urgent, but is it
expected that a plain persistent-id can't do its job?

thank you,

Francesco Malvezzi
--
Identity Management Service
Università di Modena e Reggio Emilia
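The error above is an attribute-presence check: the SP looks in the AttributeStatement for one of the listed identifier attributes and never consults the Subject NameID, so a persistent NameID that carries exactly the right kind of value still fails it. The script below replays that check against the posted assertion. It is an added example, not CAT's or SimpleSAMLphp's own code; the attribute URIs for eduPersonTargetedID, pairwise-id and subject-id are the standard eduPerson OID and SAML Subject Identifier Attributes Profile names, the sample assertion is trimmed from the one in the message, and the second document (the same persistent value re-released as an ePTID attribute) is constructed for the demonstration.

```python
"""Replay the 'needs at least one of the following attributes' check.

Added example, not CAT's or SimpleSAMLphp's code: parses a SAML2 assertion,
reports what the Subject NameID carries and which identifying *attributes*
are present, and shows why a persistent NameID alone does not pass a check
that only inspects the AttributeStatement.
"""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Attribute Names (URI NameFormat) for the three federation identifiers in the
# error: the eduPerson OID for ePTID, and the SAML V2.0 Subject Identifier
# Attributes Profile names for pairwise-id and subject-id. The social-login
# identifiers from the error are not SAML attributes and are left out.
REQUIRED_IDENTIFIERS = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oasis:names:tc:SAML:attribute:pairwise-id": "pairwise-id",
    "urn:oasis:names:tc:SAML:attribute:subject-id": "subject-id",
}


def subject_nameid(root):
    """Return (Format, value) of the Subject NameID, or None if absent."""
    nameid = root.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        return None
    return nameid.get("Format"), (nameid.text or "").strip()


def attribute_values(root):
    """Map each Attribute Name to its non-empty string values.

    eduPersonTargetedID is special: its AttributeValue wraps a NameID element
    instead of plain text, so the identifier is the nested NameID's text.
    """
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = []
        for av in attr.findall("saml2:AttributeValue", NS):
            nested = av.find("saml2:NameID", NS)
            text = ((nested.text if nested is not None else av.text) or "").strip()
            if text:
                values.append(text)
        attrs[attr.get("Name")] = values
    return attrs


def check_assertion(xml_text):
    """SP-side check: at least one identifying attribute must be present.

    Assumes the assertion was already signature-verified upstream; this is only
    the attribute step. Parse untrusted XML with defusedxml in production.
    """
    root = ET.fromstring(xml_text)
    attrs = attribute_values(root)
    found = {name: attrs[uri] for uri, name in REQUIRED_IDENTIFIERS.items() if attrs.get(uri)}
    nameid = subject_nameid(root)
    return {
        "nameid_format": nameid[0] if nameid else None,
        "nameid_is_persistent": bool(nameid and nameid[0] == PERSISTENT),
        "identifiers": found,  # friendly name -> values actually released
        "accepted": bool(found),
    }


# Constructed sample, trimmed from the assertion in the post: a persistent
# NameID in the Subject, but no identifier attribute in the AttributeStatement.
POSTED = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8c65259efb298655a71e47a39daecc8b" IssueInstant="2018-11-08T09:44:20.184Z" Version="2.0">
  <saml2:Issuer>https://idp.unimore.it/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.unimore.it/idp/shibboleth"
        SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">j8y/HpQRUQOXjLNuvEbX7a3Ldw8=</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>malvezzi@unimore.it</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed variant: the IdP also releases the same persistent value as an
# eduPersonTargetedID attribute (a NameID wrapped inside an AttributeValue).
EPTID_ATTRIBUTE = """<saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://idp.unimore.it/idp/shibboleth"
            SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">j8y/HpQRUQOXjLNuvEbX7a3Ldw8=</saml2:NameID>
      </saml2:AttributeValue>
    </saml2:Attribute>
  """
WITH_EPTID = POSTED.replace("</saml2:AttributeStatement>", EPTID_ATTRIBUTE + "</saml2:AttributeStatement>")

if __name__ == "__main__":
    for label, doc in (("as posted", POSTED), ("with ePTID attribute", WITH_EPTID)):
        print(label, check_assertion(doc))
```

Running it shows the first document rejected with nameid_is_persistent set and an empty identifiers map, and the second accepted with the very same opaque value now visible under eduPersonTargetedID. The check is deliberately limited to the attribute step: in a real SP the signature, Issuer, Audience and Conditions are validated before any attribute is trusted, and a parser hardened against entity expansion (defusedxml) should replace plain ElementTree for XML from the network.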



