
cat-users - Re: [[cat-users]] Access to admin pages: persistent-id is not enough

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Access to admin pages: persistent-id is not enough
  • Date: Thu, 8 Nov 2018 11:40:12 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

I have forwarded this to the administrators of the eduroam SP proxy.

Stefan

On 08.11.18 at 10:58, Francesco Malvezzi wrote:
> hi all,
>
> I have a problem accessing the admin portal of cat.eduroam.org.
>
> The other day, I have stripped away from local Shibboleth IdP
> eduPersonTargetedID because I thought it was replaced by saml2
> persistent-id, so now ePTID is not released.
>
> This is the error I receive:
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 1 www/_include.php:45 (SimpleSAML_exception_handler)
> 0 [builtin] (N/A)
> Caused by: sspmod_saml_Error: Responder: SimpleSAML_Error_Exception:
> This service needs at least one of the following
> attributes to identity users: eduPersonTargetedID,
> pairwise-id,
> subject-id, facebook_targetedID, google_eppn, linkedin_targetedID,
> twitter_targetedID. Unfortunately not
> one of them was detected. Please ask your institution
> administrator to
> release one of
> them, or try using another identity provider.
> Backtrace:
> 3 modules/saml/lib/Message.php:420 (sspmod_saml_Message::getResponseError)
> 2 modules/saml/lib/Message.php:554 (sspmod_saml_Message::processResponse)
> 1 modules/saml/www/sp/saml2-acs.php:129 (require)
> 0 www/module.php:135 (N/A)
>
> This is my SAML2 assertion:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2:Assertion ID="_8c65259efb298655a71e47a39daecc8b"
> IssueInstant="2018-11-08T09:44:20.184Z" Version="2.0"
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
> <saml2:Issuer>https://idp.unimore.it/idp/shibboleth</saml2:Issuer>
> <saml2:Subject>
> <saml2:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
> NameQualifier="https://idp.unimore.it/idp/shibboleth"
> SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">j8y/HpQRUQOXjLNuvEbX7a3Ldw8=</saml2:NameID>
> </saml2:Subject>
> <saml2:AttributeStatement>
> <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">staff AT unimore.it</saml2:AttributeValue>
> <saml2:AttributeValue
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">member AT unimore.it</saml2:AttributeValue>
> <saml2:AttributeValue
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">employee AT unimore.it</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="displayName"
> Name="urn:oid:2.16.840.1.113730.3.1.241"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">Francesco MALVEZZI</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="schacHomeOrganization"
> Name="urn:oid:1.3.6.1.4.1.25178.1.2.9"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">unimore.it</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="eduPersonPrincipalName"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue>malvezzi AT unimore.it</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="mail"
> Name="urn:oid:0.9.2342.19200300.100.1.3"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>
> <saml2:AttributeValue>francesco.malvezzi AT unimore.it</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="ou" Name="urn:oid:2.5.4.11"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">Dipendenti</saml2:AttributeValue>
> <saml2:AttributeValue
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">people</saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
> </saml2:Assertion>
>
> I'm going to re-enable ePTID so nothing here is urgent, but is it
> expected a plain persistent-id can't do its job?
>
> thank you,
>
> Francesco Malvezzi
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
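
A diagnostic for the situation in this thread, as an added example that is not part of the original messages and not the eduroam SP proxy's code: it checks a captured assertion for the identifier attributes named in the error message and flags the case where only a persistent NameID in the Subject is present. Matching on `Name` or `FriendlyName` is an assumption about the proxy, and the sample assertions are constructed with placeholder values.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Attributes named in the SP's error message, with their standard wire names.
# Assumption: the proxy matches on Name or FriendlyName.
ACCEPTED = {
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "pairwise-id": "urn:oasis:names:tc:SAML:attribute:pairwise-id",
    "subject-id": "urn:oasis:names:tc:SAML:attribute:subject-id",
}

def audit_identifiers(assertion_xml):
    """Diagnostic only: parses an assertion you captured, verifies no signature."""
    root = ET.fromstring(assertion_xml)
    released = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        for label, wire in ACCEPTED.items():
            if attr.get("Name") in (wire, label) or attr.get("FriendlyName") == label:
                # ePTID usually wraps a <NameID> element, so accept text or child nodes.
                values = attr.findall("saml2:AttributeValue", NS)
                if any((v.text or "").strip() or len(v) for v in values):
                    released.append(label)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    return {
        "released": released,
        "persistent_nameid_only": (not released and name_id is not None
                                   and name_id.get("Format") == PERSISTENT),
    }

# Constructed samples (placeholder values), condensed from the thread's case.
HEAD = ('<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml2:Subject><saml2:NameID Format="' + PERSISTENT + '">opaque-value'
        '</saml2:NameID></saml2:Subject><saml2:AttributeStatement>'
        '<saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241">'
        '<saml2:AttributeValue>Test User</saml2:AttributeValue></saml2:Attribute>')
TAIL = '</saml2:AttributeStatement></saml2:Assertion>'
EPTID = ('<saml2:Attribute FriendlyName="eduPersonTargetedID" '
         'Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"><saml2:AttributeValue>'
         '<saml2:NameID Format="' + PERSISTENT + '">opaque-value</saml2:NameID>'
         '</saml2:AttributeValue></saml2:Attribute>')

if __name__ == "__main__":
    print(audit_identifiers(HEAD + TAIL))          # the thread's situation
    print(audit_identifiers(HEAD + EPTID + TAIL))  # after re-enabling ePTID
```
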
