
cat-users - Re: [[cat-users]] Unable to authenticate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] Unable to authenticate


  • From: Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Unable to authenticate
  • Date: Fri, 31 Jul 2020 08:55:13 +0000

On 28 Jul 2020, at 10:18, Matthew Slowe <Matthew.Slowe AT jisc.ac.uk> wrote:
>
> On behalf of a new CAT member organisation, they're having trouble
> authenticating to the CAT Admin portal. SimpleSAMLphp is returning an error
> "Failed to decrypt XML element". We've checked the logs on the IdP (look
> ok) and can access the UK Federation's Test SP ok, too.
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
> ...
> Caused by: Exception: Failed to decrypt XML element.
>
> The tracking code was 5d4e392eee at about 08:53Z today.
>
> Is this something at the SimpleSAMLphp end or something wrong with the
> assertion being generated by their IdP?

Following up on my own question: could this be because the IdP is a new
Shibboleth v4, which uses AES-GCM encryption rather than the older AES-CBC, and
SimpleSAMLphp doesn't know how to decrypt it?

Could the metadata registration for the CAT SP be updated to include an
<EncryptionMethod> element to assert its support options?

https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0-cs01.html#__RefHeading__13608_557150731

This should instruct IdPs to use the correct algorithm rather than the new
default in ShibIdP4.

Thanks,
--
Matthew Slowe
Technical Specialist - Trust & Identity, Jisc
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

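Added example (not part of this thread, and not CAT, SimpleSAMLphp or Shibboleth code) showing the mechanism the message above proposes: an SP advertises the data-encryption algorithms it can handle with md:EncryptionMethod elements on its encryption KeyDescriptor, and an IdP that honours the algsupport profile picks from that list instead of its own default. The code checks the algorithm named on an IdP's xenc:EncryptedData against what the SP metadata advertises, and appends the missing advertisements. The entity ID, key name and CipherValue are constructed placeholders; only the algorithm URIs and element names are the real XML Encryption and SAML metadata identifiers.

```python
"""Compare the XML-Encryption algorithm an IdP used against the algorithms an
SP advertises via md:EncryptionMethod, and add the advertisement when missing.
Added example, not CAT/SimpleSAMLphp code; entity IDs and key names are made up."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# XML Encryption algorithm identifiers (1.0 namespace for CBC, 1.1 for GCM).
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

# Constructed SP metadata for a hypothetical SP whose encryption KeyDescriptor
# carries a key but no md:EncryptionMethod, so an IdP falls back to its own default.
SP_METADATA_NO_ALGS = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>sp-enc-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def encrypted_assertion_using(algorithm: str) -> str:
    """Constructed saml:EncryptedAssertion skeleton as an IdP would emit it;
    the CipherValue is a placeholder, not real ciphertext."""
    return f"""<saml:EncryptedAssertion xmlns:saml="{NS['saml']}" xmlns:xenc="{NS['xenc']}">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="{algorithm}"/>
    <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""


def advertised_encryption_algorithms(sp_metadata_xml: str) -> set[str]:
    """Algorithms the SP advertises on its encryption-capable KeyDescriptors.
    A KeyDescriptor without a 'use' attribute is valid for signing and encryption."""
    root = ET.fromstring(sp_metadata_xml)
    algs = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):
            continue
        for em in kd.iterfind("md:EncryptionMethod", NS):
            if em.get("Algorithm"):
                algs.add(em.get("Algorithm"))
    return algs


def data_encryption_algorithm(encrypted_xml: str) -> str:
    """Algorithm named on the xenc:EncryptedData the IdP produced."""
    root = ET.fromstring(encrypted_xml)
    em = root.find(".//xenc:EncryptedData/xenc:EncryptionMethod", NS)
    if em is None or not em.get("Algorithm"):
        raise ValueError("EncryptedData carries no EncryptionMethod/@Algorithm")
    return em.get("Algorithm")


def check_algorithm_agreement(sp_metadata_xml: str, encrypted_xml: str) -> tuple[bool, str]:
    """True when the IdP's data-encryption algorithm is one the SP advertised."""
    advertised = advertised_encryption_algorithms(sp_metadata_xml)
    used = data_encryption_algorithm(encrypted_xml)
    if not advertised:
        return False, f"SP advertises no EncryptionMethod; IdP used its own default {used}"
    if used in advertised:
        return True, f"{used} is advertised by the SP"
    return False, f"IdP used {used}; SP advertises only {sorted(advertised)}"


def add_encryption_methods(sp_metadata_xml: str, algorithms: list[str]) -> str:
    """Return the metadata with md:EncryptionMethod appended to every
    encryption-capable KeyDescriptor (after ds:KeyInfo, as the schema orders them)."""
    root = ET.fromstring(sp_metadata_xml)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):
            continue
        present = {em.get("Algorithm") for em in kd.iterfind("md:EncryptionMethod", NS)}
        for alg in algorithms:
            if alg not in present:
                ET.SubElement(kd, f"{{{NS['md']}}}EncryptionMethod", Algorithm=alg)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    gcm = encrypted_assertion_using(AES128_GCM)
    print(check_algorithm_agreement(SP_METADATA_NO_ALGS, gcm))
    fixed = add_encryption_methods(SP_METADATA_NO_ALGS, [AES256_CBC, AES128_CBC, RSA_OAEP])
    print(check_algorithm_agreement(fixed, encrypted_assertion_using(AES128_CBC)))
    print(check_algorithm_agreement(fixed, gcm))
```

The first check reproduces the situation in the message: with no md:EncryptionMethod in the SP metadata the IdP is free to choose, and an SP that cannot decrypt that choice has no way to say so. After the CBC algorithms (and the RSA-OAEP key transport) are advertised, a CBC-encrypted assertion passes while a GCM one is flagged as outside the SP's stated support; the same check run against the registered metadata is a quick way to confirm the fix landed before retesting a login.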




