cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Dubravko Penezic <dpenezic AT srce.hr>
- To: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Unable to authenticate
- Date: Mon, 3 Aug 2020 08:40:12 +0200
- Autocrypt: addr=dpenezic AT srce.hr; prefer-encrypt=mutual; keydata= xsFNBFl67kYBEACgB/pAe2qQ2l7jXviMrJvOPVNyUzkyVC5RfSj9f3nS5vxKSu8p/r4LGI0L UFfwij0wWENGVA8GmhlxtVPkJguJ2voKdCF71rT/waQBRDLd58SNFCj25YhghZvwD13E7Kpo LDJnjTjZdoR8MdoGvDf4tHuAPEb82MGiGePkYfXULpnQERSwN2E7PchZR9iooq0VnLnWz1dC p631yiRzqitvfaxOD/ve+/mQVGkjvhaKXoRvC2ESuwGn2tEY2pBAGFBJJpRuCHHZmy2xXqUm EEZIyylnVIZY91mfh+B6+0UbcNcjARTjxwMtvqgr0FnI8H6emBgp04njbEIonB4XFEIwoVMi 3sbLbNhbbtm5zWLR9j/t9r8kRyXVL74T33/w6Wo02oBinnNl7JRS41VwECmD4Ry0ZyQ9awnn RmRMM2jJIN/saEiHlskWoA+NaexGy8S9utHs0KeK66ADADwH7ccVBTe036XjqT0IUwkQ/iZq HBSmBcfPCJpxdztD/pTnZlAb/SVs4qND+lFGSYBR3xtd4Tjy7jUEchv7KgXYC+0nEioG/ugJ sN9C6lws7FKqF3M6pbdDbJ8v5+1ZGWUbeTW3nLynkfTB0IaJRg7fhbTRnsFoCTQqtqBzhQo5 qPGRJGCtKT7VtHhw35NWIvWpg8rf2rCrAAI7QHHTtjug+eli3QARAQABzSNEdWJyYXZrbyBQ ZW5lemljIDxkcGVuZXppY0BzcmNlLmhyPsLBfwQTAQIAKQUCWXruRgIbIwUJEswDAAcLCQgH AwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEGpNIE2rCiDPLvYP/j4v2ita+FGUkr1asnj9/rRn x/tz+ecXn2IM+mJnrxAb852tH4Vp/fTRDP1oq8tZqCEErYFFPYNDZzw/2uFmtNioXSdemuWB 3DFyodGXg20Y5ZXdQ2YgdmnLk+i2enZYBRIvC/rqwEwzfJLgbPRbPGld4kHE/tdOTwWfxgW7 ue6e+g6yPGknQN2lflSCqCL7XIqN7wAEDfdPMMRjiOmq6j1AWsGDOOfOKn7qggPCKp4XAgsz nA3ZtjO2VjLsodlnxXick4bfPz1rDQFYdk2TNlCVuBMO8hg70OUQbqVgBOM4sq+V0dhjryDV 2MN1GHfyly/n5+KUbWdnBZnNjhliWcGraQzJaCzRQQ77vWxn/YnqelIobc/a5JxlNqAF3IJW Rw0S2iVdzuVYYTws7/MCbb8EJVQBN9DfU855MiUbExB/tLpg01XTu3GIBtTy6r0yLN1d7KEu nb9Qd2Du8jid5VXCB368KUC5SC3/E2x2fklpHtQ3yLJUP4W+KHOPAivJT5li6KBntTbchBJa +NsIaIYUeaYJ7168fY86Q8y7AjG2I7Eya3s90tfjVBndPxs2WEJ+3ck0z96qcdBt3FRGnatY 3bitRzeaQpoa9jPhNI/cVUl8fcoP6SQAlGjIdCaQKn0RZgovvylG+pioBpUVsLAAn+3ZePM9 frRiXRb2Bo93zsFNBFl67kYBEACrBvckp5yR+p4Kc+mWF3inQFJzaxyYu3VVY8+nla2SGyPH /OhiVl+20wINBmTQrnJPzP2Sim+6dZ/PPZzKXLrn/jJm7lw4IuCYNv7uKmmoYDCN82Gc1C4H 3rfik+rw9CAhtspe9VExdJqNI38PCujzj3x8q3gvRP6WAGC+O2OJaCvThj2eiT8nBQSVaLTm Tk2s2w5ZBsRG7UULUi5CvfCzfXnrBMygaoLAjlWIPN58rmwWwj3v3FIX/pjodMQv4Aygff9K oUVIGsf4Q5mKnVpEG+AF0mAY5zW2BYrj+wA8RJh42hQe5boXc5K+aPH6wMdUyYqbD+lZrGGx EPav4bspuu4Z0laZ0sEcxyjRSxoj2hgdNcjKTT3bRP/nNa5KEF38c0AvobWbGgHYGpDeiKmK 3A4/sSWkMi4FFdYdPc8P9bjALP7Z0FGSZlHj9km1ls9H6CadgQFYX2XpL4Irc/DqgQupn3m2 otXJgJeNrQMgXkMr7iz03DJ0K/HVe13VhLzNKyusOoagHLyJxm/r3XX9wR+t6BCGyHw/ckz/ C1wSrJvYtB0/2nrgwHRXbQtQmKkUcWqfX9oWGLPL1PzASVtM8rpSO8FSBtz1vz3BKUV9bpC0 z/7PhnFKIpop/DXOxM4TcD9cXF9dWb6LQW0SSD6OFT524en8N/xoPNCbsA+sTQARAQABwsFl BBgBAgAPBQJZeu5GAhsMBQkSzAMAAAoJEGpNIE2rCiDP5WEP/jTsPgzRJOJS8Un3PJAvwpXF WzOq0wKLuX7sUvMG7UoRfUfTaKIEh+x40LDbMxUgjcsJwFc1VMeeg3L8qgs8giUp5mF/70ua SZS5zPkCf1IOhEdB+eU0g8UNECzs9iS0qm+uu+vsUcvr9RMOnvUGDvldDDdfLZ3Ifj9jqmbp v3OPc88b9Ua1SeWcPaJQROWe+isVRqRbbzBwFI4Fj8C6M8jFNLv/oXlLKCDHlX9RFOSg9Umn ZT9/0LTUAuensC4l2wlanBsvPTJq/d2mOj4ac1sRL1wRRfCX04dv7Aurtz1Uip4p5yYmyosQ RLue91BioZw5K8oxnHQJ8mZNkIT+61YV0jzoB8yHjw8bzKlidNlxKUz5eN2CrlBLD/YvAa+5 lBhVqfD4U04o6uNJ+KKH5oxIVML88aKquKSgqDeCMVUo4lwmdy/U6DGZoTih9CTBBhrJDkrK OYmzumqJjbiRE/PN15f/phLvzbqjemw0Njy5jnMA6Y6vM3qdGSslwlpFkYxvrrw2GYKCJyRW nvVRj4ufJPai2drwJ4SuwzN5vLkeh9K05bgT7vqeXOl9n/oexxzWhTzvzx5Jb+fl8f/2yeAW 3KCxf2dhhM8oO7RLIufg2ks2+ytOP/Js0yguRB9Mm1LSqJ/STZ8oz0CewCVqfNUI6NljKeIT 5bWTWRBQOe6l
Hi all,
after some investigation situation is as follow.
CAT request authentication , and user decide from discovery service for
IdP, discovery service send request for authentication to
https://shib.highlands.ac.uk/idp (via user browser) and attach
certificate in it and encryption algorithm for signature.
In next step arrive response from https://shib.highlands.ac.uk/idp , and
that xml have 2 keys.
First one is declared like rsa-sha256 , for signature, and system is not
able to check signature with this one. Looking in other request
responses, it is look like that signature certificate are one of issue
(in few other case using aes128-gcm validation is done correctly).
Second issue is connected with xmlseclibs SSP use , and I did upgrade,
to latest one according https://github.com/simplesamlphp/saml2/issues/179 .
So please check your signature certificate, and then try to check if
system now work (I dont have any Shib to test with).
Regards,
Dubravko Penezic
On 7/31/20 10:55 AM, Matthew Slowe wrote:
> On 28 Jul 2020, at 10:18, Matthew Slowe <Matthew.Slowe AT jisc.ac.uk> wrote:
>>
>> On behalf of a new CAT member organisation, they're having trouble
>> authenticating to the CAT Admin portal. SimpleSAMLphp is returning an
>> error "Failed to decrypt XML element". We've checked the logs on the IdP
>> (look ok) and can access the UK Federation's Test SP ok, too.
>>
>> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>> ...
>> Caused by: Exception: Failed to decrypt XML element.
>>
>> The tracking code was 5d4e392eee at about 08:53Z today.
>>
>> Is this something at the SimpleSAMLphp end or something wrong with the
>> assertion being generated by their IdP?
>
> Following up my own question, this could be because the IdP is a new
> Shibboleth v4 which is using AES-GCM encryption rather than the older
> AES-CBC and SimpleSAMLphp doesn't know how to decrypt it?
>
> Could the metadata registration for the CAT SP be updated to include an
> <EncryptionMethod> element to assert its support options?
>
> https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0-cs01.html#__RefHeading__13608_557150731
>
> This should instruct IdPs to use the correct algorithm rather than the new
> default in ShibIdP4.
>
> Thanks,
>
--
Dubravko Penezic
Information Systems and Applications Department
SRCE - University of Zagreb University Computing Centre, www.srce.unizg.hr
Dubravko.Penezic AT srce.hr, tel: +385 1 616 5555, fax: +385 1 616 5559
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/03/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/03/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/07/2020
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Stefan Paetow, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/07/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/03/2020
Archive powered by MHonArc 2.6.19.