
cat-users - Re: [[cat-users]] Unable to authenticate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] Unable to authenticate


  • From: Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>
  • To: Dubravko Penezic <dpenezic AT srce.hr>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Unable to authenticate
  • Date: Mon, 3 Aug 2020 09:21:55 +0000
  • Accept-language: en-GB, en-US

Morning Dubravko,

Thanks for looking into this.

> On 3 Aug 2020, at 07:40, Dubravko Penezic <dpenezic AT srce.hr> wrote:
>
> In the next step a response arrives from https://shib.highlands.ac.uk/idp , and
> that XML has 2 keys.
>
> The first one is declared as rsa-sha256, for signature, and the system is not
> able to check the signature with this one. Looking at other request
> responses, it looks like the signature certificate is one of the issues
> (in a few other cases using aes128-gcm validation is done correctly).

Do you have any idea why it's not liking this certificate? It's able to talk
to some other services, at least.

I don't think it's to do with the signature as the backtrace mentions
decryptAssertion which is called before the signature is looked at and the
called decryptElement deliberately obfuscates the underlying decryption error
(at
https://github.com/simplesamlphp/saml2/blob/master/src/SAML2/Utils.php#L511)

> The second issue is connected with the xmlseclibs SSP uses, and I did upgrade
> to the latest one according to https://github.com/simplesamlphp/saml2/issues/179 .
>
> So please check your signature certificate, and then try to check if the
> system now works (I don't have any Shib to test with).

I have re-tested and get the same error (today's tracking code: 0185ef6a88)

Happy to take this off-list if you'd prefer.

Thanks,
Matthew


> On 7/31/20 10:55 AM, Matthew Slowe wrote:
>> On 28 Jul 2020, at 10:18, Matthew Slowe <Matthew.Slowe AT jisc.ac.uk> wrote:
>>>
>>> On behalf of a new CAT member organisation, they're having trouble
>>> authenticating to the CAT Admin portal. SimpleSAMLphp is returning an
>>> error "Failed to decrypt XML element". We've checked the logs on the IdP
>>> (look ok) and can access the UK Federation's Test SP ok, too.
>>>
>>> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>>> ...
>>> Caused by: Exception: Failed to decrypt XML element.
>>>
>>> The tracking code was 5d4e392eee at about 08:53Z today.
>>>
>>> Is this something at the SimpleSAMLphp end or something wrong with the
>>> assertion being generated by their IdP?
>>
>> Following up on my own question, this could be because the IdP is a new
>> Shibboleth v4 which is using AES-GCM encryption rather than the older
>> AES-CBC and SimpleSAMLphp doesn't know how to decrypt it?
>>
>> Could the metadata registration for the CAT SP be updated to include an
>> <EncryptionMethod> element to assert its support options?
>>
>> https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0-cs01.html#__RefHeading__13608_557150731
>>
>> This should instruct IdPs to use the correct algorithm rather than the new
>> default in ShibIdP4.
>>
>> Thanks,
>>
>
> --
> Dubravko Penezic
> Information Systems and Applications Department
> SRCE - University of Zagreb University Computing Centre, www.srce.unizg.hr
> Dubravko.Penezic AT srce.hr, tel: +385 1 616 5555, fax: +385 1 616 5559
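Matthew's suggestion in the quoted message, that the SP's metadata should carry <EncryptionMethod> elements so an IdP picks a cipher the SP can actually decrypt, can be checked against any SP's published metadata. The following is an added example, not code from this thread, from CAT or from SimpleSAMLphp; the entityID and certificate in the sample metadata are constructed placeholders, and the helper names are my own.

```python
# Added example: list the encryption algorithms an SP advertises in its
# SAML 2.0 metadata (the algsupport profile puts <md:EncryptionMethod>
# under <md:KeyDescriptor use="encryption">). An SP that advertises only
# AES-CBC tells a Shibboleth IdP v4 not to default to AES-GCM.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (placeholder entityID and certificate).
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod
          Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod
          Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def advertised_encryption_methods(metadata_xml):
    """Return the Algorithm URIs from EncryptionMethod elements of every
    SP KeyDescriptor usable for encryption (use="encryption" or no use,
    which means both signing and encryption)."""
    root = ET.fromstring(metadata_xml)
    algorithms = []
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "encryption"):
            for em in kd.findall("md:EncryptionMethod", NS):
                algorithms.append(em.get("Algorithm"))
    return algorithms


def advertises_aes_gcm(metadata_xml):
    """True if any advertised data-encryption algorithm is an AES-GCM URI."""
    return any(a.endswith("-gcm") for a in advertised_encryption_methods(metadata_xml))


if __name__ == "__main__":
    for alg in advertised_encryption_methods(SAMPLE_SP_METADATA):
        print(alg)
    print("advertises AES-GCM:", advertises_aes_gcm(SAMPLE_SP_METADATA))
```

If the function returns an empty list for a live SP's metadata, the SP advertises nothing and an IdP is free to pick its own default; that is the situation the quoted message describes.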



