cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Alan Cox - UKRI <Alan.Cox AT ukri.org>
- To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: RE: [[cat-users]] Unable to authenticate
- Date: Thu, 6 Aug 2020 09:08:34 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ukri.org; dmarc=pass action=none header.from=ukri.org; dkim=pass header.d=ukri.org; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Pyf5tFwpcqS8uNAN904mN8TlnqAYX3xnVvF3l8GO0YQ=; b=T6RzPJTBFGdB6wYL1ITnSmSnln2evDir1kDq3nIzFmv0pZha4bI94H7OnCHYiZEa2mznB2JIpUBfULtvpV/SUrpUxWht/3zA9xRUIKBKeWKkT7KreKWBomn09lh2oxjzcGNDUsEm1KnwM1nHKr7VK3KFTNpJdWG/16FBqMyU/PCI+tcT+UKwMKVVR2vkSNUAf1aSbeH2/xMRapgHinvxEMcqy+JFkiyAHw4Q9QJdPBzxLZD/BTRy2tz4gCQt9OTUmpC9WrY59JoXgrMndxP34BrSTWVtBtyOdkBraNQ8qK2F8Oul/0Rus6Ti2QiLZNyds492Ato2l49RMbAhbWm98g==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fl+DGNePBHpUHBS+0ueiIDWtfqvMiX2zRE3eo7SfOMSrtRA26SdpgWbeDe+VeubPc/7IZhUhLJIu5liYJcF+MxuiRK5tps+SEPqT+qWxfXcZG59zW5Qxgjv+rhaL4S0D0i9Xf6u1xq4sqflgj1G0BSCIhWb0EfJMiEUM07kb63WJYMrxAKUo4QyM/m/MJp1Bj3Jbfxij77zys252jgCQx5kvKXaFm7wYEbXZWxEgongAoSlzJLuoijiyjM0seudkiR8XgxREIWZGYw96ucJj94IzlRjtOi0qXf63NIwObMjrEKiGubzVkSZ4bqSZRrzYEZ5qJMaKd/rruQTffnnnkQ==
- Authentication-results: lists.geant.org; dkim=none (message not signed) header.d=none;lists.geant.org; dmarc=none action=none header.from=ukri.org;
I've just experienced what seems to be the same error, though with a
Shibboleth 3.4.6 IdP - https://nerckwshibba.nerc.ac.uk/idp/shibboleth.
I have a SAML trace if that helps.
Alan Cox
Digital, Data and Technology
UK Research and Innovation
Polaris House, Swindon
-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Matthew Slowe
Sent: 03 August 2020 10:22
To: Dubravko Penezic <dpenezic AT srce.hr>
Cc: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Unable to authenticate
Morning Dubravko,
Thanks for looking into this.
> On 3 Aug 2020, at 07:40, Dubravko Penezic <dpenezic AT srce.hr> wrote:
>
> In next step arrive response from https://shib.highlands.ac.uk/idp ,
> and that xml have 2 keys.
>
> First one is declared like rsa-sha256 , for signature, and system is
> not able to check signature with this one. Looking in other request
> responses, it is look like that signature certificate are one of issue
> (in few other case using aes128-gcm validation is done correctly).
Do you have any idea why it's not liking this certificate? It's able to talk
to some other services, at least.
I don't think it's to do with the signature as the backtrace mentions
decryptAssertion which is called before the signature is looked at and the
called decryptElement deliberately obfuscates the underlying decryption error
(at
https://github.com/simplesamlphp/saml2/blob/master/src/SAML2/Utils.php#L511)
> Second issue is connected with xmlseclibs SSP use , and I did upgrade,
> to latest one according https://github.com/simplesamlphp/saml2/issues/179 .
>
> So please check your signature certificate, and then try to check if
> system now work (I dont have any Shib to test with).
I have re-tested and get the same error (today's tracking code: 0185ef6a88)
Happy to take this off-list if you'd prefer.
Thanks,
Matthew
> On 7/31/20 10:55 AM, Matthew Slowe wrote:
>> On 28 Jul 2020, at 10:18, Matthew Slowe <Matthew.Slowe AT jisc.ac.uk> wrote:
>>>
>>> On behalf of a new CAT member organisation, they're having trouble
>>> authenticating to the CAT Admin portal. SimpleSAMLphp is returning an
>>> error "Failed to decrypt XML element". We've checked the logs on the IdP
>>> (look ok) and can access the UK Federation's Test SP ok, too.
>>>
>>> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION ...
>>> Caused by: Exception: Failed to decrypt XML element.
>>>
>>> The tracking code was 5d4e392eee at about 08:53Z today.
>>>
>>> Is this something at the SimpleSAMLphp end or something wrong with the
>>> assertion being generated by their IdP?
>>
>> Following up my own question, this could be because the IdP is a new
>> Shibboleth v4 which is using AES-GCM encryption rather than the older
>> AES-CBC and SimpleSAMLphp doesn't know how to decrypt it?
>>
>> Could the metadata registration for the CAT SP be updated to include an
>> <EncryptionMethod> element to assert its support options?
>>
>> https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-
>> algsupport-v1.0-cs01.html#__RefHeading__13608_557150731
>>
>> This should instruct IdPs to use the correct algorithm rather than the new
>> default in ShibIdP4.
>>
>> Thanks,
>>
>
> --
> Dubravko Penezic
> Information Systems and Applications Department SRCE - University of
> Zagreb University Computing Centre, www.srce.unizg.hr
> Dubravko.Penezic AT srce.hr, tel: +385 1 616 5555, fax: +385 1 616 5559
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
To unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users
This email and any attachments are intended solely for the use of the named
recipients. If you are not the intended recipient you must not use, disclose,
copy or distribute this email or any of its attachments and should notify the
sender immediately and delete this email from your system. UK Research and
Innovation (UKRI) has taken every reasonable precaution to minimise risk of
this email or any attachments containing viruses or malware but the recipient
should carry out its own virus and malware checks before opening the
attachments. UKRI does not accept any liability for any losses or damages
which the recipient may sustain due to presence of any viruses. Opinions,
conclusions or other information in this message and attachments that are not
related directly to UKRI business are solely those of the author and do not
represent the views of UKRI.
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/03/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/03/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/07/2020
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Stefan Paetow, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/07/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/21/2020
- Re: [[cat-users]] Unable to authenticate, Miroslav Milinovic, 08/26/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/21/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/07/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/03/2020
Archive powered by MHonArc 2.6.19.