
cat-users - RE: [[cat-users]] Unable to authenticate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


RE: [[cat-users]] Unable to authenticate


  • From: Alan Cox - UKRI <Alan.Cox AT ukri.org>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] Unable to authenticate
  • Date: Thu, 6 Aug 2020 09:08:34 +0000
  • Accept-language: en-GB, en-US

I've just experienced what seems to be the same error, though with a
Shibboleth 3.4.6 IdP - https://nerckwshibba.nerc.ac.uk/idp/shibboleth.

I have a SAML trace if that helps.

Alan Cox

Digital, Data and Technology
UK Research and Innovation
Polaris House, Swindon

-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Matthew Slowe
Sent: 03 August 2020 10:22
To: Dubravko Penezic <dpenezic AT srce.hr>
Cc: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Unable to authenticate

Morning Dubravko,

Thanks for looking into this.

> On 3 Aug 2020, at 07:40, Dubravko Penezic <dpenezic AT srce.hr> wrote:
>
> In the next step a response arrives from https://shib.highlands.ac.uk/idp ,
> and that XML has 2 keys.
>
> The first one is declared as rsa-sha256, for signature, and the system is
> not able to check the signature with this one. Looking at other request
> responses, it looks like the signature certificate is one of the issues
> (in a few other cases using aes128-gcm validation is done correctly).

Do you have any idea why it's not liking this certificate? It's able to talk
to some other services, at least.

I don't think it's to do with the signature as the backtrace mentions
decryptAssertion which is called before the signature is looked at and the
called decryptElement deliberately obfuscates the underlying decryption error
(at https://github.com/simplesamlphp/saml2/blob/master/src/SAML2/Utils.php#L511)

> The second issue is connected with the xmlseclibs SSP uses, and I did upgrade
> to the latest one according to https://github.com/simplesamlphp/saml2/issues/179 .
>
> So please check your signature certificate, and then try to check if the
> system now works (I don't have any Shib to test with).

I have re-tested and get the same error (today's tracking code: 0185ef6a88)

Happy to take this off-list if you'd prefer.

Thanks,
Matthew


> On 7/31/20 10:55 AM, Matthew Slowe wrote:
>> On 28 Jul 2020, at 10:18, Matthew Slowe <Matthew.Slowe AT jisc.ac.uk> wrote:
>>>
>>> On behalf of a new CAT member organisation, they're having trouble
>>> authenticating to the CAT Admin portal. SimpleSAMLphp is returning an
>>> error "Failed to decrypt XML element". We've checked the logs on the IdP
>>> (look ok) and can access the UK Federation's Test SP ok, too.
>>>
>>> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION ...
>>> Caused by: Exception: Failed to decrypt XML element.
>>>
>>> The tracking code was 5d4e392eee at about 08:53Z today.
>>>
>>> Is this something at the SimpleSAMLphp end or something wrong with the
>>> assertion being generated by their IdP?
>>
>> Following up my own question, this could be because the IdP is a new
>> Shibboleth v4 which is using AES-GCM encryption rather than the older
>> AES-CBC and SimpleSAMLphp doesn't know how to decrypt it?
>>
>> Could the metadata registration for the CAT SP be updated to include an
>> <EncryptionMethod> element to assert its support options?
>>
>> https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0-cs01.html#__RefHeading__13608_557150731
>>
>> This should instruct IdPs to use the correct algorithm rather than the new
>> default in ShibIdP4.
>>
>> Thanks,
>>
>
> --
> Dubravko Penezic
> Information Systems and Applications Department SRCE - University of
> Zagreb University Computing Centre, www.srce.unizg.hr
> Dubravko.Penezic AT srce.hr, tel: +385 1 616 5555, fax: +385 1 616 5559
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users

To unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users


This email and any attachments are intended solely for the use of the named
recipients. If you are not the intended recipient you must not use, disclose,
copy or distribute this email or any of its attachments and should notify the
sender immediately and delete this email from your system. UK Research and
Innovation (UKRI) has taken every reasonable precaution to minimise risk of
this email or any attachments containing viruses or malware but the recipient
should carry out its own virus and malware checks before opening the
attachments. UKRI does not accept any liability for any losses or damages
which the recipient may sustain due to presence of any viruses. Opinions,
conclusions or other information in this message and attachments that are not
related directly to UKRI business are solely those of the author and do not
represent the views of UKRI.
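The thread above turns on a mismatch between the block cipher the IdP chose for the EncryptedAssertion (AES-GCM by default in newer Shibboleth) and what the SP can decrypt, with SimpleSAMLphp hiding the real cause behind "Failed to decrypt XML element". The following is an added diagnostic example, not code from SimpleSAMLphp, Shibboleth, the eduroam CAT or anyone in the thread: it reads the xenc:EncryptionMethod URIs an IdP actually used in a response and the md:EncryptionMethod URIs an SP advertises in its metadata KeyDescriptor, and reports whether they agree. It goes slightly beyond the thread by checking both the data-encryption and the key-transport algorithm. The sample Response and SP metadata are constructed for this example (entityID, key name and cipher values are dummies).

```python
"""Check which XML-encryption algorithms an IdP used against what the SP advertises.

Added example for this mailing-list thread; not code from SimpleSAMLphp,
Shibboleth or the eduroam CAT.  Sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Standard XML Encryption algorithm identifiers (from the xmlenc / xmlenc11 specs).
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

# Constructed SAML Response: the IdP encrypted the assertion with AES-128-GCM.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="{AES128_GCM}"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{RSA_OAEP_MGF1P}"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed SP metadata advertising AES-128-CBC and RSA-OAEP-MGF1P only.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>sp-enc-key</ds:KeyName></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="{AES128_CBC}"/>
      <md:EncryptionMethod Algorithm="{RSA_OAEP_MGF1P}"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same metadata with no EncryptionMethod at all (the situation the thread suspects).
SP_METADATA_NO_ENC = "\n".join(
    line for line in SP_METADATA.splitlines() if "EncryptionMethod" not in line)


def idp_algorithms(response_xml: str) -> dict:
    """Return {'data': block-cipher URI, 'key': key-transport URI} used in the response."""
    root = ET.fromstring(response_xml)
    enc = root.find(".//saml:EncryptedAssertion", NS)
    if enc is None:
        raise ValueError("no EncryptedAssertion in response")
    data_method = enc.find("./xenc:EncryptedData/xenc:EncryptionMethod", NS)
    # EncryptedKey may live inside ds:KeyInfo or as a sibling of EncryptedData,
    # so search the whole EncryptedAssertion subtree.
    key_method = enc.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    return {
        "data": data_method.get("Algorithm") if data_method is not None else None,
        "key": key_method.get("Algorithm") if key_method is not None else None,
    }


def sp_advertised_algorithms(metadata_xml: str) -> set:
    """Collect md:EncryptionMethod URIs from KeyDescriptors usable for encryption."""
    root = ET.fromstring(metadata_xml)
    algs = set()
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):  # no 'use' means both
            continue
        for em in kd.findall("md:EncryptionMethod", NS):
            algs.add(em.get("Algorithm"))
    return algs


def diagnose(response_xml: str, metadata_xml: str) -> list:
    """Return human-readable findings; an empty list means the algorithms agree."""
    used = idp_algorithms(response_xml)
    advertised = sp_advertised_algorithms(metadata_xml)
    findings = []
    if not advertised:
        findings.append("SP metadata advertises no EncryptionMethod; the IdP falls back to its own default")
    for role, uri in used.items():
        if uri is None:
            findings.append(f"no {role} EncryptionMethod found in response")
        elif advertised and uri not in advertised:
            findings.append(f"{role} algorithm {uri} is not advertised by the SP metadata")
    return findings


if __name__ == "__main__":
    for label, meta in (("no EncryptionMethod", SP_METADATA_NO_ENC), ("CBC advertised", SP_METADATA)):
        print(label, "->", diagnose(SAMPLE_RESPONSE, meta) or "OK")
```

Run on a real trace by substituting the captured Response and the SP's published metadata; when the data algorithm is reported as not advertised (or nothing is advertised at all), adding md:EncryptionMethod elements for the algorithms the SP's XML-security library actually implements is the metadata-side fix the thread proposes.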



