cat-users - Re: [[cat-users]] Unable to authenticate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Unable to authenticate
  • Date: Thu, 6 Aug 2020 09:46:56 +0000


> On 6 Aug 2020, at 10:08, Alan Cox - UKRI <Alan.Cox AT ukri.org> wrote:
>
> I've just experienced what seems to be the same error, though with a
> Shibboleth 3.4.6 IdP - https://nerckwshibba.nerc.ac.uk/idp/shibboleth.

Our 3.4.6 IdP is also now seeing the same thing - as is the new v4 IdP.

Comparing the assertion for CAT with a "known good" assertion (against an SP
which doesn't assert any algorithm requirements), I note these differences:

--- ref.xml 2020-08-06 10:38:45.000000000 +0100
+++ cat.xml 2020-08-06 10:38:56.000000000 +0100
@@ -4,8 +4,9 @@
<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Id="id" Recipient="sp-entityid">
- <xenc:EncryptionMethod
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
+ <xenc:EncryptionMethod
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep";>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#";
Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/>
</xenc:EncryptionMethod>
</xenc:EncryptedKey>
</ds:KeyInfo>
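Review bot: the -/+ pair changes only the algorithm identifier, not the operation. With ds:DigestMethod sha1 and xenc11:MGF mgf1sha1 alongside it, the new xmlenc11#rsa-oaep block describes the same RSA-OAEP key transport (SHA-1 digest, MGF1 with SHA-1) that the XML Encryption 1.0 identifier xmlenc#rsa-oaep-mgf1p denotes, so a consumer that fails on cat.xml is rejecting a URI it does not recognise rather than a primitive it cannot perform. Before deciding which side to change, it is worth confirming what the SP advertises in md:EncryptionMethod under its encryption KeyDescriptor (the "known good" SP above asserts nothing, which fits it getting the 1.0 identifier) and whether the IdP's encryption settings for this SP can be pinned to rsa-oaep-mgf1p. The stray ';' after each namespace URI would not be well-formed XML and is presumably archive rendering rather than assertion content.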


I don't know a huge amount about the inner workings of the different
algorithms, but I do wonder if SimpleSAMLphp doesn't support "rsa-oaep" but
does support "rsa-oaep-mgf1p", and, because the first one is listed first, it's
using that?

--
Matthew Slowe
Technical Specialist - Trust & Identity, Jisc

Direct: 07442 097185
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
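As an added illustration (not code from this thread or from either project), the following standard-library Python check pulls the key-transport algorithm, digest and MGF out of an EncryptedKey and reports whether a consumer that only recognises the XML Encryption 1.0 rsa-oaep-mgf1p identifier would accept it, even when the parameters are equivalent. The two sample documents are constructed from the variants in the diff above, and the handling of absent DigestMethod/MGF elements follows the defaults in the XML Encryption 1.0 and 1.1 specifications.

```python
"""Inspect the RSA-OAEP key transport parameters in a SAML EncryptedKey."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
DS = "http://www.w3.org/2000/09/xmldsig#"

RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p"  # XML Encryption 1.0: MGF fixed to MGF1/SHA-1
RSA_OAEP = XENC11 + "rsa-oaep"            # XML Encryption 1.1: MGF carried in xenc11:MGF
MGF1_SHA1 = XENC11 + "mgf1sha1"
SHA1 = DS + "sha1"


def describe_key_transport(xml_text):
    """Return algorithm, digest and MGF named in the first xenc:EncryptedKey."""
    root = ET.fromstring(xml_text)
    enc_key = root.find(f".//{{{XENC}}}EncryptedKey")
    if enc_key is None:
        raise ValueError("no xenc:EncryptedKey element found")
    method = enc_key.find(f"{{{XENC}}}EncryptionMethod")
    algorithm = method.get("Algorithm")
    digest_el = method.find(f"{{{DS}}}DigestMethod")
    mgf_el = method.find(f"{{{XENC11}}}MGF")
    digest = digest_el.get("Algorithm") if digest_el is not None else SHA1  # 1.0 default
    if algorithm == RSA_OAEP_MGF1P:
        mgf = MGF1_SHA1  # implied by the 1.0 identifier; no MGF element is expected
    elif algorithm == RSA_OAEP:
        mgf = mgf_el.get("Algorithm") if mgf_el is not None else MGF1_SHA1  # 1.1 default
    else:
        mgf = None  # not an RSA-OAEP variant
    return {"algorithm": algorithm, "digest": digest, "mgf": mgf}


def equivalent_to_mgf1p(info):
    """True when the parameters amount to the same operation as rsa-oaep-mgf1p."""
    return (info["algorithm"] in (RSA_OAEP, RSA_OAEP_MGF1P)
            and info["digest"] == SHA1 and info["mgf"] == MGF1_SHA1)


def accepted_by(info, supported_uris):
    """Strict consumer model: only the literal algorithm URI counts, not equivalence."""
    return info["algorithm"] in supported_uris


# Constructed samples modelled on the two variants in the diff (not real assertions).
def _sample(method_block):
    return (f'<ds:KeyInfo xmlns:ds="{DS}" xmlns:xenc="{XENC}" xmlns:xenc11="{XENC11}">'
            f'<xenc:EncryptedKey Id="id" Recipient="sp-entityid">{method_block}'
            '</xenc:EncryptedKey></ds:KeyInfo>')

REF_XML = _sample(f'<xenc:EncryptionMethod Algorithm="{RSA_OAEP_MGF1P}">'
                  f'<ds:DigestMethod Algorithm="{SHA1}"/></xenc:EncryptionMethod>')
CAT_XML = _sample(f'<xenc:EncryptionMethod Algorithm="{RSA_OAEP}">'
                  f'<ds:DigestMethod Algorithm="{SHA1}"/>'
                  f'<xenc11:MGF Algorithm="{MGF1_SHA1}"/></xenc:EncryptionMethod>')
```

Running describe_key_transport on both samples shows the same digest and MGF, while accepted_by(info, {RSA_OAEP_MGF1P}) is true only for the ref.xml variant.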
