cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
- To: Alan Cox - UKRI <Alan.Cox AT ukri.org>, Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Unable to authenticate
- Date: Thu, 6 Aug 2020 12:39:08 +0000
- Accept-language: en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4iyDPujFMu8IiI2aM50APgThNpI49K7g3ES7+bZNMDI=; b=VMy4FVwhU6xVTPv/OrxpwfYoSqBFKIPPvLWbD1DsOmcP6tm8FfmPhL++j8n5SzpWNwRO1KkQHSTgOXGXaA9yTk1z9/ijlgS3QhxPwfG+dxkG5dFvcdTCBXv7a5QIf1cG0VVlxGV8IOrwwjwREykqB/zbhtiOfjxrWgkauHxz18K9I7TbpJWFVHDNwzu99rkSgBj2m69b/g0o6jm8JVoc4Mt3EokRpOovVBV0FueWZvKMTIMVsZ461RYWDrcfHUgj7levzTOuCI+J7MNDhbK9aFq2RojH4CQDYUEsYqjZgltUWJrK33ODl2a3Iyc5vbC3Ofc6o7mzWMnmxsvSgHiVQw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WznsTIj3mGDFLLszlIdMp1modptmAPBPMySSrxS22QsGLxGXHihr+6JoeLVjhwynNznqBapcHtrZS2F7je4koRsxnDAE/4WJtk2RTJWrFXl9Y2Dfxa5/bICwFji79GJ01w24a56RrcLEqbVTOYiyvQMFgn3qjvh8dMmNnuaoBEjPcFfP9YxGb8H3Gc7YfZM+q8fORIPtuah0m+yO7DXDG4LaOX9W0f3L58l0ilsyLchiBnQiN6JDpsGyGVoavtVa/MnV9JhkSJmmtVTbZZoYfD7SpK6n4b4k+OK8Bf3hxB+R4xrm7GlhrIs9WiHH2jXnlCV7a9RNHc2uGD0KSx6I0g==
- Authentication-results: ukri.org; dkim=none (message not signed) header.d=none;ukri.org; dmarc=none action=none header.from=jisc.ac.uk;
Hi,
Yep, we're experiencing the same trying to log into CAT.
:-/
Stefan Paetow
Federated Roaming Technical Specialist
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet
In line with government advice, at Jisc we’re now working from home and our
offices are currently closed. Read our statement on coronavirus
<https://www.jisc.ac.uk/about/corporate/coronavirus-statement>.
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.
On 06/08/2020, 11:24, "cat-users-request AT lists.geant.org on behalf of Alan
Cox - UKRI" <cat-users-request AT lists.geant.org on behalf of
Alan.Cox AT ukri.org> wrote:
> I don't know a huge amount about the inner workings of the different
algorithms
I know even less, but a look at
https://www.w3.org/TR/xmlenc-core/#sec-RSA-OAEP suggests that the same
encryption is being used in the two cases.
"#rsa-oaep-mgf1p identifier defines the mask generation function as the
fixed value of MGF1 with SHA1"
Whereas "#rsa-oaep identifier defines the mask generation function using
the optional xenc11:MGF element", and in the diffs you give, that element
gives the URI http://www.w3.org/2009/xmlenc11#mgf1sha1, which is MGF1 with
SHA1.
So, the algorithm is the same, just identified differently.
Which is not to say that this isn't the cause of the problem.
Alan.
-----Original Message-----
From: cat-users-request AT lists.geant.org
<cat-users-request AT lists.geant.org> On Behalf Of Matthew Slowe
Sent: 06 August 2020 10:47
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Unable to authenticate
> On 6 Aug 2020, at 10:08, Alan Cox - UKRI <Alan.Cox AT ukri.org> wrote:
>
> I've just experienced what seems to be the same error, though with a
Shibboleth 3.4.6 IdP - https://nerckwshibba.nerc.ac.uk/idp/shibboleth.
Our 3.4.6 IdP is also now seeing the same thing - as is the new v4 IdP.
Comparing the assertion for CAT with a "known good" assertion (against an
SP which doesn't assert any algorithm requirements), I note these differences:
--- ref.xml2020-08-06 10:38:45.000000000 +0100
+++ cat.xml2020-08-06 10:38:56.000000000 +0100
@@ -4,8 +4,9 @@
<xenc:EncryptionMethod
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="id" Recipient="sp-entityid">
- <xenc:EncryptionMethod
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
+ <xenc:EncryptionMethod
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+ Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
+ Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/>
</xenc:EncryptionMethod>
</xenc:EncryptedKey>
</ds:KeyInfo>
I don't know a huge amount about the inner workings of the different
algorithms, but I do wonder if SimpleSAMLphp doesn't support "rsa-oaep" but
does support "rsa-oaep-mgf1p" but, because the first one is listed first it's
using that?
--
Matthew Slowe
Technical Specialist - Trust & Identity, Jisc
Direct: 07442 097185
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG To
unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link:
https://lists.geant.org/sympa/sigrequest/cat-users
This email and any attachments are intended solely for the use of the
named recipients. If you are not the intended recipient you must not use,
disclose, copy or distribute this email or any of its attachments and should
notify the sender immediately and delete this email from your system. UK
Research and Innovation (UKRI) has taken every reasonable precaution to
minimise risk of this email or any attachments containing viruses or malware
but the recipient should carry out its own virus and malware checks before
opening the attachments. UKRI does not accept any liability for any losses or
damages which the recipient may sustain due to presence of any viruses.
Opinions, conclusions or other information in this message and attachments
that are not related directly to UKRI business are solely those of the author
and do not represent the views of UKRI.
To unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link:
https://lists.geant.org/sympa/sigrequest/cat-users
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/03/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/03/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/07/2020
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Stefan Paetow, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Dubravko Penezic, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/07/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/21/2020
- Re: [[cat-users]] Unable to authenticate, Miroslav Milinovic, 08/26/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/21/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/07/2020
- Re: [[cat-users]] Unable to authenticate, Guy Halse, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- RE: [[cat-users]] Unable to authenticate, Alan Cox - UKRI, 08/06/2020
- Re: [[cat-users]] Unable to authenticate, Matthew Slowe, 08/03/2020
Archive powered by MHonArc 2.6.19.