
cat-users - Re: [[cat-users]] Unable to authenticate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Dubravko Penezic <dpenezic AT srce.hr>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Unable to authenticate
  • Date: Thu, 6 Aug 2020 21:07:05 +0200

Hi Matthew,

Metadata was changed on 05.08. to a single one; when did you last collect metadata?

Regards,

Dubravko Penezic

On 8/6/20 11:46 AM, Matthew Slowe wrote:
On 6 Aug 2020, at 10:08, Alan Cox - UKRI <Alan.Cox AT ukri.org> wrote:

I've just experienced what seems to be the same error, though with a
Shibboleth 3.4.6 IdP - https://nerckwshibba.nerc.ac.uk/idp/shibboleth.
Our 3.4.6 IdP is also now seeing the same thing - as is the new v4 IdP.

Comparing the assertion for CAT with a "known good" assertion (against an SP
which doesn't assert any algorithm requirements), I note these differences:

--- ref.xml 2020-08-06 10:38:45.000000000 +0100
+++ cat.xml 2020-08-06 10:38:56.000000000 +0100
@@ -4,8 +4,9 @@
<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; Id="id"
Recipient="sp-entityid">
- <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
+ <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep";>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#";
Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/>
</xenc:EncryptionMethod>
</xenc:EncryptedKey>
</ds:KeyInfo>
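Review bot: the only substantive change in this hunk is the key-transport algorithm on the xenc:EncryptedKey: ref.xml carries the XML Encryption 1.0 identifier `xmlenc#rsa-oaep-mgf1p` (which implies MGF1 with SHA-1), whereas cat.xml carries the XML Encryption 1.1 identifier `xmlenc11#rsa-oaep` plus an explicit `xenc11:MGF` child with `mgf1sha1`. The two spell out the same RSA-OAEP parameters (SHA-1 digest, MGF1 with SHA-1), so the difference is in identifiers, not in the cryptography; the failure mode is an SP whose XML-Encryption library only recognises the 1.0 identifier and rejects the EncryptedKey before decrypting. Since the reference SP "doesn't assert any algorithm requirements", the thing to compare is the CAT SP's metadata EncryptionMethod entries (and their order) against what the SP's decryption library actually implements, before touching the IdP. The `;` after each namespace URI is archive rendering residue, not part of the assertion.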


I don't know a huge amount about the inner workings of the different algorithms, but I do wonder
if SimpleSAMLphp doesn't support "rsa-oaep" but does support "rsa-oaep-mgf1p"
but, because the first one is listed first, it's using that?

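One way to check the hypothesis above on the SP side, as an added example that is not code from the thread, from CAT or from Shibboleth: parse the EncryptedKey's key-transport algorithm (with its DigestMethod and MGF children) out of an assertion, parse the algorithms the SP advertises in its metadata, and compare both against the set the SP's decryption library actually implements. The two assertion fragments are constructed to match the shape of the diff in the thread; the SP metadata (which advertises the 1.1 `rsa-oaep` identifier first) and the `LEGACY_ONLY` set (a library that only implements `rsa-oaep-mgf1p`) are assumptions made to reproduce the suspected mismatch, not facts from the page.

```python
"""Diagnose an XML-Encryption key-transport mismatch between a SAML assertion
and a service provider. Added example; assertion fragments are constructed to
match the thread's diff, SP metadata and the implemented set are assumptions."""
import xml.etree.ElementTree as ET

NS = {
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "xenc11": "http://www.w3.org/2009/xmlenc11#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

RSA_OAEP_MGF1P = NS["xenc"] + "rsa-oaep-mgf1p"   # XML Encryption 1.0 identifier
RSA_OAEP_11 = NS["xenc11"] + "rsa-oaep"          # XML Encryption 1.1 identifier

# Constructed: the "known good" assertion (ref.xml side of the diff).
REF_XML = """<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey Id="id" Recipient="sp-entityid">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </xenc:EncryptionMethod>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
</xenc:EncryptedData>"""

# Constructed: the assertion sent to CAT (cat.xml side of the diff).
CAT_XML = """<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc11="http://www.w3.org/2009/xmlenc11#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey Id="id" Recipient="sp-entityid">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/>
      </xenc:EncryptionMethod>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
</xenc:EncryptedData>"""

# Assumed SP metadata: advertises the 1.1 identifier first, the 1.0 one second.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="sp-entityid">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Assumed: key-transport algorithms the SP's decryption library actually implements.
LEGACY_ONLY = {RSA_OAEP_MGF1P}


def key_transport(assertion_xml):
    """Return the key-transport algorithm, digest and MGF found on the EncryptedKey."""
    root = ET.fromstring(assertion_xml)
    enc_key = root.find(".//xenc:EncryptedKey", NS)
    if enc_key is None:
        raise ValueError("no xenc:EncryptedKey in assertion")
    method = enc_key.find("xenc:EncryptionMethod", NS)
    if method is None:
        raise ValueError("EncryptedKey has no EncryptionMethod")
    digest = method.find("ds:DigestMethod", NS)
    mgf = method.find("xenc11:MGF", NS)
    return {
        "algorithm": method.get("Algorithm"),
        "digest": digest.get("Algorithm") if digest is not None else None,
        "mgf": mgf.get("Algorithm") if mgf is not None else None,
    }


def advertised_algorithms(metadata_xml):
    """Return the EncryptionMethod algorithms the SP advertises, in metadata order."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:KeyDescriptor[@use='encryption']/md:EncryptionMethod"
    return [e.get("Algorithm") for e in root.findall(path, NS)]


def diagnose(assertion_xml, metadata_xml, implemented):
    """Say whether the SP can decrypt the key the IdP sent, and which side to fix."""
    alg = key_transport(assertion_xml)["algorithm"]
    advertised = advertised_algorithms(metadata_xml)
    result = {"chosen": alg, "advertised": advertised, "decryptable": alg in implemented}
    if alg not in advertised:
        result["note"] = "IdP used an algorithm the SP metadata does not advertise"
    elif alg not in implemented:
        result["note"] = ("SP metadata advertises %s but the SP's library does not "
                          "implement it; reorder or trim the metadata, or upgrade the library" % alg)
    else:
        result["note"] = "key-transport algorithm is both advertised and implemented"
    return result


if __name__ == "__main__":
    for name, doc in (("ref.xml", REF_XML), ("cat.xml", CAT_XML)):
        print(name, diagnose(doc, SP_METADATA, LEGACY_ONLY))
```

Run against the constructed inputs, `ref.xml` is reported as decryptable and `cat.xml` is not, with the note pointing at the gap between what the SP metadata advertises first and what its library implements; that is the situation the thread suspects, and the same parser can be pointed at a real assertion and real metadata to confirm or rule it out before changing the IdP.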