cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>
- To: Dubravko Penezic <dpenezic AT srce.hr>
- Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Unable to authenticate
- Date: Fri, 7 Aug 2020 11:22:28 +0000
Hi Dubravko,
I'm aware of some delays in the in-and-out-of-edugain processes but, in the
UK Federation publication that went out last night, it's a single element as
you say.
This seems to have fixed it for non-ShibIdPv4 instances (those that don't
default to GCM) and we're back to "mostly working". However it's still not
working when the IdP's default configuration is set to GCM.
I've had a chat with the Shibboleth project development team to check what I
should be suggesting for you. The long answer is:
> * They want at least the aes128-cbc value.
>
> * If they want the rsa-oaep-mgf1p explicitly specified as well, they can
> have that too but I don't think leaving it out will make a difference as
> it's kind of a mandatory default.
>
> * Adding the other AESxxx-CBC in the order given won't affect anything
> today, but might cause them to be selected one day if AES128-CBC ever
> becomes nonviable. They're slower, and not reckoned to have much additional
> strength, which is why the Shib SP orders them that way. Obviously they
> should only include things they actually support, and I accept that
> actually finding out what you support can be a PITA, so leaving them out is
> fine too.
The short answer is:
"Add the aes128-cbc, leave the existing one if you want."
That way "old" IdPs would still use the CBC algorithm and "new" IdPs will
know that they need to use the CBC (rather than GCM) algorithm. Would you be
able to do that?
Thanks!
--
Matthew Slowe
Technical Specialist - Trust & Identity, Jisc
Direct: 07442 097185
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
> On 6 Aug 2020, at 20:07, Dubravko Penezic <dpenezic AT srce.hr> wrote:
>
> Hi Matthew.
>
> metadata was changed on 05.08. to a single one; when did you last collect
> metadata?
>
> Regards,
>
> Dubravko Penezic
>
> On 8/6/20 11:46 AM, Matthew Slowe wrote:
>>> On 6 Aug 2020, at 10:08, Alan Cox - UKRI <Alan.Cox AT ukri.org> wrote:
>>>
>>> I've just experienced what seems to be the same error, though with a
>>> Shibboleth 3.4.6 IdP - https://nerckwshibba.nerc.ac.uk/idp/shibboleth.
>> Our 3.4.6 IdP is also now seeing the same thing - as is the new v4 IdP.
>>
>> Comparing the assertion for CAT with a "known good" assertion (against an
>> SP which doesn't assert any algorithm requirements), I note these
>> differences:
>>
>> --- ref.xml 2020-08-06 10:38:45.000000000 +0100
>> +++ cat.xml 2020-08-06 10:38:56.000000000 +0100
>> @@ -4,8 +4,9 @@
>> <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>> Id="id" Recipient="sp-entityid">
>> - <xenc:EncryptionMethod
>> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>> + <xenc:EncryptionMethod
>> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>> Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
>> <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> + <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
>> Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/>
>> </xenc:EncryptionMethod>
>> </xenc:EncryptedKey>
>> </ds:KeyInfo>
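Review bot: the only change this hunk records is the key-transport EncryptionMethod on the EncryptedKey: xmlenc#rsa-oaep-mgf1p in ref.xml becomes xmlenc11#rsa-oaep in cat.xml, with the same SHA-1 DigestMethod and an added explicit `xenc11:MGF Algorithm="...#mgf1sha1"` child. With those parameters the two URIs describe the same RSA-OAEP operation (SHA-1 digest, MGF1 with SHA-1), so an SP that decrypts ref.xml but rejects cat.xml is almost certainly refusing the xmlenc11 identifier or the MGF element it does not know, not the cryptography; the SP's decryption log entry naming the unsupported algorithm would confirm that before anything is changed on the IdP side. Note also that the data-encryption method in the unchanged context is aes128-cbc in both files, so this diff does not show the CBC-versus-GCM selection problem; that is a separate symptom. (The continuation line after the `+ <xenc11:MGF` line lacks its `+` prefix only because the e-mail wrapped it.)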
>>
>>
>> I don't know a huge amount about the inner workings of the different
>> algorithms, but I do wonder if SimpleSAMLphp doesn't support "rsa-oaep"
>> but does support "rsa-oaep-mgf1p", and, because the first one is listed
>> first, it's using that?
>>
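The advice in Matthew's message (list aes128-cbc in the SP's metadata so that an IdP which defaults to GCM still picks CBC, while an IdP that only knows CBC is unaffected) can be checked with a small model of the selection rule. The following is an added example, not code from the CAT project, Shibboleth or anyone on the thread. It assumes a simplified version of the behaviour the message describes: the IdP walks the SP's md:EncryptionMethod elements in document order, takes the first data-encryption algorithm and the first key-transport algorithm it supports, and falls back to its own defaults when the SP lists none it supports. The two IdP profiles (an "old" IdP supporting only CBC, a "new" IdP supporting GCM and CBC with GCM as default), the rsa-oaep-mgf1p key-transport default and the SP metadata are all constructed for the example.

```python
"""Model of IdP algorithm selection from SP metadata EncryptionMethod elements.

Added example; the selection rule, IdP profiles and metadata below are
assumptions made for illustration, not Shibboleth's or CAT's own code.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

AES128_CBC = XENC + "aes128-cbc"
AES192_CBC = XENC + "aes192-cbc"
AES256_CBC = XENC + "aes256-cbc"
AES128_GCM = XENC11 + "aes128-gcm"
AES256_GCM = XENC11 + "aes256-gcm"
RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p"
RSA_OAEP = XENC11 + "rsa-oaep"

# Which URIs are data-encryption vs key-transport methods (so one ordered
# list in metadata can carry both kinds, as the Shibboleth advice allows).
DATA_ALGS = {AES128_CBC, AES192_CBC, AES256_CBC, AES128_GCM, AES256_GCM}
KEY_TRANSPORT_ALGS = {RSA_OAEP_MGF1P, RSA_OAEP}


@dataclass(frozen=True)
class IdP:
    """Constructed IdP profile: what it supports and what it uses when the SP says nothing."""
    name: str
    supported: frozenset[str]
    default_data: str
    default_key_transport: str


# "Old" IdP: CBC only, CBC default.  "New" IdP: GCM and CBC, GCM default.
# Both default to rsa-oaep-mgf1p for key transport (assumed, per the message).
OLD_IDP = IdP("old-idp", frozenset({AES128_CBC, AES256_CBC, RSA_OAEP_MGF1P}), AES128_CBC, RSA_OAEP_MGF1P)
NEW_IDP = IdP("new-idp", frozenset(DATA_ALGS | KEY_TRANSPORT_ALGS), AES128_GCM, RSA_OAEP_MGF1P)


def sp_metadata(encryption_methods: list[str]) -> str:
    """Render a minimal SP EntityDescriptor (constructed sample) whose encryption
    KeyDescriptor lists the given algorithm URIs in exactly that order."""
    ems = "\n".join(f'      <md:EncryptionMethod Algorithm="{a}"/>' for a in encryption_methods)
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>example-sp-key</ds:KeyName></ds:KeyInfo>
{ems}
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_encryption_methods(metadata_xml: str) -> list[str]:
    """Algorithm URIs of every md:EncryptionMethod under a KeyDescriptor usable for
    encryption (use="encryption" or no use attribute), in document order."""
    root = ET.fromstring(metadata_xml)
    algs: list[str] = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):
            continue
        algs.extend(em.get("Algorithm", "") for em in kd.iterfind("md:EncryptionMethod", NS))
    return algs


def select_algorithms(idp: IdP, metadata_xml: str) -> tuple[str, str]:
    """Assumed rule: first listed algorithm of each kind the IdP supports, else the IdP default."""
    listed = sp_encryption_methods(metadata_xml)
    data = next((a for a in listed if a in DATA_ALGS and a in idp.supported), idp.default_data)
    key_transport = next(
        (a for a in listed if a in KEY_TRANSPORT_ALGS and a in idp.supported), idp.default_key_transport
    )
    return data, key_transport


if __name__ == "__main__":
    # The four cases the thread is about: nothing listed, the short answer, and the long answer.
    cases = {
        "nothing listed": [],
        "short answer": [AES128_CBC],
        "long answer": [AES128_CBC, RSA_OAEP_MGF1P, AES192_CBC, AES256_CBC],
        "GCM listed first": [AES128_GCM, AES128_CBC],
    }
    for label, methods in cases.items():
        for idp in (OLD_IDP, NEW_IDP):
            data, kt = select_algorithms(idp, sp_metadata(methods))
            print(f"{label:18} {idp.name:8} -> {data.rsplit('#', 1)[1]}, {kt.rsplit('#', 1)[1]}")
```

With nothing listed the new IdP goes to its GCM default while the old one stays on CBC; with aes128-cbc listed first both pick CBC, and adding rsa-oaep-mgf1p or the larger CBC sizes behind it changes nothing, which is the point of the short answer. Listing a GCM method ahead of CBC would make the new IdP choose GCM again, so order matters.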