cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org
- From: Vlad Mencl <vladimir.mencl AT reannz.co.nz>
- To: Matti Saarinen <mjsaarin AT cc.helsinki.fi>, cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org
- Date: Thu, 18 Feb 2021 09:26:07 +1300
Hi Matti, Miro,
I'm in a very similar situation (except that I'm still preparing the rollout of samlSubjectId / samlPairwiseId).
However, the samlSubjectId / samlPairwiseId attributes specify a standard method of requesting these attributes (via dedicated EntityAttributes in the SP metadata).
And the monitor.eduroam.org SP (which acts as a gateway for cat.eduroam.org) is not using this method.
It would be a significant waste of everyone's time if each IdP had to configure the IdP release manually - we would be back to square one with all attribute release efforts.
Miro, can you please add the entity attribute to the SP metadata?
As per https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097237, the SP should have EntityAttribute "urn:oasis:names:tc:SAML:profiles:subject-id:req" with the right value - "any" if either samlSubjectId or samlPairwiseId is sufficient.
I.e.,
    <saml:Attribute Name="urn:oasis:names:tc:SAML:profiles:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>any</saml:AttributeValue>
    </saml:Attribute>
Shibboleth IdP default config includes rules for releasing samlSubjectId / samlPairwiseId based on this attribute - so this should work right away for any IdP supporting these attributes.
I hope this can be done.
Cheers,
Vlad
On 18/02/21 01:51, Matti Saarinen wrote:
Hello,
Our IdP admins did now configure our IdP to send pairwise-id. Now, the
issue changed.
I used to be able to manage the IdP of University of Helsinki. Now, the
server replies "You are not managing any Identity Provider." Very likely
this is due to the fact that the value sent with pairwise-id is different
from the one that was sent with eduPersonTargetedID. Should I contact
FUNET and ask them to invite me to manage our IdP again? Or is there any
easier way?
Cheers,
Matti
actually this service needs at least one of the following attributes to
identify user: eduPersonTargetedID, pairwise-id, subject-id,
facebook_targetedID, google_eppn, linkedin_targetedID, twitter_targetedID.
--
Vladimir Mencl
Senior Software Engineer
Research & Education
Advanced Network NZ Ltd
M +64 21 997352
E vladimir.mencl AT reannz.co.nz
www.reannz.co.nz
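
Added example, not part of the original message and not code from the CAT or Shibboleth projects: a check that an SP's metadata declares the subject-id:req entity attribute discussed above, placed under md:Extensions / mdattr:EntityAttributes. The entityID and both metadata documents are constructed samples; treating the attribute as single-valued with the values subject-id, pairwise-id, none or any is this example's reading of the OASIS profile.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REQ_NAME = "urn:oasis:names:tc:SAML:profiles:subject-id:req"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
VALID_VALUES = {"subject-id", "pairwise-id", "none", "any"}  # assumed value set

def subject_id_requirement(metadata_xml):
    """Return (value, problems) for the subject-id:req entity attribute.

    Expects one md:EntityDescriptor as the root. For metadata fetched from a
    federation feed, verify the signature and use a hardened XML parser first.
    """
    root = ET.fromstring(metadata_xml)
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    attrs = [a for a in root.findall(path, NS) if a.get("Name") == REQ_NAME]
    if not attrs:
        return None, ["not declared: each IdP has to configure release by hand"]
    problems = []
    if len(attrs) > 1:
        problems.append("declared more than once; only the first is checked")
    attr = attrs[0]
    if attr.get("NameFormat") != URI_FORMAT:
        problems.append("NameFormat is not the URI attrname-format")
    values = [(v.text or "").strip()
              for v in attr.findall("saml:AttributeValue", NS)]
    if len(values) != 1 or values[0] not in VALID_VALUES:
        problems.append(f"expected one value from {sorted(VALID_VALUES)}, got {values}")
        return None, problems
    return values[0], problems

# Constructed sample metadata (hypothetical SP, not monitor.eduroam.org's real metadata)
SP_WITH = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="{REQ_NAME}" NameFormat="{URI_FORMAT}">
      <saml:AttributeValue>any</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""
SP_WITHOUT = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" '
              'entityID="https://sp.example.org/shibboleth"/>')

if __name__ == "__main__":
    for label, doc in (("with", SP_WITH), ("without", SP_WITHOUT)):
        print(label, subject_id_requirement(doc))
```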