cat-users - Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org


  • From: Miroslav Milinovic <miro AT srce.hr>
  • To: Vlad Mencl <vladimir.mencl AT reannz.co.nz>, Matti Saarinen <mjsaarin AT cc.helsinki.fi>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org
  • Date: Thu, 18 Feb 2021 00:06:33 +0100

Hi Vlad,

Thanks for your input.

Earlier we made such a change, which ended with problems for some other
IdPs (yes, a legacy problem).

Please allow us a few days to test and check the outcome of the change you
propose. I'll let the list know once it has been done.

Miro


On 17/02/2021 21:26, Vlad Mencl wrote:
>
> Hi Matti, Miro,
>
> I'm in a very similar situation (except that I'm still preparing the
> rollout of samlSubjectId / samlPairwiseId).
>
> However, the samlSubjectId / samlPairwiseId attributes specify a
> standard method of requesting these attributes (via dedicated
> EntityAttributes in the SP metadata).
>
> And the monitor.eduroam.org SP (which acts as a gateway for
> cat.eduroam.org) is not using this method.
>
> It would be a significant waste of everyone's time if each IdP had to
> configure the IdP release manually - we would be back to square one with
> all attribute release efforts.
>
> Miro, can you please add the entity attribute to the SP metadata?
>
> As per
> https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097237,
> the SP should have EntityAttribute
> "urn:oasis:names:tc:SAML:profiles:subject-id:req" with the right value -
> "any" if either samlSubjectId or samlPairwiseId is sufficient.
>
> I.e.,
>
> <saml:Attribute
>     Name="urn:oasis:names:tc:SAML:profiles:subject-id:req"
>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>   <saml:AttributeValue>any</saml:AttributeValue>
> </saml:Attribute>
>
> Shibboleth IdP default config includes rules for releasing samlSubjectId
> / samlPairwiseId based on this attribute - so this should work right
> away for any IdP supporting these attributes.
>
> I hope this can be done.
>
> Cheers,
> Vlad
>
>
>
> On 18/02/21 01:51, Matti Saarinen wrote:
>>
>> Hello,
>>
>> Our IdP admins have now configured our IdP to send pairwise-id. Now, the
>> issue has changed.
>>
>> I used to be able to manage the IdP of University of Helsinki. Now, the
>> server replies "You are not managing any Identity Provider." Very likely
>> this is due to the fact that the value sent with pairwise-id is different
>> from the one that was sent with eduPersonTargetedID. Should I contact
>> FUNET and ask them to invite me to manage our IdP again? Or is there any
>> easier way?
>>
>> Cheers,
>>
>> Matti
>>
>>> actually this service needs at least one of the following attributes to
>>> identify user: eduPersonTargetedID, pairwise-id, subject-id,
>>> facebook_targetedID, google_eppn, linkedin_targetedID,
>>> twitter_targetedID.
>>
>
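The metadata check Vlad describes above, as an added example (not code from the list, from Shibboleth or from eduroam CAT): a small Python function that reads an SP's metadata and applies the subject-id:req EntityAttribute to decide whether samlSubjectId, samlPairwiseId, both or neither may be released. The entityID and the sample metadata are constructed placeholders.

```python
"""Decide which SAML subject identifier attributes an IdP may release to an SP
from the subject-id:req EntityAttribute in the SP's metadata (the mechanism
Vlad asks monitor.eduroam.org to adopt). Constructed example: the entityID
and metadata below are placeholders, not real eduroam metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUBJECT_ID_REQ = "urn:oasis:names:tc:SAML:profiles:subject-id:req"
# Values defined by the SAML V2.0 Subject Identifier Attributes Profile,
# mapped to the Shibboleth IdP attribute IDs they permit releasing.
RELEASE_FOR = {
    "subject-id": {"samlSubjectId"},
    "pairwise-id": {"samlPairwiseId"},
    "any": {"samlSubjectId", "samlPairwiseId"},
    "none": set(),
}

def requested_subject_ids(metadata_xml: str) -> set[str]:
    """Return the identifier attributes the SP's metadata asks for. An SP
    with no subject-id:req EntityAttribute gets an empty set, which is why a
    default Shibboleth IdP releases neither identifier to such an SP."""
    root = ET.fromstring(metadata_xml)
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.iterfind(path, NS):
        if attr.get("Name") != SUBJECT_ID_REQ:
            continue
        value = attr.findtext("saml:AttributeValue", "", NS).strip()
        if value not in RELEASE_FOR:
            raise ValueError(f"unknown subject-id:req value: {value!r}")
        return set(RELEASE_FOR[value])
    return set()

# Constructed SP metadata carrying the EntityAttribute Vlad proposes.
SP_WITH_REQ = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:profiles:subject-id:req"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>any</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""
# The same SP without the EntityAttribute: the situation of monitor.eduroam.org.
SP_WITHOUT_REQ = SP_WITH_REQ.split("<md:Extensions>")[0] + "</md:EntityDescriptor>"
```

Running `requested_subject_ids` over both strings shows the difference Vlad points out: the SP with the EntityAttribute is offered both identifiers, the one without it gets none and would need a manual release rule at every IdP.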

Archive powered by MHonArc 2.6.19.