Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org


Chronological Thread 
  • From: Miroslav Milinovic <miro AT srce.hr>
  • To: Vlad Mencl <vladimir.mencl AT reannz.co.nz>, Matti Saarinen <mjsaarin AT cc.helsinki.fi>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org
  • Date: Thu, 18 Feb 2021 00:06:33 +0100

Hi Vlad,

Thanks for you input.

Earlier we did such a change which ended with problems for some other
IdPs (yes, legacy problem)

Please allow us few days to test and check outcome of the change you
propose. I'll let the list know once it has been done.

Miro


On 17/02/2021 21:26, Vlad Mencl wrote:
>
> Hi Matti, Miro,
>
> I'm in a very similar situation (except for I'm still preparing the
> rollout of samlSubjectId / samlPairwiseId).
>
> However, the samlSubjectId / samlPairwiseId attributes specify a
> standard method of requesting these attributes (via dedicated
> EntityAttributes in the SP metadata).
>
> And the monitor.eduroam.org SP (which acts as a gateway for
> cat.eduroam.org) is not using this method.
>
> It would be a significant waste of everyone's time if each IdP had to
> configure the IdP release manually - we would be back to square one with
> all attribute release efforts.
>
> Miro, can you please add the entity attribute to the SP metadata?
>
> As per
> https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097237,
> the SP should have EntityAttribute
> "urn:oasis:names:tc:SAML:profiles:subject-id:req" with the right value -
> "any" if either samlSubjectId or samlPairwiseId is sufficient.
>
> I.e.,
>
> <saml:Attribute
> Name="urn:oasis:names:tc:SAML:profiles:subject-id:req"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml:AttributeValue>any</saml:AttributeValue>
> </saml:Attribute>
>
> Shibboleth IdP default config includes rules for releasing samlSubjectId
> / samlPairwiseId based on this attribute - so this should work right
> away for any IdP supporting these attributes.
>
> I hope this can be done.
>
> Cheers,
> Vlad
>
>
>
> On 18/02/21 01:51, Matti Saarinen wrote:
>>
>> Hello,
>>
>> Our IdP admins did now configure our IdP to send pairwise-id. Now, the
>> issue changed.
>>
>> I used to be able to manage the IdP of University of Helsinki. Now, the
>> server replies "You are not managing any Identity Provider." Very likely
>> this is due the fact that the value sent with pairwise-id is diffrerent
>> from the one that was sent with eduPersonTargetedID. Should I contact
>> FUNET and ask them to invite me to manage our IdP again? Or is there any
>> easier way?
>>
>> Cheers,
>>
>> Matti
>>
>>> actually this service needs at least one of the following attributes to
>>> identify user: eduPersonTargetedID, pairwise-id, subject-id,
>>> facebook_targetedID, google_eppn, linkedin_targetedID,
>>> twitter_targetedID.
>> To unsubscribe, send this message:
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>> Or use the following link:
>> https://lists.geant.org/sympa/sigrequest/cat-users
>>
>





Archive powered by MHonArc 2.6.19.

Top of Page