Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org


Chronological Thread 
  • From: Vlad Mencl <vladimir.mencl AT reannz.co.nz>
  • To: Miroslav Milinovic <miro AT srce.hr>, Matti Saarinen <mjsaarin AT cc.helsinki.fi>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org
  • Date: Thu, 18 Feb 2021 13:14:00 +1300



On 18/02/21 12:06, Miroslav Milinovic wrote:
Hi Vlad,

Thanks for you input.

Earlier we did such a change which ended with problems for some other
IdPs (yes, legacy problem)

It may potentially cause issues if IdPs that currently send EPTID start sending samlPairwiseID alongside it - and IFF monitor.eduroam.org starts picking up samlPairwiseID instead. And the users suddenly end up with "new" identities.

But such migration issues can be solved (or parked for later) by carefully choosing the order in which ID attributes are checked.

I.e., it can be possible to prefer EPTID over samlSubjectID to avoid breaking identities for now ... but the identities will have to break at some point in time in order to migrate the users from the deprecated EPTID to the new attributes.

Please allow us few days to test and check outcome of the change you
propose. I'll let the list know once it has been done.

Thanks - I look forward to hearing from you!

Cheers,
Vlad


Miro


On 17/02/2021 21:26, Vlad Mencl wrote:

Hi Matti, Miro,

I'm in a very similar situation (except for I'm still preparing the
rollout of samlSubjectId / samlPairwiseId).

However, the samlSubjectId / samlPairwiseId attributes specify a
standard method of requesting these attributes (via dedicated
EntityAttributes in the SP metadata).

And the monitor.eduroam.org SP (which acts as a gateway for
cat.eduroam.org) is not using this method.

It would be a significant waste of everyone's time if each IdP had to
configure the IdP release manually - we would be back to square one with
all attribute release efforts.

Miro, can you please add the entity attribute to the SP metadata?

As per
https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097237,
the SP should have EntityAttribute
"urn:oasis:names:tc:SAML:profiles:subject-id:req" with the right value -
"any" if either samlSubjectId or samlPairwiseId is sufficient.

I.e.,

<saml:Attribute
Name="urn:oasis:names:tc:SAML:profiles:subject-id:req"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>any</saml:AttributeValue>
</saml:Attribute>

Shibboleth IdP default config includes rules for releasing samlSubjectId
/ samlPairwiseId based on this attribute - so this should work right
away for any IdP supporting these attributes.

I hope this can be done.

Cheers,
Vlad



On 18/02/21 01:51, Matti Saarinen wrote:

Hello,

Our IdP admins did now configure our IdP to send pairwise-id. Now, the
issue changed.

I used to be able to manage the IdP of University of Helsinki. Now, the
server replies "You are not managing any Identity Provider." Very likely
this is due the fact that the value sent with pairwise-id is diffrerent
from the one that was sent with eduPersonTargetedID. Should I contact
FUNET and ask them to invite me to manage our IdP again? Or is there any
easier way?

Cheers,

Matti

actually this service needs at least one of the following attributes to
identify user: eduPersonTargetedID, pairwise-id, subject-id,
facebook_targetedID, google_eppn, linkedin_targetedID,
twitter_targetedID.
To unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link:
https://lists.geant.org/sympa/sigrequest/cat-users





--
Vladimir Mencl
Senior Software Engineer

Research & Education
Advanced Network NZ Ltd

M +64 21 997352
E vladimir.mencl AT reannz.co.nz
www.reannz.co.nz



Archive powered by MHonArc 2.6.19.

Top of Page