cat-users - Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org


  • From: Miroslav Milinovic <miro AT srce.hr>
  • To: Vlad Mencl <vladimir.mencl AT reannz.co.nz>, Matti Saarinen <mjsaarin AT cc.helsinki.fi>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] SAML attribute eduPersonTargetedID is deprecated but required by cat.eduroam.org
  • Date: Thu, 18 Feb 2021 08:26:43 +0100

Vlad,

you've identified one potential problem. We can handle that but want to
be sure we've done it in the right way.

Miro


On 18-Feb-21 01:14, Vlad Mencl wrote:
>
>
> On 18/02/21 12:06, Miroslav Milinovic wrote:
>> Hi Vlad,
>>
>> Thanks for your input.
>>
>> Earlier we did such a change which ended with problems for some other
>> IdPs (yes, legacy problem)
>
> It may potentially cause issues if IdPs that currently send EPTID start
> sending samlPairwiseID alongside it - and IFF monitor.eduroam.org starts
> picking up samlPairwiseID instead.  And the users suddenly end up with
> "new" identities.
>
> But such migration issues can be solved (or parked for later) by
> carefully choosing the order in which ID attributes are checked.
>
> I.e., it can be possible to prefer EPTID over samlSubjectID to avoid
> breaking identities for now ... but the identities will have to break at
> some point in time in order to migrate the users from the deprecated
> EPTID to the new attributes.
>
>> Please allow us a few days to test and check the outcome of the change you
>> propose. I'll let the list know once it has been done.
>
> Thanks - I look forward to hearing from you!
>
> Cheers,
> Vlad
>
>>
>> Miro
>>
>>
>> On 17/02/2021 21:26, Vlad Mencl wrote:
>>>
>>> Hi  Matti, Miro,
>>>
>>> I'm in a very similar situation (except that I'm still preparing the
>>> rollout of samlSubjectId / samlPairwiseId).
>>>
>>> However, the samlSubjectId / samlPairwiseId attributes specify a
>>> standard method of requesting these attributes (via dedicated
>>> EntityAttributes in the SP metadata).
>>>
>>> And the monitor.eduroam.org SP (which acts as a gateway for
>>> cat.eduroam.org) is not using this method.
>>>
>>> It would be a significant waste of everyone's time if each IdP had to
>>> configure the IdP release manually - we would be back to square one with
>>> all attribute release efforts.
>>>
>>> Miro, can you please add the entity attribute to the SP metadata?
>>>
>>> As per
>>> https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097237,
>>>
>>> the SP should have EntityAttribute
>>> "urn:oasis:names:tc:SAML:profiles:subject-id:req" with the right value -
>>> "any" if either samlSubjectId or samlPairwiseId is sufficient.
>>>
>>> I.e.,
>>>
>>>       <saml:Attribute
>>>           Name="urn:oasis:names:tc:SAML:profiles:subject-id:req"
>>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>>           <saml:AttributeValue>any</saml:AttributeValue>
>>>       </saml:Attribute>
>>>
>>> Shibboleth IdP default config includes rules for releasing samlSubjectId
>>> / samlPairwiseId based on this attribute - so this should work right
>>> away for any IdP supporting these attributes.
>>>
>>> I hope this can be done.
>>>
>>> Cheers,
>>> Vlad
>>>
>>>
>>>
>>> On 18/02/21 01:51, Matti Saarinen wrote:
>>>>
>>>> Hello,
>>>>
>>>> Our IdP admins did now configure our IdP to send pairwise-id. Now, the
>>>> issue changed.
>>>>
>>>> I used to be able to manage the IdP of University of Helsinki. Now, the
>>>> server replies "You are not managing any Identity Provider." Very likely
>>>> this is due to the fact that the value sent with pairwise-id is different
>>>> from the one that was sent with eduPersonTargetedID. Should I contact
>>>> FUNET and ask them to invite me to manage our IdP again? Or is there any
>>>> easier way?
>>>>
>>>> Cheers,
>>>>
>>>> Matti
>>>>
>>>>> actually this service needs at least one of the following
>>>>> attributes to
>>>>> identify user: eduPersonTargetedID, pairwise-id, subject-id,
>>>>> facebook_targetedID, google_eppn, linkedin_targetedID,
>>>>> twitter_targetedID.
>>>>
>>>
>>
>>
>
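As an added example (not code from this thread, nor from CAT or monitor.eduroam.org), the two checks the discussion turns on: reading the subject-id:req EntityAttribute from SP metadata, and choosing which identifier attribute to trust first during the EPTID migration. The metadata fragment and the entityID are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUBJECT_ID_REQ = "urn:oasis:names:tc:SAML:profiles:subject-id:req"

# Constructed minimal SP metadata with the EntityAttribute the OASIS profile
# defines; entityID is a placeholder, not a real service.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:profiles:subject-id:req"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>any</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def subject_id_requirement(metadata_xml):
    """Return the subject-id:req value ("any", "subject-id", "pairwise-id",
    "none") declared in the SP's EntityAttributes, or None if it is absent."""
    root = ET.fromstring(metadata_xml)
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        if attr.get("Name") == SUBJECT_ID_REQ:
            value = attr.find("saml:AttributeValue", NS)
            return value.text.strip() if value is not None and value.text else None
    return None


# Migration-phase precedence: EPTID first so that IdPs which start releasing
# pairwise-id alongside EPTID do not suddenly map users to "new" identities.
MIGRATION_PRECEDENCE = ["eduPersonTargetedID", "pairwise-id", "subject-id"]


def select_user_id(attributes, precedence=MIGRATION_PRECEDENCE):
    """Pick (attribute name, value) from released attributes in precedence order."""
    for name in precedence:
        values = attributes.get(name)
        if values:
            return name, values[0]
    return None
```

Once all IdPs release the new attributes, the same function is called with a precedence that no longer lists eduPersonTargetedID, which is the point at which identities break and need re-mapping.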


