Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Shibboleth integration

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Shibboleth integration


Chronological Thread 
  • From: Vlad Mencl <vladimir.mencl AT reannz.co.nz>
  • To: Kathy E Wright CCIT <kewrig AT clemson.edu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Shibboleth integration
  • Date: Sat, 1 Jul 2023 22:34:17 +1200


Hi Kathy,

Loosing access is likely caused by passing a different identifier - which might be either a different value for the same identifier, or switching to a different identifier. That could also be caused by starting to release another attribute accepted by eduroam.org in addition to an attribute used previously - if the new attribute is "preferred" by eduroam.org.

Easiest way to resolve this would be to ask for help the administrators at your National Roaming Operator (NRO) - which for you should be Internet2.

Hope this helps.

Cheers,
Vlad



On 1/07/23 00:30, Kathy E Wright CCIT wrote:
Vlad,


We have updated our release party and Shibboleth integration is now
working.  However, one of our administrators has now lost access to
the eduroam Configuration Assistant Tool.   He is Sam Beckler,
beckle2 AT clemson.edu <mailto:beckle2 AT clemson.edu>.  He will need a new
invite, please.



Please advise, how we should go about getting this done.


Thank you,


Kathy

Kathy E Wright
CCIT - Clemson University

*From: *Vlad Mencl <vladimir.mencl AT reannz.co.nz>
*Date: *Thursday, June 29, 2023 at 7:19 PM
*To: *Kathy E Wright CCIT <kewrig AT clemson.edu>, cat-users AT lists.geant.org <cat-users AT lists.geant.org>
*Subject: *Re: [[cat-users]] Shibboleth integration


Hi Kathy,

CAT (or eduroam.org sites in general) have long supported the
identifiers listed in the error message you received - which (after
leaving out those specific to Google/Facebook/LinkedIn/Twitter) are:

    * eduPersonTargetedID
    * samlPairwiseID
    * samlSubjectID

Note that eduPersonPrincipalName is not on the list.  That attribute is
not considered trustworthy enough, as some institutions use it in a way
where usernames may be reassigned.  Even though many other institutions
use it with usernames that are not reassigned, as the specification did
not explicitly rule it out, the attribute is not trustworthy anymore -
and is thus not accepted by eduroam.org.

If this worked for you before and does not now, your institution must
have made a change, stopping to provide one of the attributes that were
used before.

I suggest you raise it with your institution's IT department.

Hope this helps.

Best regards,
Vlad



On 30/06/23 03:01, Kathy E Wright CCIT (via cat-users Mailing List) wrote:
> Hello,
>
> Our ability to logon to the Eduroam admin portal has broken.  It has
> worked until today.  We are getting the following error message.
>
> We are releasing eduPersonPrincipalName as the unique identifier.
> Please advise if something has changed.
>
> Kathy E Wright
> CCIT - Clemson University
>
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users <mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users>
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users <https://lists.geant.org/sympa/sigrequest/cat-users>

--
Vladimir Mencl
Lead Software Engineer

Research & Education
Advanced Network NZ Ltd

E  vladimir.mencl AT reannz.co.nz
www.reannz.co.nz <http://www.reannz.co.nz>


--
Vladimir Mencl
Lead Software Engineer

Research & Education
Advanced Network NZ Ltd

E vladimir.mencl AT reannz.co.nz
www.reannz.co.nz


  • Re: [[cat-users]] Shibboleth integration, Vlad Mencl, 07/01/2023

Archive powered by MHonArc 2.6.24.

Top of Page