The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Vlad Mencl <vladimir.mencl AT reannz.co.nz>]

Hi Kathy,

Loosing access is likely caused by passing a different identifier - 
which might be either a different value for the same identifier, or 
switching to a different identifier.  That could also be caused by 
starting to release another attribute accepted by eduroam.org in 
addition to an attribute used previously - if the new attribute is 
"preferred" by eduroam.org.

Easiest way to resolve this would be to ask for help the administrators 
at your National Roaming Operator (NRO) - which for you should be Internet2.

Hope this helps.

Cheers,
Vlad



On 1/07/23 00:30, Kathy E Wright CCIT wrote:
> Vlad,
>
>
>   We have updated our release party and Shibboleth integration is now
>   working.  However, one of our administrators has now lost access to
>   the eduroam Configuration Assistant Tool.   He is Sam Beckler,
>   beckle2 AT clemson.edu <mailto:beckle2 AT clemson.edu>.  He will need a new
>   invite, please.
>
>
>
>   Please advise, how we should go about getting this done.
>
>
>   Thank you,
>
>
>   Kathy
>
> Kathy E Wright
> CCIT - Clemson University
>
> *From: *Vlad Mencl <vladimir.mencl AT reannz.co.nz>
> *Date: *Thursday, June 29, 2023 at 7:19 PM
> *To: *Kathy E Wright CCIT <kewrig AT clemson.edu>, 
> cat-users AT lists.geant.org <cat-users AT lists.geant.org>
> *Subject: *Re: [[cat-users]] Shibboleth integration
>
>
> Hi Kathy,
>
> CAT (or eduroam.org sites in general) have long supported the
> identifiers listed in the error message you received - which (after
> leaving out those specific to Google/Facebook/LinkedIn/Twitter) are:
>
>      * eduPersonTargetedID
>      * samlPairwiseID
>      * samlSubjectID
>
> Note that eduPersonPrincipalName is not on the list.  That attribute is
> not considered trustworthy enough, as some institutions use it in a way
> where usernames may be reassigned.  Even though many other institutions
> use it with usernames that are not reassigned, as the specification did
> not explicitly rule it out, the attribute is not trustworthy anymore -
> and is thus not accepted by eduroam.org.
>
> If this worked for you before and does not now, your institution must
> have made a change, stopping to provide one of the attributes that were
> used before.
>
> I suggest you raise it with your institution's IT department.
>
> Hope this helps.
>
> Best regards,
> Vlad
>
>
>
> On 30/06/23 03:01, Kathy E Wright CCIT (via cat-users Mailing List) wrote:
>  > Hello,
>  >
>  > Our ability to logon to the Eduroam admin portal has broken.  It has
>  > worked until today.  We are getting the following error message.
>  >
>  > We are releasing eduPersonPrincipalName as the unique identifier.
>  > Please advise if something has changed.
>  >
>  > Kathy E Wright
>  > CCIT - Clemson University
>  >
>  > To unsubscribe, send this message:
>  > mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users 
> <mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users>
>  > Or use the following link:
>  > https://lists.geant.org/sympa/sigrequest/cat-users 
> <https://lists.geant.org/sympa/sigrequest/cat-users>
>
> --
> Vladimir Mencl
> Lead Software Engineer
>
> Research & Education
> Advanced Network NZ Ltd
>
> E  vladimir.mencl AT reannz.co.nz
> www.reannz.co.nz <http://www.reannz.co.nz>

--
Vladimir Mencl
Lead Software Engineer

Research & Education
Advanced Network NZ Ltd

E  vladimir.mencl AT reannz.co.nz
www.reannz.co.nz