The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

["Stobbe, Erik" <address@concealed>]

Hello everyone,

I am administrator for the IdP of Hochschule für Wirtschaft und Gesellschaft Ludwigshafen (HWG LU) . I’m writing here because I encounter a strange issue when trying to log in to cat.eduroam.org — maybe someone has seen it before or can give advice.

What works:

 

• Login at other SPs (e.g. emp.eduroam.de) works flawlessly — our IdP uses a valid SAML pairwise-id plus correct eduroam entitlement; authentication and attribute release succeed.
• Our IdP configuration has been reviewed multiple times: we generate a scoped pairwise-id (with domain-based scope), using a standard SAML2ScopedString.

 

What fails / what looks strange at cat.eduroam.org:

 

• On cat.eduroam.org the displayed pairwise-id looks unusual: it contains a suffix with !https://…, i.e. after the scope or IdP-EntityID a URL appears.

• After login, the expected attributes (e.g. eduPersonEntitlement, displayName, mail, …) are not shown, and our organization is not recognized / not listed.

 

What we’ve checked:

• Our pairwise-id generation is spec-compliant: scoped attribute, domain as scope, no extraneous attributes, no persistentID/legacy-ID released.
• Login to other non-CAT SPs works — so IdP seems to operate correctly and releases correct identifiers and attributes.
• Despite that, the login to cat.eduroam.org uses a different-looking pairwise-id (with URL suffix), though we have disabled all URL-based persistentID or metadata-related identifiers in our configuration.

Here the attribute-filter.xml from our IDP:

Here the eduPersonEntitlement-attribute:

Thank you very much for any pointers.

Best regards,

 

 

Erik Stobbe

Hochschule für Wirtschaft und Gesellschaft Ludwigshafen

IT-Service / Service Owner Linux / Raum C 1.230
t +49 621 5203 - 183   m +49 1590 1815791

e address@concealed

w www.hwg-lu.de

a Ernst-Boehe-Straße 4-6, 67059 Ludwigshafen