cat-users - Re: [[cat-users]] Trouble logging into cat.eduroam.org — suspicious pairwise-id format

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <address@concealed>
  • To: "Stobbe, Erik" <address@concealed>, "address@concealed" <address@concealed>
  • Cc: Thoß, Thomas <address@concealed>
  • Subject: Re: [[cat-users]] Trouble logging into cat.eduroam.org — suspicious pairwise-id format
  • Date: Wed, 10 Dec 2025 11:36:25 +0100

Hi,

first of all - the authentication attribute passed to CAT from the monitor.eduroam.org, which acts as a proxy, is indeed expanded by adding the entityId of the authenticating IdP. This is quite useful, especially in situations where non-scoped attributes like eduPersonTargetedID are used - this way we can be quite sure we will not have an accidental (or intended) clash between values from two different IdPs. This also provides us with a way of being sure that the authentication comes from an eduGAIN IdP (which we require for self-registration).

Therefore the form of the identifier is definitely not the problem in your case.

I have checked that at the moment your CAT institution has one administrator identified with the eduPersonTargetedID attribute. Therefore, if you log in with pairwise-id, you should be displayed the information that according to authentication information you are entitled to manage the institutions (and there goes the list). You can click accept to become the admin. Are you sure this is not showing on your entrance page? If not, could you please mail the screendump of your admin page directly to me? We can then be in contact to debug the situation.

Yours

Tomasz Wolniewicz


On 10.12.2025 at 10:30, "Stobbe, Erik" (via cat-users Mailing List) wrote:
Hello everyone, I am administrator for the IdP of Hochschule für Wirtschaft und Gesellschaft Ludwigshafen (HWG LU). I’m writing here because I encounter a strange issue when trying to log in to cat.eduroam.org — maybe someone has seen it before or can give advice.

What works:

Login at other SPs (e.g. emp.eduroam.de) works flawlessly — our IdP uses a valid SAML pairwise-id plus correct eduroam entitlement; authentication and attribute release succeed. Our IdP configuration has been reviewed multiple times: we generate a scoped pairwise-id (with domain-based scope), using a standard SAML2ScopedString.

What fails / what looks strange at cat.eduroam.org:

On cat.eduroam.org the displayed pairwise-id looks unusual: it contains a suffix with !https://…, i.e. after the scope or IdP-EntityID a URL appears.

After login, the expected attributes (e.g. eduPersonEntitlement, displayName, mail, …) are not shown, and our organization is not recognized / not listed.

What we’ve checked:

Our pairwise-id generation is spec-compliant: scoped attribute, domain as scope, no extraneous attributes, no persistentID/legacy-ID released. Login to other non-CAT SPs works — so IdP seems to operate correctly and releases correct identifiers and attributes. Despite that, the login to cat.eduroam.org uses a different-looking pairwise-id (with URL suffix), though we have disabled all URL-based persistentID or metadata-related identifiers in our configuration.

Here is the attribute-filter.xml from our IDP:

Here is the eduPersonEntitlement-attribute:


Thank you very much for any pointers.

Best regards,

Erik Stobbe

Hochschule für Wirtschaft und Gesellschaft Ludwigshafen

IT-Service / Service Owner Linux / Raum C 1.230
t +49 621 5203 - 183   m +49 1590 1815791

e address@concealed

w www.hwg-lu.de

a Ernst-Boehe-Straße 4-6, 67059 Ludwigshafen

-- 
Tomasz Wolniewicz

Attachment: smime.p7s
Description: S/MIME cryptographic signature
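
Added example, not part of the original thread and not the code of CAT or of the monitor.eduroam.org proxy: a Python illustration of the point made in the reply, that appending the asserting IdP's entityID keeps identical unscoped values from two IdPs apart and ties authorisation to a known IdP. The function names, the exact `value!entityID` layout, the trusted-IdP set and all sample values are assumptions constructed for illustration.

```python
# Added example; names, entityIDs and values below are constructed assumptions.
from dataclasses import dataclass

SEP = "!"  # separator reported in the thread for the displayed identifier

# Constructed stand-in for the set of entityIDs found in federation metadata.
TRUSTED_IDPS = {
    "https://idp.example-a.test/idp/shibboleth",
    "https://idp.example-b.test/idp/shibboleth",
}


@dataclass(frozen=True)
class Assertion:
    idp_entity_id: str  # issuer of the validated SAML response, never user input
    subject_value: str  # pairwise-id, eduPersonTargetedID, ... as released


def expand_identifier(a: Assertion) -> str:
    """Append the asserting IdP's entityID to the released subject value."""
    if a.idp_entity_id not in TRUSTED_IDPS:
        raise PermissionError(f"IdP not in federation metadata: {a.idp_entity_id}")
    if not a.subject_value:
        raise ValueError("empty subject value")
    return f"{a.subject_value}{SEP}{a.idp_entity_id}"


def is_admin_bare(a: Assertion, admins: set) -> bool:
    """Weak variant: authorises on the released value alone."""
    return a.subject_value in admins


def is_admin_expanded(a: Assertion, admins: set) -> bool:
    """Hardened variant: authorises on value plus asserting IdP."""
    try:
        return expand_identifier(a) in admins
    except (PermissionError, ValueError):
        return False


IDP_A = "https://idp.example-a.test/idp/shibboleth"
IDP_B = "https://idp.example-b.test/idp/shibboleth"
OWNER = Assertion(IDP_A, "k3v9q2")        # registered administrator
SAME_VALUE = Assertion(IDP_B, "k3v9q2")   # same unscoped value, other IdP
OUTSIDER = Assertion("https://idp.unknown.test/idp", "k3v9q2")

BARE_ADMINS = {OWNER.subject_value}
EXPANDED_ADMINS = {expand_identifier(OWNER)}
```

With the bare lookup, the same value released by a second IdP matches the administrator entry; with the expanded lookup it does not, and an IdP outside the trusted set is rejected before any comparison.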



