Skip to Content.
Sympa Menu

edugain-discuss - [eduGAIN-discuss] eduPersonTargetedID depricated form

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

[eduGAIN-discuss] eduPersonTargetedID depricated form


Chronological Thread 
  • From: Pavel Šipoš <pavel.sipos AT arnes.si>
  • To: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: [eduGAIN-discuss] eduPersonTargetedID depricated form
  • Date: Wed, 16 May 2018 10:31:44 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=arnes.si

Hi!

I hope you can help me with eduPersonTargetedID attribute any I am sorry if this was already answered many times.

After Eduroam CAT admin portal updated their SP with simplesaml 1.15.xx, we have problems with releasing attribute eduPersonTargetedID in a correct form. Eduroam CAT expects urn:oid:1.3.6.1.4.1.5923.1.1.1.10 to be in XML form. For example:

       <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
           <saml:AttributeValue>
               <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                   NameQualifier="https://idp.aai.arnes.si/idp/20090116";
                   
SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp";>629d9939123cddb4444372sssba2c6e8a6fb0963</saml:NameID>
           </saml:AttributeValue>
       </saml:Attribute>

Currently our IdP sends deprecated string form:

       <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
           
<saml:AttributeValue>629d9939123cddb4444372sssba2c6e8a6fb0963</saml:AttributeValue>
       </saml:Attribute>

I know I can change that in SSPHP by changing nameId to TRUE in the config file:

        'authproc' => array(
                22  => array(
                'class' => 'core:TargetedID',
                'nameId' => TRUE,
                ),
        ),

The problem is that most of SP in our ArnesAAI federation expect deprecated form of eptid. Is it somehow possible to make exceptions to know which form to serve based on SP entityId? What is best way to handle these cases?

Do you have any suggestions how to redefine attribute-map at Shibboleth SP to map received saml:NameID value as eduPersonTargetedID?

Has anyone run into the same problem?

--
Pavel Sipos, Arnes <pavel.sipos AT arnes.si>
ARNES, p.p. 7, SI-1001 Ljubljana, Slovenia
T: +386 1 479 88 00
W: www.arnes.si, aai.arnes.si

Attachment: smime.p7s
Description: Kriptografski podpis S/MIME




Archive powered by MHonArc 2.6.19.

Top of Page