
edugain-discuss - Re: [eduGAIN-discuss] eduPersonTargetedID deprecated form

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] eduPersonTargetedID deprecated form


  • From: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • To: Pavel Šipoš <pavel.sipos AT arnes.si>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] eduPersonTargetedID deprecated form
  • Date: Wed, 16 May 2018 11:08:47 +0200

Hello Pavel,

I don't know about Shibboleth SP attribute mapping, but as far as the
SimpleSAMLphp IdP is concerned, you should be able to set a persistent NameID
only for certain Service Providers.

Specifically, for the eduroam CAT service you should find the entry that starts with:


$metadata['https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp']
= array ( ...

in your ../metadata/saml20-sp-remote.php configuration file and add the following
parameters to that entry (this is just an example that has to be adapted
depending on your authentication source):


$metadata['https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp']
= array (
    ...
    // Persistent NameID towards this SP only; other SPs keep their own settings.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // 10: build the persistent NameID from a stable, unique user attribute
        // (replace 'unique_user_id_attribute_name' with the attribute your
        // authsource provides); NameQualifier => true sets it to the IdP entityID.
        10 => array(
            'class' => 'saml:PersistentNameID',
            'attribute' => 'unique_user_id_attribute_name',
            'NameQualifier' => true,
        ),
        // 20: 'nameId' => true emits eduPersonTargetedID as a <saml:NameID>
        // element instead of a plain string.
        20 => array(
            'class' => 'core:TargetedID',
            'nameId' => true,
        ),
        // 30: rename friendly attribute names to their urn:oid form.
        30 => array(
            'class' => 'core:AttributeMap',
            'name2oid',
        ),
        // 40: release only these attributes to this SP.
        40 => array(
            'class' => 'core:AttributeLimit',
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.10',   // eduPersonTargetedID
            'urn:oid:2.16.840.1.113730.3.1.241',   // displayName
            'urn:oid:0.9.2342.19200300.100.1.3',   // mail
        ),
    ),
    // Encode the NameID element as-is rather than as a string value.
    'attributeencodings' => array(
        'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw',
    ),
    ...
);

This way your IdP will provide eduPersonTargetedID as an XML construct only
for eduroam CAT, while other Service Providers in your federation will
continue to receive eduPersonTargetedID as a string.

And one more thing: if you change your IdP configuration according to the
above, your eduPersonTargetedID value will probably change, so all users from
the ArnesAAI federation will probably need to get new invitations to eduroam
CAT.

Best Regards,

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559




> On 16 May 2018, at 10:31, Pavel Šipoš <pavel.sipos AT arnes.si> wrote:
>
> Hi!
>
> I hope you can help me with the eduPersonTargetedID attribute, and I am sorry
> if this was already answered many times.
>
> After the Eduroam CAT admin portal updated their SP to simplesaml 1.15.xx, we
> have problems releasing the attribute eduPersonTargetedID in the correct
> form. Eduroam CAT expects urn:oid:1.3.6.1.4.1.5923.1.1.1.10 to be in XML
> form. For example:
>
> <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>   <saml:AttributeValue>
>     <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>                  NameQualifier="https://idp.aai.arnes.si/idp/20090116"
>                  SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">629d9939123cddb4444372sssba2c6e8a6fb0963</saml:NameID>
>   </saml:AttributeValue>
> </saml:Attribute>
>
> Currently our IdP sends the deprecated string form:
>
> <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>   <saml:AttributeValue>629d9939123cddb4444372sssba2c6e8a6fb0963</saml:AttributeValue>
> </saml:Attribute>
>
> I know I can change that in SSPHP by changing nameId to TRUE in the config
> file:
>
> 'authproc' => array(
>     22 => array(
>         'class' => 'core:TargetedID',
>         'nameId' => TRUE,
>     ),
> ),
>
> The problem is that most SPs in our ArnesAAI federation expect the deprecated
> form of eptid. Is it somehow possible to make exceptions, i.e. to know which
> form to serve based on the SP entityId? What is the best way to handle these cases?
>
> Do you have any suggestions on how to redefine the attribute-map at the
> Shibboleth SP to map the received saml:NameID value as eduPersonTargetedID?
>
> Has anyone run into the same problem?
>
> --
> Pavel Sipos, Arnes <pavel.sipos AT arnes.si>
> ARNES, p.p. 7, SI-1001 Ljubljana, Slovenia
> T: +386 1 479 88 00
> W: www.arnes.si, aai.arnes.si
>
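An added example, not part of the thread above and not code from SimpleSAMLphp or Shibboleth: a consumer-side (SP) decoder for eduPersonTargetedID that accepts both forms discussed here, the legacy plain string and the <saml:NameID> element, and for the NameID form checks that NameQualifier and SPNameQualifier match the assertion's verified issuer and the receiving SP's own entityID before the value is used as an account key. The entity IDs and the opaque value are the ones quoted in the thread; the attribute XML strings, the "scoped to another SP" variant and the rogue-IdP check are constructed for the example, and it assumes the enclosing assertion's signature has already been verified.

```python
"""Consumer-side decoder for eduPersonTargetedID that accepts both the
legacy string form and the <saml:NameID> form discussed in the thread.

Added example; not code from the thread, SimpleSAMLphp or Shibboleth.
Assumes the enclosing assertion was signature-checked before the
attribute is handed to decode_eptid().
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Entity IDs and the opaque value are the ones quoted in the thread; the
# attribute XML itself is constructed here (with an xmlns declaration so it
# parses stand-alone).
IDP_ENTITY_ID = "https://idp.aai.arnes.si/idp/20090116"
SP_ENTITY_ID = ("https://monitor.eduroam.org/sp/module.php/saml/sp/"
                "metadata.php/default-sp")
OPAQUE = "629d9939123cddb4444372sssba2c6e8a6fb0963"

NAMEID_FORM = f"""<saml:Attribute xmlns:saml="{SAML}" Name="{EPTID_OID}" NameFormat="{URI_FMT}">
  <saml:AttributeValue>
    <saml:NameID Format="{PERSISTENT}"
                 NameQualifier="{IDP_ENTITY_ID}"
                 SPNameQualifier="{SP_ENTITY_ID}">{OPAQUE}</saml:NameID>
  </saml:AttributeValue>
</saml:Attribute>"""

STRING_FORM = f"""<saml:Attribute xmlns:saml="{SAML}" Name="{EPTID_OID}" NameFormat="{URI_FMT}">
  <saml:AttributeValue>{OPAQUE}</saml:AttributeValue>
</saml:Attribute>"""

# Constructed negative case: the same NameID scoped to some other SP.
WRONG_SP_FORM = NAMEID_FORM.replace(SP_ENTITY_ID, "https://other-sp.example.org/sp")


@dataclass(frozen=True)
class TargetedId:
    value: str
    name_qualifier: str      # IdP the identifier belongs to
    sp_name_qualifier: str   # SP it was minted for
    form: str                # "nameid" or "string"

    def scoped(self) -> str:
        """Key to store locally. The same opaque value from another IdP, or
        minted for another SP, must map to a different local account."""
        return f"{self.name_qualifier}!{self.sp_name_qualifier}!{self.value}"


def _q(tag: str) -> str:
    return f"{{{SAML}}}{tag}"


def decode_eptid(attribute_xml: str, issuer: str, own_entity_id: str) -> TargetedId:
    """issuer: entityID from the verified <saml:Issuer> of the assertion
    (never from the attribute itself); own_entity_id: this SP's entityID."""
    attr = ET.fromstring(attribute_xml)
    if attr.tag != _q("Attribute") or attr.get("Name") != EPTID_OID:
        raise ValueError("not an eduPersonTargetedID attribute")
    values = attr.findall(_q("AttributeValue"))
    if len(values) != 1:
        raise ValueError("eduPersonTargetedID must be single-valued")
    name_id = values[0].find(_q("NameID"))

    if name_id is None:
        # Legacy form: a bare string. It is implicitly scoped to the issuer
        # and to us, so record that scope explicitly.
        value = (values[0].text or "").strip()
        if not value:
            raise ValueError("empty eduPersonTargetedID")
        return TargetedId(value, issuer, own_entity_id, "string")

    # NameID form. An omitted qualifier defaults to the issuer / this SP;
    # a qualifier that is present but points elsewhere is rejected.
    if name_id.get("Format") != PERSISTENT:
        raise ValueError("eduPersonTargetedID NameID must be persistent")
    nq = name_id.get("NameQualifier", issuer)
    spq = name_id.get("SPNameQualifier", own_entity_id)
    if nq != issuer:
        raise ValueError(f"NameQualifier {nq!r} is not the assertion issuer")
    if spq != own_entity_id:
        raise ValueError(f"SPNameQualifier {spq!r} is not this SP")
    value = (name_id.text or "").strip()
    if not value:
        raise ValueError("empty NameID")
    return TargetedId(value, nq, spq, "nameid")


def is_rejected(attribute_xml: str, issuer: str, own_entity_id: str) -> bool:
    """True when decode_eptid() refuses the attribute."""
    try:
        decode_eptid(attribute_xml, issuer, own_entity_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, xml in (("NameID form", NAMEID_FORM), ("string form", STRING_FORM)):
        print(f"{label}: {decode_eptid(xml, IDP_ENTITY_ID, SP_ENTITY_ID).scoped()}")
    print("scoped to another SP, rejected:",
          is_rejected(WRONG_SP_FORM, IDP_ENTITY_ID, SP_ENTITY_ID))
```

Run it directly to print the scoped key for both forms. The point of the qualifier check: a persistent NameID is only meaningful together with its scope, so an SP that stores the bare opaque value, or trusts the qualifiers without comparing them with the verified issuer and its own entityID, can be made to link a session to the wrong local account by an IdP asserting a value that belongs to another IdP or was minted for another SP. Normalizing both forms to the same scoped key keeps existing account links intact across the form switch only if the opaque value itself stays the same; Dubravko's note above is about the value changing on the IdP side, which no consumer-side mapping can undo.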



