edugain-discuss - Re: [eduGAIN-discuss] eduPersonTargetedID deprecated form

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] eduPersonTargetedID deprecated form


  • From: Dick Visser <dick.visser AT geant.org>
  • To: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • Cc: Peter Schober <peter.schober AT univie.ac.at>, edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] eduPersonTargetedID deprecated form
  • Date: Wed, 16 May 2018 16:56:25 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=geant-org.20150623.gappssmtp.com

Sorry for hijacking this thread, but I'm in a similar, but opposite
position right now.
Our SP that is published in eduGAIN (entityID "https://terena.org/sp")
currently accepts both ePTID formats from IdPs.
My intention is to upgrade the SimpleSAMLphp instance on it, but the
new one only accepts an XML formatted ePTID.
If there are any IdPs out there that do *not* use this, then things break.
I've asked around in the eduGAIN slack channel and the consensus is
that this *should not* matter because (as you mentioned) the "string
formatted" ePTID is deprecated/illegal.

But as the OP indicates, it actually does still exist.

My problem is that I will be perceived to be breaking things when I upgrade.
As usual the end user is left in the cold, as the service suddenly is
inaccessible, with no way for them to fix it.
In fact, I think I'd have a hard time trying to persuade a large
institution's IdP admin to change their config at all (if that is my
task, anyway).

"Everything worked fine until you upgraded your SP"

I guess I need to know which of the IdPs that are being used to access
our SP are doing "deprecated/illegal" things....

Dick

On 16 May 2018 at 13:37, Dubravko Voncina <dubravko.voncina AT srce.hr> wrote:
>
>> On 16 May 2018, at 11:21, Peter Schober <peter.schober AT univie.ac.at> wrote:
>>
>> * Dubravko Voncina <dubravko.voncina AT srce.hr> [2018-05-16 11:09]:
>>> I don't know about Shibboleth SP attribute mapping, but as far as
>>> SimpleSAMLphp IdP is concerned, you should be able to set persistent
>>> NameID only for certain Service Providers.
>>>
>>> Specifically, for eduroam CAT service you should find entry that starts
>>> with:
>>>
>>>
>>> $metadata['https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp']
>>> = array ( ...
>>>
>>> in your ../metadata/saml20-sp-remote.php configuration file and add the
>>> following parameters to that entry (it's just an example that has to
>>> be adapted depending on your authentication source):
>>
>> How do you update that SP's metadata then, without losing your local
>> configuration changes?
>> I guess you could provide an extra metadata source directory and find
>> out where to put local copies so that your local copy prevails over
>> metarefresh'ed metadata? But then you "own" the management of the
>> whole entity, meaning you'd have to monitor and merge upstream changes
>> into your local "fork" of that entity's metadata.
>
> Hello Peter,
>
> If I understand your comment correctly, that's exactly what we're doing.
> First, SimpleSAMLphp automatically generates saml20-sp-remote.php
> configuration file based on data stored in eduGAIN MDS. After that, we run
> saml20-sp-remote.php file through a custom made script which modifies some
> SP entries according to our needs.
> Users don't care if we perform some additional tweaking, they just want
> things to work.
>
> Regards,
>
> Dubravko Voncina
> Middleware and Data Services Department
> University of Zagreb, University Computing Centre, www.srce.unizg.hr
> dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
>
>



--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

GÉANT Vereniging (Association) is registered with the Chamber of
Commerce in Amsterdam with registration number 40535155 and operates
in the UK as a branch of GÉANT Vereniging. Registered office:
Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address:
City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.


Want to join us? We're hiring: https://www.geant.org/jobs
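The audit Dick says he needs (which IdPs still send the bare-string ePTID instead of a `<saml:NameID>` value) can be scripted against assertions the SP has logged. This is an added example, not code from the thread or from SimpleSAMLphp; it assumes each logged item is a single `<saml:Assertion>` document, and the sample assertions and the `idp!sp!value` layout of the string sample are constructed.

```python
# Added example (not from the thread): sort the IdPs seen at an SP by how they
# encode eduPersonTargetedID (ePTID), so the operator can see which ones still
# send the deprecated bare-string form before upgrading SimpleSAMLphp.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def classify_eptid(assertion_xml):
    """Return (issuer, form); form is 'nameid', 'nameid-other', 'string' or 'absent'."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="?", namespaces=NS).strip()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != EPTID_OID and attr.get("FriendlyName") != "eduPersonTargetedID":
            continue
        value = attr.find("saml:AttributeValue", NS)
        if value is None:
            return issuer, "absent"
        nameid = value.find("saml:NameID", NS)
        if nameid is None:
            # No child element: the opaque value was sent as bare text (deprecated form).
            return issuer, "string"
        return issuer, ("nameid" if nameid.get("Format") == PERSISTENT else "nameid-other")
    return issuer, "absent"

def audit(assertions):
    """Map each issuing IdP entityID to the ePTID form it sends (last assertion wins)."""
    return dict(classify_eptid(a) for a in assertions)

# Constructed sample assertions, trimmed to the issuer and the ePTID attribute.
TMPL = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Issuer>{issuer}</saml:Issuer><saml:AttributeStatement>'
    '<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">'
    '<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion>'
)
SAMPLES = [
    TMPL.format(issuer="https://idp-a.example.org/idp", value=(
        '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        'NameQualifier="https://idp-a.example.org/idp" '
        'SPNameQualifier="https://terena.org/sp">6d6f0f9c</saml:NameID>')),
    # Deprecated form: a bare string (the idp!sp!value layout is a constructed sample).
    TMPL.format(issuer="https://idp-b.example.org/idp",
                value="https://idp-b.example.org/idp!https://terena.org/sp!6d6f0f9c"),
]
```

Running `audit()` over a day's worth of logged assertions gives the list of IdP admins to contact before the upgrade, instead of discovering them from user complaints afterwards.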


