Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] eduPersonTargetedID depricated form

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] eduPersonTargetedID depricated form


Chronological Thread 
  • From: Dubravko Voncina <dubravko.voncina AT srce.hr>
  • To: Dick Visser <dick.visser AT geant.org>
  • Cc: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] eduPersonTargetedID depricated form
  • Date: Wed, 16 May 2018 20:08:14 +0200

Hello Dick,

In my humble opinion, you don't have to justify to anyone.

Because of this:

https://simplesamlphp.org/security/201803-01
https://simplesamlphp.org/security/201802-01

you have to upgrade your SimpleSAMLphp SP installation(s) to latest stable
version as soon as possible. There's no discussion about it. It's not your
fault that the latest stable version of SimpleSAMLphp doesn't support invalid
string format of an eduPersonTardetedID attribute.

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559



> On 16 May 2018, at 16:56, Dick Visser <dick.visser AT geant.org> wrote:
>
> Sorry for hijacking this thread, but I'm in a similar, but opposite
> position right now.
> Our SP that is published in eduGAIN (entityID "https://terena.org/sp";)
> currently accepts both ePTID formats from IdPs.
> My intention is to upgrade the SimpleSAMLphp instance on it, but the
> new one only accepts an XML formatted ePTID.
> If there are any IdPs out there that do *not* use this, then things break.
> I've asked around in the eduGAIN slack channel and the consensus is
> that this *should not* matter because (as you mentioned) the "string
> formatted" ePTID is deprecated/illegal.
>
> But as the OP indicates, it actually does still exist.
>
> My problem is that I will be perceived to be breaking things when I upgrade.
> As usual the end user is left in the cold, as the service suddenly is
> inaccessible, with no way for them to fix it.
> In fact, I think I'd have a hard time trying to persuade a large
> institution's IdP admin to change their config at all (if that is my
> task, anyway).
>
> "Everything worked fine until you upgraded your SP"
>
> I guess I need to know which of the IdPs that are being used to access
> our SP are doing "deprecated/illegal" things....
>
> Dick
>
> On 16 May 2018 at 13:37, Dubravko Voncina <dubravko.voncina AT srce.hr> wrote:
>>
>>> On 16 May 2018, at 11:21, Peter Schober <peter.schober AT univie.ac.at>
>>> wrote:
>>>
>>> * Dubravko Voncina <dubravko.voncina AT srce.hr> [2018-05-16 11:09]:
>>>> I don't know about Shibboleth SP attribute mapping, but as far as
>>>> SimpleSAMLphp IdP is concerned, you should be able to set persistent
>>>> NameID only for certain Service Providers.
>>>>
>>>> Specifically, for eduroam CAT service you should find entry that starts
>>>> with:
>>>>
>>>> $metadata['https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp']
>>>> = array ( ...
>>>>
>>>> in your ../metadata/saml20-sp-remote.php configuration file and add
>>>> following parameters to that enry (it's just an example that has to
>>>> be adapted depending on your authentication source):
>>>
>>> How do you update that SP's metadata then, without losing your local
>>> configuration changes?
>>> I guess you could provide an extra metadata source directory and find
>>> out where to put local copies so that your local copy prevails over
>>> metarefresh'ed metadata? But then you "own" the management of the
>>> whole entity, meaning you'd have to monitor and merge upstream changes
>>> into your local "fork" of that entity's metadata.
>>
>> Hello Peter,
>>
>> If I understand your comment correctly, that's exactly what we're doing.
>> First, SimpleSAMLphp automatically generates saml20-sp-remote.php
>> configuration file based on data stored in eduGAIN MDS. After that, we run
>> saml20-sp-remote.php file through a custom made script which modifies some
>> SP entries according to our needs.
>> Users don't care if we perform some additional tweaking, they just want
>> things to work.
>>
>> Regards,
>>
>> Dubravko Voncina
>> Middleware and Data Services Department
>> University of Zagreb, University Computing Centre, www.srce.unizg.hr
>> dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
>>
>>
>
>
>
> --
> Dick Visser
> Trust & Identity Service Operations Manager
> GÉANT
>
> GÉANT Vereniging (Association) is registered with the Chamber of
> Commerce in Amsterdam with registration number 40535155 and operates
> in the UK as a branch of GÉANT Vereniging. Registered office:
> Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address:
> City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.
>
>
> Want to join us? We're hiring: https://www.geant.org/jobs




Archive powered by MHonArc 2.6.19.

Top of Page