Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] eduPersonTargetedID depricated form

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] eduPersonTargetedID depricated form


Chronological Thread 
  • From: Pavel Šipoš <pavel.sipos AT arnes.si>
  • To: Dubravko Voncina <dubravko.voncina AT srce.hr>, Dick Visser <dick.visser AT geant.org>
  • Cc: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] eduPersonTargetedID depricated form
  • Date: Thu, 17 May 2018 15:25:40 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=arnes.si

Hi!

Thank you everyone for your responses and all information.

I forgot to mention that we already use Simplesamlphp 1.15.4 but I think this doesn't matter for the problem we're facing.

Just to justify why these things are running in our federation as they are I have to mention, that managing IdP and federation is relativly new to me, as I took over this work last year. I will do my best to keep up. :)

Now, I belive I have sucessfully manage to enable TargetedID with nameId for eduGAIN metadata and I decided to keep invalid form of eptid just in our ArnesAAI federation.

If this helps to anyone, I did this in metarefresh config with enabling authproc core:TargetedId with nameId set to TRUE:

'eduGAIN' => array(
                        'cron'          => array('hourly'),
                        'sources'       => array(
                                array(
                                        'src' => 'https://ds.aai.arnes.si/metadata/arnesaai-edugain.signed.xml',
                                        'validateFingerprint' => '83:89:8D:70:87:9C:41:DA:E6:6C:AA:4E:52:AF:AD:E8:48:67:D6:24',
                                        'template' => array(
                                                'tags'  => array('eduGAIN'),
                                                'authproc' => array(
                                                        22 => array( 'class' => 'core:TargetedID', 'nameId' => TRUE ),
                                                ),
                                        ),
                                ),
                        ),
                        'expireAfter'           => 60*60*24*4, // Maximum 4 days cache time.
                        'outputDir'     => 'metadata/eduGAIN/',
                        'outputFormat' => 'flatfile',
                ),

--
Pavel Sipos, Arnes <pavel.sipos AT arnes.si>
ARNES, p.p. 7, SI-1001 Ljubljana, Slovenia
T: +386 1 479 88 00
W: www.arnes.si, aai.arnes.si

Dubravko Voncina je 16. 05. 18 ob 20:08 napisal:
Hello Dick,

In my humble opinion, you don't have to justify to anyone.

Because of this:

https://simplesamlphp.org/security/201803-01
https://simplesamlphp.org/security/201802-01

you have to upgrade your SimpleSAMLphp SP installation(s) to latest stable
version as soon as possible. There's no discussion about it. It's not your
fault that the latest stable version of SimpleSAMLphp doesn't support invalid
string format of an eduPersonTardetedID attribute.

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559



On 16 May 2018, at 16:56, Dick Visser <dick.visser AT geant.org> wrote:

Sorry for hijacking this thread, but I'm in a similar, but opposite
position right now.
Our SP that is published in eduGAIN (entityID "https://terena.org/sp";)
currently accepts both ePTID formats from IdPs.
My intention is to upgrade the SimpleSAMLphp instance on it, but the
new one only accepts an XML formatted ePTID.
If there are any IdPs out there that do *not* use this, then things break.
I've asked around in the eduGAIN slack channel and the consensus is
that this *should not* matter because (as you mentioned) the "string
formatted" ePTID is deprecated/illegal.

But as the OP indicates, it actually does still exist.

My problem is that I will be perceived to be breaking things when I upgrade.
As usual the end user is left in the cold, as the service suddenly is
inaccessible, with no way for them to fix it.
In fact, I think I'd have a hard time trying to persuade a large
institution's IdP admin to change their config at all (if that is my
task, anyway).

"Everything worked fine until you upgraded your SP"

I guess I need to know which of the IdPs that are being used to access
our SP are doing "deprecated/illegal" things....

Dick

On 16 May 2018 at 13:37, Dubravko Voncina <dubravko.voncina AT srce.hr> wrote:
On 16 May 2018, at 11:21, Peter Schober <peter.schober AT univie.ac.at> wrote:

* Dubravko Voncina <dubravko.voncina AT srce.hr> [2018-05-16 11:09]:
I don't know about Shibboleth SP attribute mapping, but as far as
SimpleSAMLphp IdP is concerned, you should be able to set persistent
NameID only for certain Service Providers.

Specifically, for eduroam CAT service you should find entry that starts with:

$metadata['https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp']
= array ( ...

in your ../metadata/saml20-sp-remote.php configuration file and add
following parameters to that enry (it's just an example that has to
be adapted depending on your authentication source):
How do you update that SP's metadata then, without losing your local
configuration changes?
I guess you could provide an extra metadata source directory and find
out where to put local copies so that your local copy prevails over
metarefresh'ed metadata? But then you "own" the management of the
whole entity, meaning you'd have to monitor and merge upstream changes
into your local "fork" of that entity's metadata.
Hello Peter,

If I understand your comment correctly, that's exactly what we're doing.
First, SimpleSAMLphp automatically generates saml20-sp-remote.php
configuration file based on data stored in eduGAIN MDS. After that, we run
saml20-sp-remote.php file through a custom made script which modifies some SP
entries according to our needs.
Users don't care if we perform some additional tweaking, they just want
things to work.

Regards,

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559




--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

GÉANT Vereniging (Association) is registered with the Chamber of
Commerce in Amsterdam with registration number 40535155 and operates
in the UK as a branch of GÉANT Vereniging. Registered office:
Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address:
City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.


Want to join us? We're hiring: https://www.geant.org/jobs

Attachment: smime.p7s
Description: Kriptografski podpis S/MIME




Archive powered by MHonArc 2.6.19.

Top of Page