An open discussion list for topics related to the eduGAIN interfederation service.

[Pavel Šipoš <pavel.sipos AT arnes.si>]

Hi!

Thank you everyone for your responses and all information.

I forgot to mention that we already use Simplesamlphp 1.15.4 but I think 
this doesn't matter for the problem we're facing.

Just to justify why these things are running in our federation as they 
are I have to mention, that managing IdP and federation is relativly new 
to me, as I took over this work last year. I will do my best to keep up. :)

Now, I belive I have sucessfully manage to enable TargetedID with nameId 
for eduGAIN metadata and I decided to keep invalid form of eptid just in 
our ArnesAAI federation.

If this helps to anyone, I did this in metarefresh config with enabling 
authproc core:TargetedId with nameId set to TRUE:

'eduGAIN' => array(
                        'cron'          => array('hourly'),
                        'sources'       => array(
                                array(
                                        'src' => 
'https://ds.aai.arnes.si/metadata/arnesaai-edugain.signed.xml',
                                        'validateFingerprint' => 
'83:89:8D:70:87:9C:41:DA:E6:6C:AA:4E:52:AF:AD:E8:48:67:D6:24',
                                        'template' => array(
                                                'tags'  => 
array('eduGAIN'),
                                                'authproc' => array(
                                                        22 => array( 
'class' => 'core:TargetedID', 'nameId' => TRUE ),
                                                ),
                                        ),
                                ),
                        ),
                        'expireAfter'           => 60*60*24*4, // 
Maximum 4 days cache time.
                        'outputDir'     => 'metadata/eduGAIN/',
                        'outputFormat' => 'flatfile',
                ),

--
Pavel Sipos, Arnes <pavel.sipos AT arnes.si>
ARNES, p.p. 7, SI-1001 Ljubljana, Slovenia
T: +386 1 479 88 00
W: www.arnes.si, aai.arnes.si

Dubravko Voncina je 16. 05. 18 ob 20:08 napisal:
> Hello Dick,
>
> In my humble opinion, you don't have to justify to anyone.
>
> Because of this:
>
> https://simplesamlphp.org/security/201803-01
> https://simplesamlphp.org/security/201802-01
>
> you have to upgrade your SimpleSAMLphp SP installation(s) to latest stable 
> version as soon as possible. There's no discussion about it. It's not your 
> fault that the latest stable version of SimpleSAMLphp doesn't support invalid 
> string format of an eduPersonTardetedID attribute.
>
> Dubravko Voncina
> Middleware and Data Services Department
> University of Zagreb, University Computing Centre, www.srce.unizg.hr
> dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
>
>
>
> > On 16 May 2018, at 16:56, Dick Visser <dick.visser AT geant.org> wrote:
> >
> > Sorry for hijacking this thread, but I'm in a similar, but opposite
> > position right now.
> > Our SP that is published in eduGAIN (entityID "https://terena.org/sp";)
> > currently accepts both ePTID formats from IdPs.
> > My intention is to upgrade the SimpleSAMLphp instance on it, but the
> > new one only accepts an XML formatted ePTID.
> > If there are any IdPs out there that do *not* use this, then things break.
> > I've asked around in the eduGAIN slack channel and the consensus is
> > that this *should not* matter because (as you mentioned) the "string
> > formatted" ePTID is deprecated/illegal.
> >
> > But as the OP indicates, it actually does still exist.
> >
> > My problem is that I will be perceived to be breaking things when I upgrade.
> > As usual the end user is left in the cold, as the service suddenly is
> > inaccessible, with no way for them to fix it.
> > In fact, I think I'd have a hard time trying to persuade a large
> > institution's IdP admin to change their config at all (if that is my
> > task, anyway).
> >
> > "Everything worked fine until you upgraded your SP"
> >
> > I guess I need to know which of the IdPs that are being used to access
> > our SP are doing "deprecated/illegal" things....
> >
> > Dick
> >
> > On 16 May 2018 at 13:37, Dubravko Voncina <dubravko.voncina AT srce.hr> wrote:
> > > > On 16 May 2018, at 11:21, Peter Schober <peter.schober AT univie.ac.at> wrote:
> > > >
> > > > * Dubravko Voncina <dubravko.voncina AT srce.hr> [2018-05-16 11:09]:
> > > > > I don't know about Shibboleth SP attribute mapping, but as far as
> > > > > SimpleSAMLphp IdP is concerned, you should be able to set persistent
> > > > > NameID only for certain Service Providers.
> > > > >
> > > > > Specifically, for eduroam CAT service you should find entry that starts with:
> > > > >
> > > > > $metadata['https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp']
> > > > >  = array ( ...
> > > > >
> > > > > in your ../metadata/saml20-sp-remote.php configuration file and add
> > > > > following parameters to that enry (it's just an example that has to
> > > > > be adapted depending on your authentication source):
> > > > How do you update that SP's metadata then, without losing your local
> > > > configuration changes?
> > > > I guess you could provide an extra metadata source directory and find
> > > > out where to put local copies so that your local copy prevails over
> > > > metarefresh'ed metadata?  But then you "own" the management of the
> > > > whole entity, meaning you'd have to monitor and merge upstream changes
> > > > into your local "fork" of that entity's metadata.
> > > Hello Peter,
> > >
> > > If I understand your comment correctly, that's exactly what we're doing.
> > > First, SimpleSAMLphp automatically generates saml20-sp-remote.php 
> > > configuration file based on data stored in eduGAIN MDS. After that, we run 
> > > saml20-sp-remote.php file through a custom made script which modifies some SP 
> > > entries according to our needs.
> > > Users don't care if we perform some additional tweaking, they just want 
> > > things to work.
> > >
> > > Regards,
> > >
> > > Dubravko Voncina
> > > Middleware and Data Services Department
> > > University of Zagreb, University Computing Centre, www.srce.unizg.hr
> > > dubravko.voncina AT srce.hr, tel: +385 98 219273, fax: +385 1 6165559
> >
> >
> > --
> > Dick Visser
> > Trust & Identity Service Operations Manager
> > GÉANT
> >
> > GÉANT Vereniging (Association) is registered with the Chamber of
> > Commerce in Amsterdam with registration number 40535155 and operates
> > in the UK as a branch of GÉANT Vereniging. Registered office:
> > Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address:
> > City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.
> >
> >
> > Want to join us? We're hiring: https://www.geant.org/jobs

Attachment: smime.p7s
Description: Kriptografski podpis S/MIME