edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update

From: Nick Roy <nroy AT internet2.edu>
To: Davide Vaghetti <davide.vaghetti AT garr.it>
Cc: "edugain-sg AT lists.geant.org" <edugain-sg AT lists.geant.org>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
Subject: Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update
Date: Tue, 19 Nov 2019 22:57:51 +0000
Accept-language: en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=internet2.edu; dmarc=pass action=none header.from=internet2.edu; dkim=pass header.d=internet2.edu; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1/iRn7rCN33JRNgyfNiHcQRg6cJ1UwPRfeX2KSzKdxU=; b=M0YuLIId8tBPaxRXlkUor/OCuzOm7Xc+hJDA3DeVBQphWUKeHxT3go/lBdXJW+ryj2AUtPpnG5zMdPpATd9LjK/YKK1mA5A9NkpiGqLZ8eE8VFqFwLempuNz8Vv7fv00cr7ubos7WJrbrqp5p4drmmRBgz7PomvYZ3iybGfr/2zKmu+anpNnvUYp7G0FjzEGPmXk0EMF/60QwYxz4awcVBh1q87lVG/2KDEP7n5xCkG9aFTqckE8FTGnjO6u0pdGbUxB1SXvcGVxp8HtBZwu9XQ6Mak3MNNwdok1Zo8COo/AIkpf6Juv8k/KaNRxXxfiZStiHMWEFKaDhyE8o9rb5w==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TXFJz8ETFp7M6F9VOUt4/8wl3jM1SWHsLBY/sICHe9UWd/GLFsJxvXJjwEqDq3B1Igd6BuYD0zmn/TjVOTYr/S3oJDoLuP79ODVYr+BOdRRmpm8ucYt8bCUFgjV0hfDbHK08JPyEfSFWljMu7i6J4b1lUUmDKTBBhVwEwQhaglqu9aaGJ4yrTc5aSKydx94VSE6z4P2KphyafW9+CokE21ZqEd/8iEgEWKerZvrmrf5FQpFdE18CvoxC9IlVbej9qaB9NrnRMLYbGHMlcPIwkTjK4z439TxMTtbatILJvDxspGvmG5WNSIJHS1Wl8GhPmKXtLdPyGNmeH4qm3adTBA==
Authentication-results: spf=none (sender IP is ) smtp.mailfrom=nroy AT internet2.edu;

Thank you Davide, this is very helpful.

Best Regards,

Nick

On 19 Nov 2019, at 14:53, Davide Vaghetti wrote:

> Hi,
>
> what follows is a brief report on today's eduGAIN MDS updating process.
>
> As you know, today is the deadline for the eduGAIN SAML profile
> adoption. The eduGAIN OT scheduled an update of the eduGAIN MDS along
> those directly targeting the validator and the technical site to support
> the new profile.
>
> The update on eduGAIN MDS was limited to the environment (python
> version) and pyFF itself, which was updated to the latest stable version.
>
> The feed produced by the updated eduGAIN MDS was schema validating
> exactly as the old one.
>
> At 4:10pm CET, Chris Philips (Canarie) alerted us of an error that was
> preventing their MDA to correctly parse some entities in the eduGAIN
> feed. Canarie is using Shibbolteh MDA. The error was:
>
> "ERROR - validateSchema reported: UndeclaredPrefix: Cannot resolve
> 'xs:string' as a QName: the prefix 'xs' is not declared."
>
> We found that there was a difference in how the "xs" namespace was
> declared in the backward eduGAIN feed and in the current one.
>
> With the eduGAIN OT we decided to roll back to the previous eduGAIN MDS
> instance, which happened at 4:47pm CET.
>
> With the help of Ian Young we found out that:
> 1. what is causing the issue is that the "xs" namespace is declared in
> `EntitiesDescriptor` on the latest version of the eduGAIN MDS, versus
> per `AttributeValue` in the previous version.
> 2. we're hitting on an old Shibboleth MDA bug which is preventing the
> MDA to resolve namespaces declared "too far" from the element where they
> are used --- see https://issues.shibboleth.net/jira/browse/MDA-47
> 3. other identity federations using Shibboleth MDA, such as UKf and many
> others, were not hit by the issue because they strip out all the
> `xsi:type="xs:string"` elements as part of their aggregation process.
>
> As already noted on the slack edugain_support channel and on today's
> eduGAIN "Drop in session", there is room for improving the eduGAIN MDS
> updating process: for example letting fed-ops know about possible diffs
> among the current and the updated eduGAIN metadata --- even though both
> are schema valid.
>
> As a very short term measure we are setting up two different feeds:
> production and pre-production. We will keep both active for enough time
> to let federation operators test them and signal potential issues.
>
> Currently we're still relying on the backward eduGAIN MDS. Tomorrow
> morning we will give you further details.
>
> Cheers,
> Davide
>
> --
> Davide Vaghetti
> Consortium GARR
> Tel: +390502213158
> Mobile: +393357779542
> Skype: daserzw

Attachment: signature.asc
Description: OpenPGP digital signature

[eduGAIN-discuss] eduGAIN SAML profile and MDS update, Davide Vaghetti, 19-Nov-2019
- Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Nick Roy, 11/19/2019
- Message not available
  - Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Etienne Dysli Metref, 20-Nov-2019
    - Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Davide Vaghetti, 20-Nov-2019
      - Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Etienne Dysli Metref, 20-Nov-2019
        
        Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Peter Schober, 20-Nov-2019
        
        Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Cantor, Scott, 20-Nov-2019
        
        Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Nick Roy, 20-Nov-2019
        
        Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Etienne Dysli Metref, 21-Nov-2019
    - Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Ian Young, 20-Nov-2019
      - Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Etienne Dysli Metref, 22-Nov-2019
        
        Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update, Davide Vaghetti, 22-Nov-2019