Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update


Chronological Thread 
  • From: Ian Young <ian AT iay.org.uk>
  • To: Etienne Dysli Metref <etienne.dysli-metref AT switch.ch>
  • Cc: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] eduGAIN SAML profile and MDS update
  • Date: Wed, 20 Nov 2019 15:31:54 +0000
  • Feedback-id: 217.155.173.110


On 2019-11-20, at 12:37, Etienne Dysli Metref <etienne.dysli-metref AT switch.ch> wrote:

So what's the way out for users of the Shib MDA? Is there a release
where this bug is fixed (apparently not)? How can I configure the
workaround?

I've updated the JIRA case to clarify that no, there's no fix for this just now. I have had it scheduled as something to try to fix in 0.10.0 for some time, but the fact that it was originally spotted in 2011 is a good indication that it might not prove to be possible.

Later mail by Davide mentions that the clean-import.xsl transform in the ukf-meta repository includes the code to strip these attributes, as well as a number of other defensive actions such as discarding ID values and long ds:X509SerialNumber.

You might need to tweak that file a little depending on the context in which you deploy it, as it currently relies on an old Xalan extension library I wrote and therefore in turn on an endorsed Xalan processor. I happen to be in the process of removing that requirement so that we can all move past Java 8, but for now it's easiest to just remove the templates you don't need or that don't work for you.

You may also have policy objections to some of the things done there, such as the removal of md:RoleDescriptor.  I won't criticise your life choices if you decide you need to import those, but I do reserve the right to say "I told you so". 

I think it's worth federations consuming metadata (whether or not they use the MDA, and whether or not they noticed a problem the other day) to be somewhat defensive in the metadata they accept for republication where there are known issues. I know of no downside to doing the things that clean-import.xsl does, and we've had that in place essentially from the beginning so someone would probably have beat me up by now if there _was_ a problem. But then, I've always disliked xsi:type as a mechanism given the wacky semantics (namespace declarations are used in a way that's only visible to a schema-validating processor).

Cheers,

    -- Ian




Attachment: smime.p7s
Description: S/MIME cryptographic signature




Archive powered by MHonArc 2.6.19.

Top of Page