edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
RE: [eduGAIN-discuss] Problems and issues with SAML SPs in federations and eduGAIN
- From: Alan Lewis <alan.lewis AT geant.org>
- To: Peter Schober <peter.schober AT univie.ac.at>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Subject: RE: [eduGAIN-discuss] Problems and issues with SAML SPs in federations and eduGAIN
- Date: Thu, 15 Apr 2021 12:58:51 +0000
Hello Peter,
Thanks for the feedback.
Comments below.
Best regards
Alan
Alan Lewis
Trust and Identity Services Product Manager
GÉANT
Direct Tel: +44 (0)1223 371409
Mobile: +44 (0) 7500 891616
Switchboard: +44 (0)1223 371300
Networks • Services • People
Learn more at www.geant.org
GÉANT Vereniging (Association) is registered with the Chamber of Commerce in
Amsterdam with registration number 40535155 and operates in the UK as a
branch of GÉANT Vereniging. Registered office: Hoekenrode 3, 1102BR
Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills
Road, Cambridge CB2 1PQ, UK.
-----Original Message-----
From: edugain-discuss-request AT lists.geant.org
<edugain-discuss-request AT lists.geant.org> On Behalf Of Peter Schober
Sent: 15 April 2021 13:29
To: edugain-discuss AT lists.geant.org
Subject: Re: [eduGAIN-discuss] Problems and issues with SAML SPs in
federations and eduGAIN
Btw, would this have anything to do with the
https://access-check.edugain.org/ IDP in eduGAIN?
>> No, this is a separate activity although clearly there is some
>> complementarity.
* Alan Lewis <alan.lewis AT geant.org> [2021-04-15 12:40]:
> To make any service as useful as possible it would be very helpful to
> understand as many situations as possible where the SAML flow with an
> SP fails.
A currently "popular" issue is the one of supported encryption algorithms in
light of finally moving away from known-bad algos (such as AES-CBC) and
towards better replacements (such as AES-GCM).
So testing with "AES-GCM" encryption enforced by the IDP would be
interesting, I think, and could possibly be used to motivate the SP to add
support for that, or (at the very least) to have the SP's metadata amended
with (only) AES-CBC (if that's still missing) to clearly signal its broken
nature.
>> The idea of motivating SPs to follow a particular behaviour is one that
>> has come up. The concept of the 'goodness' of an SP has been raised,
>> but this leads to various problems around subjectivity and compulsion versus
>> guidance. Nevertheless, it is something to consider and the
>> example of encryption algorithm 'best practice' falls into this category I
>> think.
But of course I'd also like to know this for the many more SPs only available
in my local federation, so we probably would have to do something about that
ourselves (or expose such an IDP also to local federations and vice versa have
it also load non-eduGAIN metadata feeds).
>> The Test IdP exercise is not focused specifically on eduGAIN, although
>> this is clearly an aspect. Given that federation policies differ,
>> developing a Test IdP service that was applicable in a homogeneous form
>> sounds impractical, but perhaps some degree of
>> configurability could assist here from the perspective of the Test IdP
>> admin.
-peter
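Peter's point about SP metadata signalling which data-encryption algorithms an SP actually supports can be checked mechanically: the SAML metadata spec lets an SP list `md:EncryptionMethod` elements inside its encryption `KeyDescriptor`, and an IdP (or a federation operator) can read those to see whether AES-GCM is advertised, whether only AES-CBC is advertised, or whether the SP says nothing at all. The following script is an added example written for this archive page; it is not code from the thread, from eduGAIN or from any federation tool. It parses a metadata aggregate and classifies each SP. The aggregate and the entityIDs in it are constructed for the example and are not real federation entities.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Block-cipher algorithm URIs from XML Encryption 1.1 (AEAD) and 1.0 (unauthenticated CBC).
AES_GCM = {
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes192-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}
CBC_ONLY = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
}

# Constructed sample aggregate: three fictitious SPs with different advertised algorithms.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp-legacy.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:KeyName>legacy-enc</ds:KeyName></ds:KeyInfo>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-modern.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:KeyName>modern-key</ds:KeyName></ds:KeyInfo>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-silent.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:KeyName>silent-enc</ds:KeyName></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def encryption_algorithms(entity):
    """Collect Algorithm URIs from md:EncryptionMethod under every SP KeyDescriptor
    usable for encryption (use="encryption" or no use attribute, which means both)."""
    algs = set()
    for kd in entity.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):
            continue  # signing-only keys carry no encryption signal
        for method in kd.iterfind("md:EncryptionMethod", NS):
            if method.get("Algorithm"):
                algs.add(method.get("Algorithm"))
    return algs


def classify(algs):
    """Map the advertised set to the three cases discussed on the list."""
    if algs & AES_GCM:
        return "gcm-capable"   # IdP can safely prefer AES-GCM for this SP
    if algs & CBC_ONLY:
        return "cbc-only"      # SP clearly signals it cannot decrypt AES-GCM
    return "unspecified"       # no signal at all: the IdP has to guess


def audit(metadata_xml):
    """Return {entityID: classification} for every SP in a metadata document."""
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entities = [root]
    else:
        entities = root.iterfind("md:EntityDescriptor", NS)
    return {ent.get("entityID"): classify(encryption_algorithms(ent)) for ent in entities}


if __name__ == "__main__":
    for entity_id, verdict in audit(SAMPLE_METADATA).items():
        print(f"{verdict:12}  {entity_id}")
```

Run against a real aggregate by reading the file into `audit()` instead of `SAMPLE_METADATA`. The "unspecified" bucket is the one Peter's suggestion targets: an SP that advertises nothing leaves the IdP to guess, whereas an SP whose metadata lists only AES-CBC at least lets an IdP that enforces AES-GCM fail (or fall back) deliberately rather than producing an assertion the SP silently cannot decrypt.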