edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Assessment of Nigeria / eduID.ng

  • From: Alex Stuart <Alex.Stuart AT jisc.ac.uk>
  • To: "owen AT eko-konnect.org.ng" <owen AT eko-konnect.org.ng>, "aichafe AT udusok.edu.ng" <aichafe AT udusok.edu.ng>
  • Cc: "jiny92 AT kisti.re.kr" <jiny92 AT kisti.re.kr>, Terry Smith <t.smith AT aaf.edu.au>, "edugain-sg AT lists.geant.org" <edugain-sg AT lists.geant.org>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Assessment of Nigeria / eduID.ng
  • Date: Fri, 12 Nov 2021 14:34:36 +0000

Hello Owen and Ahmed,

I've looked at your MRPS. In section 5.3 on entity validation it says:

"On entity registration, the Federation Operator SHALL carry out entity
validations checks. These checks include [...] Ensuring endpoints are
properly protected with TLS / SSL Certificates."

You should explain what "properly protected" means. Do you require
TLS-protected endpoints, and that's the extent of your requirement? If you're
also conducting checks on the TLS protocol / ciphersuites supported by the
entities (through SSL Labs or similar) it would be good to describe the
process you use. Good practice in TLS configuration is a moving target so I
would not add too much detail here.


I'd also like to expand on a couple of points from Jinyong JO.

> On 2 Nov 2021, at 01:48, JO Jinyong <jinyong.jo AT gmail.com> wrote:
>
> 1. It seems that eduId.ng's federation metadata does not comply with its
> MRPS.
> Please check: https://technical.edugain.org/validator2?fed_id=EDUID-NG
>

I've also run the metadata against the UK federation's metadata checking
framework. We find a couple of other issues.

- The mdui:PrivacyStatementURL for
https://moodle.cloud.ren.ng/simplesaml/module.php/saml/sp/metadata.php/default-sp
has a typo. It currently says "htpps://ren.ng/policy".

- The DigestMethod and SigningMethod algorithms registered for the two
Shibboleth SPs include several unexpected algorithms. There are 2 algorithms
which use MD5, and there are some HMAC algorithms where we would expect
signature algorithms. These algorithms are not found in the
automatically-generated metadata from the SPs (which can be found at
https://registry.eduid.ng/Shibboleth.sso/Metadata and
https://moodle.cloud.ren.ng/Shibboleth.sso/Metadata). Do you know how the
metadata mismatch arises between the SP software and that published by your
federation metadata management tool?


> 5. In the MRPS document (p.5): recommend changing the Metadata format in
> the box (e.g., registrationAuthority="http://eduid.ng").
>

...and the value you decide on should then be used consistently in metadata.
Currently, there is
mdrpi:RegistrationInfo/@registrationAuthority="www.eduid.ng" and
mdrpi:PublicationInfo/@publisher="https://www.eduid.ng".

Regards,
Alex


Alex Stuart (he/him)
Technical Development Manager (Trust and Identity)
alex.stuart AT jisc.ac.uk
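The three metadata findings in the message above (a mistyped mdui:PrivacyStatementURL scheme, MD5 and HMAC entries in the algsupport extensions, and a registrationAuthority that does not match the publisher) can be turned into an automated check a federation operator runs before publishing. The script below is an added example, not Alex's code or the UK federation's checking framework; it uses only the Python standard library and runs over a constructed metadata sample whose entityID, publisher and URLs are placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "alg": "urn:oasis:names:tc:SAML:metadata:algsupport"}

# Constructed sample aggregate; entityID, publisher and URLs are placeholders.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
 xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
 xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
 <md:Extensions><mdrpi:PublicationInfo publisher="https://www.example-fed.test"/></md:Extensions>
 <md:EntityDescriptor entityID="https://sp.example.test/shibboleth">
  <md:Extensions>
   <mdrpi:RegistrationInfo registrationAuthority="www.example-fed.test"/>
   <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
   <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
  </md:Extensions>
  <md:SPSSODescriptor><md:Extensions><mdui:UIInfo>
   <mdui:PrivacyStatementURL xml:lang="en">htpps://sp.example.test/policy</mdui:PrivacyStatementURL>
  </mdui:UIInfo></md:Extensions></md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def check_metadata(xml_text):
    root = ET.fromstring(xml_text)
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    publisher = pub.get("publisher") if pub is not None else None
    findings = []  # list of (entityID, problem description)
    for ed in root.iterfind("md:EntityDescriptor", NS):
        eid = ed.get("entityID")
        # 1. mdui URLs must be absolute http(s) URLs; this catches "htpps://".
        for url in ed.iterfind(".//mdui:PrivacyStatementURL", NS):
            if not (url.text or "").startswith(("http://", "https://")):
                findings.append((eid, "bad PrivacyStatementURL: " + str(url.text)))
        # 2. MD5 anywhere, and HMAC where a signature algorithm is expected.
        for dm in ed.iterfind("md:Extensions/alg:DigestMethod", NS):
            if "md5" in dm.get("Algorithm", "").lower():
                findings.append((eid, "MD5 DigestMethod: " + dm.get("Algorithm")))
        for sm in ed.iterfind("md:Extensions/alg:SigningMethod", NS):
            alg = sm.get("Algorithm", "")
            if "md5" in alg.lower() or "hmac" in alg.lower():
                findings.append((eid, "unexpected SigningMethod: " + alg))
        # 3. registrationAuthority must equal the aggregate's publisher value.
        ri = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        ra = ri.get("registrationAuthority") if ri is not None else None
        if publisher and ra != publisher:
            findings.append((eid, "registrationAuthority %r != publisher %r" % (ra, publisher)))
    return findings
```

Running it on the real aggregate would also let you diff the algsupport entries against what each SP's own /Shibboleth.sso/Metadata endpoint generates, which is where the mismatch the message asks about would show up.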
