
geteduroam - Re: Findings

Re: Findings


  • From: Wenche Backman-Kamila <wenche.backman-kamila AT csc.fi>
  • To: Paul Dekkers <paul.dekkers AT surf.nl>
  • Cc: geteduroam <geteduroam AT lists.geant.org>
  • Subject: Re: Findings
  • Date: Fri, 12 Mar 2021 15:23:14 +0200 (EET)

Hi,

Yes, it was about EncryptedAssertion, and I guess only relevant for shibboleth-idp (v4 onwards).

I still don't see CSC in the geteduroam app on either Android 10 phone. Even reinstalling the app did not help. Very strange. Also, in the eduroam CAT app there is a geteduroam profile for CSC, but if I select it I get "Configuration File Error: Read Error with Config File".

Regards,

Wenche


From: "Paul Dekkers" <paul.dekkers AT surf.nl>
To: "Wenche Backman-Kamila" <wenche.backman-kamila AT csc.fi>, "geteduroam" <geteduroam AT lists.geant.org>
Sent: Friday, 12 March, 2021 14:46:36
Subject: Re: Findings

Hi Wenche,

I guess I misinterpreted your remark about ciphers on our SP:

On 12/03/2021 13:13, Paul Dekkers wrote:

Hi Wenche,

@list: for people who are unaware of the "hosted version" Wenche is talking about, this hasn't been advertised here yet (I think), but a bit more can be found at:
https://wiki.geant.org/display/gn43wp5/geteduroam+for+NROs+and+IdPs%2C+proposal+for+pilot+service

Basically, it allows you to connect an eduGAIN IdP to a hosted version of a pseudo-account service for geteduroam (comparable to and complementing the managed IdP, with eduroam credential creation based on eduGAIN authentication instead of invites).

On 12/03/2021 12:03, Wenche Backman-Kamila wrote:
Hi,

While taking geteduroam into use we'd like to report the following:

- You seem to use old crypto (CBC) for 'https://get.eduroam.org'. Is it possible to also support modern GCM crypto? We had to make an exception for this entity ID to make it work, but it works now.

Of course! We do support GCM, but *also* CBC, I think that's where the problem is? Do you have a pointer to eduGAIN guidelines for this, if there are any? I wasn't aware about a requirement.

And I'm afraid I looked no further than the A+ rating of ssllabs that we already had ;-) We are still A+, but with fewer ciphers. Hope this works out better.

I may have misinterpreted; is this about the SAML EncryptedAssertion? I understand it's common for Shib IdPs to require AES-GCM, but it's only recently in SimpleSAMLphp. (And in SURFconext, I believe we still purely rely on the transport security.)

I almost assume this is something Shibboleth users stumble upon more often. I will look at supporting this in the near future to be more compatible. Good feedback. I'm not aware of eduGAIN guidelines about this to be honest, but welcome pointers.

- CSC has been added to the institution list on Windows 10, but I cannot see CSC in the institution list in Android 10 (tested with both Samsung and Motorola). How come?

We actually improved the metadata creation very recently to reduce stale sessions in cache; I myself see CSC (with 2 profiles) on Android. Don't you?


Regards,

Paul
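The CBC/GCM mismatch discussed above shows up in the EncryptionMethod algorithm URIs of the SAML Response. As an added example (not code from the thread or from the geteduroam project), this script reads a constructed SAML Response and reports which data-encryption and key-transport algorithms its EncryptedAssertion uses, so an SP or IdP operator can check whether a captured response uses legacy AES-CBC or AES-GCM; the sample response and its placeholder ciphertext are constructed for the example.

```python
# Added example: inspect the XML-Encryption algorithms used by a SAML
# EncryptedAssertion, to tell legacy AES-CBC from AES-GCM.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response: the ciphertext is a placeholder, only the
# algorithm URIs matter for this check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def encryption_algorithms(response_xml):
    """Return (data_algorithm, key_transport_algorithm) per EncryptedAssertion."""
    root = ET.fromstring(response_xml)
    results = []
    for enc_data in root.findall("saml:EncryptedAssertion/xenc:EncryptedData", NS):
        data_alg = enc_data.find("xenc:EncryptionMethod", NS).get("Algorithm")
        key_method = enc_data.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        key_alg = key_method.get("Algorithm") if key_method is not None else None
        results.append((data_alg, key_alg))
    return results


def data_cipher_mode(algorithm):
    """Classify a data-encryption algorithm URI as 'gcm', 'cbc' or 'other'."""
    if algorithm.endswith("-gcm"):
        return "gcm"
    if algorithm.endswith("-cbc"):
        return "cbc"
    return "other"


if __name__ == "__main__":
    for data_alg, key_alg in encryption_algorithms(SAMPLE_RESPONSE):
        print(f"data: {data_alg} ({data_cipher_mode(data_alg)}); key transport: {key_alg}")
```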




