inc-librsvcs - Re: [inc-librsvcs] Shib 2.3.0 and EZproxy

Subject: InCommon Library Services

Re: [inc-librsvcs] Shib 2.3.0 and EZproxy


  • From: Tod Olson <>
  • To: Steven Carmody <>
  • Cc: Tod Olson <>, "" <>
  • Subject: Re: [inc-librsvcs] Shib 2.3.0 and EZproxy
  • Date: Thu, 16 Jun 2011 18:33:16 -0500

On Jun 16, 2011, at 3:40 PM, Steven Carmody wrote:

> On 6/16/11 3:45 PM, Tod Olson wrote:
>> So, I contacted
>> OCLC Support. They replied (attached) that it's a known issue,
>> they're working on it, but no ETA (which in my experience generally
>
> Tod,
>
> I didn't see any attachment? Did my email service eat it (again)?

Right you are, I had copied only part of the message from Dave Langenberg,
our IdM guy. The entire message is attached.


-Tod

Tod Olson
<>
Systems Librarian
University of Chicago Library


--- Begin Message ---
  • From: David Langenberg <>
  • To: Tod Olson <>
  • Cc: Tamra Valadez <>
  • Subject: EZProxy & Shibboleth
  • Date: Wed, 15 Jun 2011 09:42:41 -0500
  • Accept-language: en-US
Hi Tod,

I was wondering if you could help me with something Shibboleth-related :-).  The current version of the Shibboleth IdP which we are running (2.2.1) is vulnerable to a cross-site-scripting attack.  The Shibboleth community has therefore released Shibboleth 2.3.0 which fixes the problem.  The shib folks have also stated that they will not backport a fix to the 2.1.x series IdP.  In attempting to upgrade our IdP I found in testing that EZ Proxy broke.  I spent a while poking at it including attempting to upgrade EZ Proxy to the latest version in test & still couldn't get it working.  So, I contacted OCLC Support.  They replied (attached) that it's a known issue, they're working on it, but no ETA (which in my experience generally also means low priority).  They also mentioned that they only support the vulnerable series of Shibboleth.  So, we here in IT Services were wondering if you would perhaps have better leverage in getting out of OCLC an ETA as well as raising the priority of them coming up with a fix for EZ Proxy?

Thanks for anything you could do.

Dave

---------- Forwarded message ----------
From: OCLC Customer Support <>
Date: Tue, Jun 14, 2011 at 4:49 PM
Subject: 1-1124194266 : EZproxy Support Request - University of Chicago
To: David Langenberg <>


Hello David,

Thank you for contacting OCLC Product Support and I will be happy to assist. To begin with, what you are reporting is a known bug with EZproxy 5.3 and up (EZPROX-530). Unfortunately, at this time we have no workaround for this matter and no ETR as to when it will be resolved. Though, please rest assured that our DEV team is aware of it and is looking into this matter.

Side note: EZproxy only supports IDP 2.1.x at this time.

Thank you,

Madi: Akshar
Sr. Support Analyst
http://www.oclc.org/support
800.848.5800

[THREAD ID:1-ILBA0M]

-----Original Message-----

From:  
Sent:  6/14/2011 03:06:31 PM
To:  <>
Subject:  EZproxy Support Request - University of Chicago

EZproxy Support Request

Dear David Langenberg,

Thank you for providing this information. An OCLC representative will contact you shortly.

Institution: University of Chicago
Contact Name: David Langenberg
Phone: 773-702-7155
E-mail:
Job Function: IT Staff
Country: US


Issue documented? No

Specific documentation feedback:
-------------------------
receiving: 2011-06-14 13:54:09 SAMLVerifySignature start node not found for //md:EntityDescriptor[@entityID='https://shibboleth-dev2.uchicago.edu/idp/shibboleth']/md:IDPSSODescriptor/md:KeyDescriptor[1]

Have verified the key/cert is good on the IdP & local metadata, have verified cert on ezproxy to be the correct one & on IdP metadata.

Inquiry type: Install
"Other" description:
-------------------------


Server Status: Worked before other circumstances
"Other" status:
-------------------------
upgrade of IdP to 2.3.0 caused system to no longer work

Affected parties: All users

EZproxy version: 5.4.0

Upgrade status: Has upgraded

Unable to upgrade because:
-------------------------


EZproxy Server URL: https://proxy2.uchicago.edu

Password: p6ssw9Rd

Steps to reproduce problem:
-------------------------
When returning from the Shibboleth IdP after login you receive inter institutional access failure.  Log shows

 SAMLVerifySignature start node not found for //md:EntityDescriptor[@entityID='https://shibboleth-dev2.uchicago.edu/idp/shibboleth']/md:IDPSSODescriptor/md:KeyDescriptor[1]





Additional Comments or Questions
-------------------------




--
================================
David Langenberg
Identity Management
The University of Chicago
================================


--- End Message ---
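
The log line in the support request names a metadata path that EZproxy could not resolve. As an added example (not from the thread, OCLC or the Shibboleth project), this Python code walks the same path through a local copy of the metadata one step at a time and reports which step is missing. The function name, the sample metadata and the example.org entityID are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: entityID and certificate text are placeholders.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def find_idp_key_descriptors(metadata_xml, entity_id):
    """Walk the path from the log line one step at a time and report which
    step resolves: EntityDescriptor -> IDPSSODescriptor -> KeyDescriptor."""
    result = {"entity_found": False, "idp_role_found": False, "keys": []}
    root = ET.fromstring(metadata_xml)  # local, already-trusted metadata copy
    # iter() includes the root, so a bare EntityDescriptor document matches too
    entity = next((e for e in root.iter("{%s}EntityDescriptor" % NS["md"])
                   if e.get("entityID") == entity_id), None)
    if entity is None:
        return result
    result["entity_found"] = True
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return result
    result["idp_role_found"] = True
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        has_cert = cert is not None and bool((cert.text or "").strip())
        result["keys"].append({"use": kd.get("use"), "has_cert": has_cert})
    return result


if __name__ == "__main__":
    print(find_idp_key_descriptors(SAMPLE_METADATA,
                                   "https://idp.example.org/idp/shibboleth"))
```

If every step resolves against the metadata file the service provider actually loads, the document contains the node and the lookup failure lies on the consuming side.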


