
inc-librsvcs - Re: [inc-librsvcs] Shib 2.3.0 and EZproxy

Subject: InCommon Library Services

  • From: Tod Olson <>
  • To: Rich Wenger <>
  • Cc: Olson Tod <>, inc-librsvcs <>, David Langenberg <>
  • Subject: Re: [inc-librsvcs] Shib 2.3.0 and EZproxy
  • Date: Thu, 16 Jun 2011 18:36:37 -0500

Regarding the error in EZproxy 5.4:

"""
The specific error we see (under 5.4) is 

2011-06-14 13:54:09 SAMLVerifySignature start node not found for //md:EntityDescriptor[@entityID='https://shibboleth-dev2.uchicago.edu/idp/shibboleth']/md:IDPSSODescriptor/md:KeyDescriptor[1]
2011-06-14 13:54:09 SAMLVerifySignature signature failed verification

I have verified that the certs are good & the metadata is good & the metadata has a key at that spot referenced in the log.
"""

I've copied Dave Langenberg, our IdM guy, on this message, since I'm out of town for about 10 days after tomorrow.

-Tod

On Jun 16, 2011, at 3:58 PM, Rich Wenger wrote:

We also hit the Shib - EZproxy problem.


Rich Wenger
E-Resource Systems Manager, MIT Libraries

617-253-0035 



-----Original Message-----
From: [mailto:] On Behalf Of Tod Olson
Sent: Thursday, June 16, 2011 3:46 PM
To: inc-librsvcs
Cc: Tod Olson
Subject: [inc-librsvcs] Shib 2.3.0 and EZproxy

InCommon-Library,

Our IdM folks have contacted me with an issue they are having with EZproxy and the most recent Shibboleth, and I thought the InC-Library community might be interested.

Here's the issue:

"""
The current version of the Shibboleth IdP which we are running (2.2.1) is vulnerable to a cross-site-scripting attack.  The Shibboleth community has therefore released Shibboleth 2.3.0 which fixes the problem.  The shib folks have also stated that they will not backport a fix to the 2.1.x series IdP.  In attempting to upgrade our IdP I found in testing that EZ Proxy broke.  I spent awhile poking at it including attempting to upgrade EZ Proxy to the latest version in test & still couldn't get it working.  So, I contacted OCLC Support.  They replied (attached) that it's a known issue, they're working on it, but no ETA (which in my experience generally also means low priority).  They also mentioned that they only support the vulnerable series of Shibboleth.  So, we here in IT Services were wondering if you would perhaps have better leverage in getting out of OCLC an ETA as well as raising the priority of them coming up with a fix for EZ Proxy?
"""

So we have a security issue that the Shib upgrade will fix, but EZproxy breaks.  Since EZproxy is a recommended approach, was wondering whether others in InC-Library might have run into this problem?

-Tod

Tod Olson <>
Systems Librarian
University of Chicago Library



