inc-ops-notifications - [InCommon NOTICE] InCommon eduGAIN import ruleset changing on February 28
- From: Nick Roy <>
- Subject: [InCommon NOTICE] InCommon eduGAIN import ruleset changing on February 28
- Date: Thu, 22 Feb 2018 20:19:39 +0000
Hello,

On February 28, InCommon will release version 8 of its eduGAIN import ruleset [1].

This ruleset allows us to remove our ban on the importation of regular expression scopes in metadata, but imposes some validity checks on scopes to try to limit security exposure from malformed, overly-broad or otherwise problematic scopes (regular expression or otherwise). Within the next few days, we will publish our updated eduGAIN import policy rules at [2]. I encourage you to take a look at those rules both now and after they are updated (you can add a 'watch' to the page to see when it changes) and let me know if you have any comments. That page also contains links to our daily metadata filtering reports, which you can also examine.

The following is a summary of expected changes to imported metadata that will take place on February 28. We have also provided a detailed report (attached), which includes details of the issues affecting these filtered entity descriptors.

Entity descriptors which will not be imported starting on February 28th:

Issues with invalid, overly-broad or non-public-domain scopes:
https://id-dev.unc.edu.ar/idp/shibboleth
https://sso.saxion.nl/opensso
http://sts.deltion.nl/adfs/services/trust
http://sts.roc-nijmegen.nl/adfs/services/trust
http://fed.rijnijssel.nl/adfs/services/trust
https://cafe.ufba.br/idp/shibboleth
https://birk.wayf.dk/birk.php/wayf.aau.dk
https://idp.renata.edu.co/idp/shibboleth
https://idp.trc.gov.om/idp/shibboleth

Issues with ACS, SSO or SLO endpoints that do not use TLS:
urn:mace:feide.no:services:no.inspera.assessment.dev

RequestedAttribute lacks a NameFormat attribute:
https://elixir.mf.uni-lj.si/sp/201506181025
https://elixir.mf.uni-lj.si/sp/20150622

[1] https://github.internet2.edu/InCommon/inc-meta/releases/tag/incommon-v8
[2] https://spaces.internet2.edu/x/TgCNBQ

Thank you and best regards,
Nick Roy
Director of Technology and Strategy, InCommon / Internet2 Trust and Identity Services
i2-denv-10:inc-meta nroy$ ant inc.edugain.report
Buildfile: /Users/nroy/Dropbox/i2-tsg-git/mda-working/inc-meta/build.xml
inc.edugain.report:
[echo] Looking for errors in eduGAIN entities from /Users/nroy/Dropbox/i2-tsg-git/mda-working/inc-meta/mdx/incommon/edugain.xml...
[echo] Running incommon report flow.
[java] ERROR - Item https://id-dev.unc.edu.ar/idp/shibboleth (AR) was marked with the following Error status messages
[java] ERROR - domainName/publicSuffix: scope is a public suffix: 'edu.ar'
[java] ERROR - domainName/publicSuffix: scope is a public suffix: 'edu.ar'
[java] ERROR - Item https://login.aaiedu.hr/edugain/saml2/idp/metadata.php (HR) was marked with the following Error status messages
[java] ERROR - check_sirtfi: SIRTFI requires a REFEDS security contact
[java] ERROR - Item https://welcome.lifescienceid.org/metadata/backend.xml (NL) was marked with the following Error status messages
[java] ERROR - check_bindings: invalid binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' on md:AssertionConsumerService
[java] ERROR - check_rands_member: REFEDS R+S requires mdui:DisplayName
[java] ERROR - Item https://sso.saxion.nl/opensso (NL) was marked with the following Error status messages
[java] ERROR - checkScopes/literalTail: regular expression '.*@saxion\.nl$' does not end with a literal tail
[java] ERROR - Item http://sts.deltion.nl/adfs/services/trust (NL) was marked with the following Error status messages
[java] ERROR - domainName/noPublicSuffix: scope is not under a public suffix: 'ow.deltion.local'
[java] ERROR - Item http://sts.roc-nijmegen.nl/adfs/services/trust (NL) was marked with the following Error status messages
[java] ERROR - domainName/noPublicSuffix: scope is not under a public suffix: 'roc-nijmegen.local'
[java] ERROR - Item http://fed.rijnijssel.nl/adfs/services/trust (NL) was marked with the following Error status messages
[java] ERROR - domainName/noPublicSuffix: scope is not under a public suffix: 'rij.local'
[java] ERROR - Item urn:mace:feide.no:services:no.inspera.assessment.dev (NO) was marked with the following Error status messages
[java] ERROR - check_sp_tls: SingleLogoutService Location does not start with https://
[java] ERROR - check_sp_tls: AssertionConsumerService Location does not start with https://
[java] ERROR - Item http://sts1.vib.be/adfs/services/trust (BE) was marked with the following Error status messages
[java] ERROR - check_bindings: invalid binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' on md:AssertionConsumerService
[java] ERROR - Item https://cafe.ufba.br/idp/shibboleth (BR) was marked with the following Error status messages
[java] ERROR - domainName/publicSuffix: scope is a public suffix: 'br'
[java] ERROR - domainName/publicSuffix: scope is a public suffix: 'edu.br'
[java] ERROR - Item https://birk.wayf.dk/birk.php/wayf.aau.dk (DK) was marked with the following Error status messages
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - checkScopes/domainName: scope is not a valid domain name:
[java] ERROR - Item https://birk.wayf.dk/birk.php/wayf.supportcenter.dk/aip/saml2/idp/metadata.php?unit=aip (DK) was marked with the following Error status messages
[java] ERROR - checkScopes/domainName: scope is not a valid domain name: via.dk/
[java] ERROR - Item urn:mace:ac.uk:sdss.ac.uk:provider:identity:uhi.ac.uk (UK) was marked with the following Error status messages
[java] ERROR - check_idp_non_saml2: IdP does not support the SAML 2 HTTP-Redirect binding
[java] ERROR - Item https://www.westlaw.co.uk/metadata (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://auth.cs.serialssolutions.com/auth/Metadata/Shib (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://auth.services.bmj.com/auth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://auth.search.serialssolutions.com/auth/Metadata/Shib (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://www.crcnetbase.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://test.ingentaconnect.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://www.ingentaconnect.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://test.worldbank.pub2web.ingenta.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://beta.ingentaconnect.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://beta.jbep.pub2web.ingenta.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://www.jbe-platform.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://beta.aip.pub2web.ingenta.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://x-oecd-beta-01.ingenta.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://test.oecd-ilibrary.org/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://www.oecd-ilibrary.org/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://beta.sgm.pub2web.ingenta.com/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://www.microbiologyresearch.org/shibboleth (UK) was marked with the following Error status messages
[java] ERROR - check_sp_non_saml2: SP does not support the SAML 2 HTTP-POST binding
[java] ERROR - Item https://elixir.mf.uni-lj.si/sp/201506181025 (SI) was marked with the following Error status messages
[java] ERROR - check_reqattr: RequestedAttribute sn lacks NameFormat attribute (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
[java] ERROR - check_reqattr: RequestedAttribute givenName lacks NameFormat attribute (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
[java] ERROR - check_reqattr: RequestedAttribute mail lacks NameFormat attribute (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
[java] ERROR - check_reqattr: RequestedAttribute eduPersonPrincipalName lacks NameFormat attribute (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
[java] ERROR - Item https://elixir.mf.uni-lj.si/sp/20150622 (SI) was marked with the following Error status messages
[java] ERROR - check_reqattr: RequestedAttribute sn lacks NameFormat attribute (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
[java] ERROR - check_reqattr: RequestedAttribute givenName lacks NameFormat attribute (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
[java] ERROR - check_reqattr: RequestedAttribute mail lacks NameFormat attribute (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
[java] ERROR - check_reqattr: RequestedAttribute eduPersonPrincipalName lacks NameFormat attribute (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
[java] ERROR - Item https://idp.renata.edu.co/idp/shibboleth (CO) was marked with the following Error status messages
[java] ERROR - domainName/publicSuffix: scope is a public suffix: 'edu.co'
[java] ERROR - domainName/publicSuffix: scope is a public suffix: 'edu.co'
[java] ERROR - Item https://idp.trc.gov.om/idp/shibboleth (https://home.trc.gov.om) was marked with the following Error status messages
[java] ERROR - domainName/publicSuffix: scope is a public suffix: 'gov.om'
[java] ERROR - domainName/publicSuffix: scope is a public suffix: 'gov.om'
[echo] Completed incommon report flow.
[echo] Report complete.
BUILD SUCCESSFUL
Total time: 38 seconds
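As an added illustration (not InCommon's ruleset or the inc-meta code), a simplified Python version of the scope and endpoint checks named in the report above, run over constructed sample metadata. The small public-suffix set stands in for the Public Suffix List, and the literal-tail rule for regex scopes is my reading of it: a regex scope must end in a literal domain tail, and that tail is then held to the same checks as a literal scope.

```python
import re
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "shibmd": "urn:mace:shibboleth:metadata:1.0"}
PUBLIC_SUFFIXES = {"edu", "edu.ar", "nl", "dk"}  # tiny stand-in for the Public Suffix List (assumption)
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.I)  # one DNS label
TAIL = re.compile(r"((?:\\\.[a-z0-9-]+)+)\$$", re.I)  # literal '\.label\.label' right before the $ anchor

def check_domain(scope):
    # literal scope: a syntactically valid domain that sits under, but is not itself, a public suffix
    labels = scope.split(".")
    if not scope or not all(LABEL.match(label) for label in labels):
        return [f"domainName: scope is not a valid domain name: '{scope}'"]
    if scope in PUBLIC_SUFFIXES:  # one IdP could otherwise assert scoped attributes for all of edu.ar
        return [f"publicSuffix: scope is a public suffix: '{scope}'"]
    if not any(".".join(labels[i:]) in PUBLIC_SUFFIXES for i in range(1, len(labels))):
        return [f"noPublicSuffix: scope is not under a public suffix: '{scope}'"]
    return []

def check_regex(scope):
    # regex scope: the domain it covers must be readable off a literal tail, which then gets the literal checks
    m = TAIL.search(scope)
    if not m:
        return [f"literalTail: regular expression '{scope}' does not end with a literal tail"]
    return check_domain(m.group(1).replace("\\.", ".")[1:])

def check_entities(xml_text):
    # {entityID: [error, ...]} for every entity the import would drop
    findings = {}
    for ent in ET.fromstring(xml_text).iter(f"{{{NS['md']}}}EntityDescriptor"):
        errors = []
        for s in ent.iterfind(".//shibmd:Scope", NS):
            text = (s.text or "").strip()
            errors += check_regex(text) if s.get("regexp") == "true" else check_domain(text)
        for tag in ("AssertionConsumerService", "SingleSignOnService", "SingleLogoutService"):
            for ep in ent.iterfind(f".//md:{tag}", NS):
                if not ep.get("Location", "").startswith("https://"):
                    errors.append(f"check_tls: {tag} Location does not start with https://")
        if errors:
            findings[ent.get("entityID")] = errors
    return findings
# Constructed sample metadata: one clean IdP and one IdP carrying each scope failure class from the report
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
<md:EntityDescriptor entityID="https://idp.example.edu/idp"><md:IDPSSODescriptor><md:Extensions>
<shibmd:Scope regexp="true">^.+\\.example\\.edu$</shibmd:Scope></md:Extensions>
<md:SingleSignOnService Location="https://idp.example.edu/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://bad.example.test/idp"><md:IDPSSODescriptor><md:Extensions>
<shibmd:Scope regexp="false">edu.ar</shibmd:Scope><shibmd:Scope regexp="false">campus.local</shibmd:Scope>
<shibmd:Scope regexp="false">via.dk/</shibmd:Scope><shibmd:Scope regexp="true">^.+\\.edu\\.ar$</shibmd:Scope>
<shibmd:Scope regexp="true">.*saxion.*</shibmd:Scope></md:Extensions>
<md:SingleSignOnService Location="http://bad.example.test/sso"/></md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""
```

Calling check_entities(SAMPLE) leaves the clean IdP out of the result and lists six findings for the second entity, in document order, mirroring the per-item layout of the report.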