InCommon Operations Notifications

[Nick Roy <>]

Hello,

On February 28, InCommon will release version 8 of its eduGAIN import
ruleset [1].

This ruleset allows us to remove our ban on the importation of regular
expression scopes in metadata, but imposes some validity checks on
scopes to try to limit security exposure from malformed, overly-broad or
otherwise problematic scopes (regular expression or otherwise). Within
the next few days, we will publish our updated edugain import policy
rules at [2]. I encourage you to take a look at those rules both now and
after they are updated (you can add a 'watch' to the page to see when it
changes) and let me know if you have any comments. That page also
contains links to our daily metadata filtering reports, which you can
also examine.

The following is a summary of expected changes to imported metadata that
will take place on February 28. We have also provided a detailed report
(attached), which includes details of the issues affecting these
filtered entity descriptors.

Entity descriptors which will not be imported starting on February 28th:

Issues with invalid, overly-broad or non-public-domain scopes:
https://id-dev.unc.edu.ar/idp/shibboleth
https://sso.saxion.nl/opensso
http://sts.deltion.nl/adfs/services/trust
http://sts.roc-nijmegen.nl/adfs/services/trust
http://fed.rijnijssel.nl/adfs/services/trust
https://cafe.ufba.br/idp/shibboleth
https://birk.wayf.dk/birk.php/wayf.aau.dk
https://idp.renata.edu.co/idp/shibboleth
https://idp.trc.gov.om/idp/shibboleth

Issues with ACS, SSO or SLO endpoints that do not use TLS:
urn:mace:feide.no:services:no.inspera.assessment.dev

RequstedAttribute lacks a NameFormat attribute:
https://elixir.mf.uni-lj.si/sp/201506181025
https://elixir.mf.uni-lj.si/sp/20150622

[1] https://github.internet2.edu/InCommon/inc-meta/releases/tag/incommon-v8
[2] https://spaces.internet2.edu/x/TgCNBQ

Thank you and best regards,

Nick Roy
Director of Technology and Strategy, InCommon / Internet2 Trust and
Identity Services
i2-denv-10:inc-meta nroy$ ant inc.edugain.report
Buildfile: /Users/nroy/Dropbox/i2-tsg-git/mda-working/inc-meta/build.xml

inc.edugain.report:
     [echo] Looking for errors in eduGAIN entities from 
/Users/nroy/Dropbox/i2-tsg-git/mda-working/inc-meta/mdx/incommon/edugain.xml...
     [echo] Running incommon report flow.
     [java] ERROR - Item https://id-dev.unc.edu.ar/idp/shibboleth (AR) was 
marked with the following Error status messages
     [java] ERROR -     domainName/publicSuffix: scope is a public suffix: 
'edu.ar'
     [java] ERROR -     domainName/publicSuffix: scope is a public suffix: 
'edu.ar'
     [java] ERROR - Item 
https://login.aaiedu.hr/edugain/saml2/idp/metadata.php (HR) was marked with 
the following Error status messages
     [java] ERROR -     check_sirtfi: SIRTFI requires a REFEDS security 
contact
     [java] ERROR - Item 
https://welcome.lifescienceid.org/metadata/backend.xml (NL) was marked with 
the following Error status messages
     [java] ERROR -     check_bindings: invalid binding 
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' on 
md:AssertionConsumerService
     [java] ERROR -     check_rands_member: REFEDS R+S requires 
mdui:DisplayName
     [java] ERROR - Item https://sso.saxion.nl/opensso (NL) was marked with 
the following Error status messages
     [java] ERROR -     checkScopes/literalTail: regular expression 
'.*@saxion\.nl$' does not end with a literal tail
     [java] ERROR - Item http://sts.deltion.nl/adfs/services/trust (NL) was 
marked with the following Error status messages
     [java] ERROR -     domainName/noPublicSuffix: scope is not under a 
public suffix: 'ow.deltion.local'
     [java] ERROR - Item http://sts.roc-nijmegen.nl/adfs/services/trust (NL) 
was marked with the following Error status messages
     [java] ERROR -     domainName/noPublicSuffix: scope is not under a 
public suffix: 'roc-nijmegen.local'
     [java] ERROR - Item http://fed.rijnijssel.nl/adfs/services/trust (NL) 
was marked with the following Error status messages
     [java] ERROR -     domainName/noPublicSuffix: scope is not under a 
public suffix: 'rij.local'
     [java] ERROR - Item urn:mace:feide.no:services:no.inspera.assessment.dev 
(NO) was marked with the following Error status messages
     [java] ERROR -     check_sp_tls: SingleLogoutService Location does not 
start with https://
     [java] ERROR -     check_sp_tls: AssertionConsumerService Location does 
not start with https://
     [java] ERROR - Item http://sts1.vib.be/adfs/services/trust (BE) was 
marked with the following Error status messages
     [java] ERROR -     check_bindings: invalid binding 
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' on 
md:AssertionConsumerService
     [java] ERROR - Item https://cafe.ufba.br/idp/shibboleth (BR) was marked 
with the following Error status messages
     [java] ERROR -     domainName/publicSuffix: scope is a public suffix: 
'br'
     [java] ERROR -     domainName/publicSuffix: scope is a public suffix: 
'edu.br'
     [java] ERROR - Item https://birk.wayf.dk/birk.php/wayf.aau.dk (DK) was 
marked with the following Error status messages
     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: 

     [java] ERROR - Item 
https://birk.wayf.dk/birk.php/wayf.supportcenter.dk/aip/saml2/idp/metadata.php?unit=aip
 (DK) was marked with the following Error status messages
     [java] ERROR -     checkScopes/domainName: scope is not a valid domain 
name: via.dk/
     [java] ERROR - Item 
urn:mace:ac.uk:sdss.ac.uk:provider:identity:uhi.ac.uk (UK) was marked with 
the following Error status messages
     [java] ERROR -     check_idp_non_saml2: IdP does not support the SAML 2 
HTTP-Redirect binding
     [java] ERROR - Item https://www.westlaw.co.uk/metadata (UK) was marked 
with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item 
https://auth.cs.serialssolutions.com/auth/Metadata/Shib (UK) was marked with 
the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://auth.services.bmj.com/auth (UK) was marked 
with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item 
https://auth.search.serialssolutions.com/auth/Metadata/Shib (UK) was marked 
with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://www.crcnetbase.com/shibboleth (UK) was 
marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://test.ingentaconnect.com/shibboleth (UK) was 
marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://www.ingentaconnect.com/shibboleth (UK) was 
marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item 
https://test.worldbank.pub2web.ingenta.com/shibboleth (UK) was marked with 
the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://beta.ingentaconnect.com/shibboleth (UK) was 
marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://beta.jbep.pub2web.ingenta.com/shibboleth 
(UK) was marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://www.jbe-platform.com/shibboleth (UK) was 
marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://beta.aip.pub2web.ingenta.com/shibboleth (UK) 
was marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://x-oecd-beta-01.ingenta.com/shibboleth (UK) 
was marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://test.oecd-ilibrary.org/shibboleth (UK) was 
marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://www.oecd-ilibrary.org/shibboleth (UK) was 
marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://beta.sgm.pub2web.ingenta.com/shibboleth (UK) 
was marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://www.microbiologyresearch.org/shibboleth (UK) 
was marked with the following Error status messages
     [java] ERROR -     check_sp_non_saml2: SP does not support the SAML 2 
HTTP-POST binding
     [java] ERROR - Item https://elixir.mf.uni-lj.si/sp/201506181025 (SI) was 
marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute sn lacks NameFormat 
attribute (implicitly 
'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
     [java] ERROR -     check_reqattr: RequestedAttribute givenName lacks 
NameFormat attribute (implicitly 
'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
     [java] ERROR -     check_reqattr: RequestedAttribute mail lacks 
NameFormat attribute (implicitly 
'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
     [java] ERROR -     check_reqattr: RequestedAttribute 
eduPersonPrincipalName lacks NameFormat attribute (implicitly 
'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
     [java] ERROR - Item https://elixir.mf.uni-lj.si/sp/20150622 (SI) was 
marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute sn lacks NameFormat 
attribute (implicitly 
'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
     [java] ERROR -     check_reqattr: RequestedAttribute givenName lacks 
NameFormat attribute (implicitly 
'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
     [java] ERROR -     check_reqattr: RequestedAttribute mail lacks 
NameFormat attribute (implicitly 
'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
     [java] ERROR -     check_reqattr: RequestedAttribute 
eduPersonPrincipalName lacks NameFormat attribute (implicitly 
'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')
     [java] ERROR - Item https://idp.renata.edu.co/idp/shibboleth (CO) was 
marked with the following Error status messages
     [java] ERROR -     domainName/publicSuffix: scope is a public suffix: 
'edu.co'
     [java] ERROR -     domainName/publicSuffix: scope is a public suffix: 
'edu.co'
     [java] ERROR - Item https://idp.trc.gov.om/idp/shibboleth 
(https://home.trc.gov.om) was marked with the following Error status messages
     [java] ERROR -     domainName/publicSuffix: scope is a public suffix: 
'gov.om'
     [java] ERROR -     domainName/publicSuffix: scope is a public suffix: 
'gov.om'
     [echo] Completed incommon report flow.
     [echo] Report complete.

BUILD SUCCESSFUL
Total time: 38 seconds