InCommon metadata support

[Nick Roy <>]

Thanks - I have James Babb, InCommon support engineer, assigned to follow 
this with Ian and get it released. Cheers!

Nick

On 25 Feb 2019, at 9:07, Stijn De Weirdt wrote:

> hi nick,
>
> that is great news. looking forward to the fix and thanks again. i owe
> you a few beers ;)
>
> stijn
>
> On 2/25/19 5:05 PM, Nick Roy wrote:
>> After a brief discussion with Ian, we believe it is safe to allow 
>> mixed-case scopes, so we will work to get this updated. I will ping Ian on 
>> the status of the fix after Global Summit (week of March 11).
>>
>> Best,
>>
>> Nick
>>
>> On 19 Feb 2019, at 11:10, Albert Wu wrote:
>>
>>> Hi Scott and Stijin,
>>>
>>>
>>>
>>> I just briefed Nick Roy regarding this case. He is taking this to the Ops 
>>> Advisory Group to determine a course of action.
>>>
>>>
>>>
>>> To the best of my understanding, InCommon filters upper case lettering in 
>>> the scope to guard against potential identity mismatch in SP’s due to 
>>> inconsistent handling of case sensitivities in identifiers.
>>>
>>>
>>>
>>> Thank you for your patience. I will follow up as soon as the Ops Advisory 
>>> Group produces a recommendation.
>>>
>>>
>>>
>>> albert
>>>
>>>
>>>
>>> **From:** Scott Koranda <>
>>> **Date:** Tuesday, February 19, 2019 at 5:15 AM
>>> **To:** David Shafer  <>, Albert Wu 
>>> <>
>>> **Cc:** ""  <>, 
>>> "Fleury, Terry" <>, "" 
>>> <>, "" <>, 
>>> Stijn De Weirdt <>, Scott Koranda 
>>> <>
>>> **Subject:** Re: [Metadata-Support] ERROR - checkScopes/upperCase: scope 
>>> 'UGent.be' includes upper-case characters
>>>
>>>
>>>
>>> Hi Dave and Albert,
>>>
>>>
>>>
>>> Can you provide an update on this issue?
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>>
>>> Scott K
>>>
>>>
>>>
>>> On Wed, Feb 13, 2019 at 8:55 AM David Shafer 
>>> <[](<>)> wrote:
>>>
>>>> Jim, just letting you know that I received this message from Feb. 13, 
>>>> but not the earlier messages from Feb. 12 or Feb. 8. Checking the list 
>>>> archives at 
>>>> <https://lists.incommon.org/sympa/arc/metadata-support/2019-02/> 
>>>> confirms the earlier messages didn't get through (but they might be 
>>>> waiting in an approval queue?).
>>>>
>>>>  We'll investigate the original metadata issue-- and the apparent email 
>>>> list issue-- and get back to everyone.
>>>>
>>>>  Thanks,
>>>>
>>>>  Dave
>>>>
>>>>  \-----Original Message-----
>>>>  From: 
>>>> <[](<>)>
>>>>  on behalf of "Basney, Jim" 
>>>> <[](<>)>
>>>>  Reply-To: 
>>>> "[](<>)"
>>>>  
>>>> <[](<>)>
>>>>  Date: Wednesday, February 13, 2019 at 3:46 AM
>>>>  To: Stijn De Weirdt 
>>>> <[](<>)>, Scott 
>>>> Koranda 
>>>> <[](<>)>,
>>>>  
>>>> "[](<>)"
>>>>  
>>>> <[](<>)>
>>>>  Cc: "Fleury, Terry" 
>>>> <[](<>)>, 
>>>> "[](<>)" 
>>>> <[](<>)>, 
>>>> "" <>
>>>>  Subject: [Metadata-Support] ERROR - checkScopes/upperCase: scope 
>>>> 'UGent.be' includes upper-case characters
>>>>
>>>>      Hi,
>>>>
>>>>      I think our messages aren't getting through to 
>>>> [](<>). 
>>>> I'm trying again to see if we can get assistance with this InCommon 
>>>> eduGAIN metadata import problem.
>>>>
>>>>      -Jim
>>>>      ________________________________________
>>>>      From: Stijn De Weirdt 
>>>> <[](<>)>
>>>>      Sent: Tuesday, February 12, 2019 12:30 PM
>>>>      To: Scott Koranda; 
>>>> [](<>)
>>>>      Cc: Fleury, Terry; [](<>); 
>>>> 
>>>>      Subject: Re: testidp with qa idp
>>>>
>>>>      hello all,
>>>>
>>>>      can we help with some more info or something else to get some 
>>>> progress
>>>>      on this?
>>>>
>>>>      many thanks,
>>>>
>>>>      stijn
>>>>
>>>>      On 2/8/19 12:26 PM, Scott Koranda wrote:
>>>>      >
>>>>      > This time including ...
>>>>      >
>>>>      >> Hi Stijn,
>>>>      >>
>>>>      >> I am forwarding your note to 
>>>> [](<>). 
>>>> They will be
>>>>      >> able to explain in detail why the metadata for your IdP has been
>>>>      >> excluded from the InCommon metadata feed that CILogon uses. They 
>>>> will
>>>>      >> also be able if necessary to consult with eduGAIN and the Belnet
>>>>      >> Federation operators.
>>>>      >>
>>>>      >> Thanks,
>>>>      >>
>>>>      >> Scott K for CILogon
>>>>      >>
>>>>      >>> hi terry,
>>>>      >>>
>>>>      >>>> [java] ERROR - Item 
>>>> <https://identity.ugent.be/simplesaml/saml2/idp/metadata.php> (BE) was 
>>>> marked with the following Error status messages
>>>>      >>>> [java] ERROR -     checkScopes/upperCase: scope 'UGent.be' 
>>>> includes upper-case characters
>>>>      >>> oh boy...
>>>>      >>>
>>>>      >>>>
>>>>      >>>>
>>>>      >>>> The rules for eduGAIN metadata import can be found at
>>>>      >>>> 
>>>> <https://spaces.at.internet2.edu/display/InCFederation/Interfederation+Technical+Policy>
>>>>      >>> the rules do not mention anything about not allowing uppercase 
>>>> letters
>>>>      >>> (not that we checked upfront years ago, but still).
>>>>      >>>
>>>>      >>>> .
>>>>      >>>>
>>>>      >>>> After you fix this issue in your local federation metadata,
>>>>      >>> unfortunately, that will not happen that easily. we would need 
>>>> to change
>>>>      >>> our scope, and who knows what the fallout will be.
>>>>      >>>
>>>>      >>> we would also need some very good argument why this is needed 
>>>> (aside
>>>>      >>> from the fatc that we need the CILogon service ;)
>>>>      >>> ideally there is some document stating that uppercase is not 
>>>> allowed;
>>>>      >>> but edugain doesn't seem to mind.
>>>>      >>> eg if
>>>>      >>> 
>>>> <https://github.internet2.edu/InCommon/inc-meta/blob/master/mdx/incommon/edugain-policy.xml>
>>>>      >>> is an actual edugain policy, we are clearly not compliant with 
>>>> edugain
>>>>      >>> (and that is (or might be) a valid reason to fix it, even with 
>>>> large
>>>>      >>> fallout)
>>>>      >>>
>>>>      >>> however, if it is not, then we have a serious problem.
>>>>      >>>
>>>>      >>> it is also annoying that even for regexps, uppercase is not 
>>>> allowed.
>>>>      >>> and to make it worse in our case, even with uppercase regex 
>>>> allowed, the
>>>>      >>> regex literal tail is a valid existing domainname;
>>>>      >>> on the other hand if the uppercase regex would constitute a 
>>>> valid
>>>>      >>> domain, then we should be able to use it as valid scope.
>>>>      >>>
>>>>      >>> do you have any contact info for the people who are familiar 
>>>> with this
>>>>      >>> policy?
>>>>      >>>
>>>>      >>> many thanks,
>>>>      >>>
>>>>      >>>
>>>>      >>> stijn
>>>>
>>>>      \--
>>>>      You received this message because you are subscribed to the Google 
>>>> Groups "help" group.
>>>>      To unsubscribe from this group and stop receiving emails from it, 
>>>> send an email to 
>>>> [](<>).
>>>>
>>>>
>>>>
>>
>>
>>

Attachment: signature.asc
Description: OpenPGP digital signature