InCommon metadata support

[Stijn De Weirdt <>]

hi all,

i can now login on cilogon.

a big thanks to all involved for fixing this!


stijn


On 3/20/19 8:59 PM, James Babb wrote:
> Stijn and all--
> 
> The new MDA is deployed as of this afternoon. After tomorrow's metadata 
> signing and publication (3PM-ish US Eastern Daylight Time), 
> https://identity.ugent.be/simplesaml/saml2/idp/metadata.php will be in the 
> published metadata available to CILogon. 
> 
> 
> On 3/19/19, 11:12 AM, "Stijn De Weirdt" <> wrote:
> 
>     hi nick,
>     
>     thanks for the update. clearly i was just a bit too impatient ;)
>     
>     stijn
>     
>     On 3/19/19 5:08 PM, Nick Roy wrote:
>     > Hi Stijn,
>     > 
>     > We plan to release the MDA upgrade tomorrow, after we sign metadata, 
> about 3-4 p.m. US Eastern Time. If for some reason we aren't able to do it 
> then, we will plan for Monday, March 25th.
>     > 
>     > Best,
>     > 
>     > Nick
>     > 
>     > On 18 Mar 2019, at 10:46, Stijn De Weirdt wrote:
>     > 
>     >> hi all,
>     >>
>     >> is there any news (or an ETA) on resolving this issue?
>     >>
>     >> many thanks,
>     >>
>     >> stijn
>     >>
>     >> On 2/25/19 5:26 PM, Nick Roy wrote:
>     >>> Thanks - I have James Babb, InCommon support engineer, assigned to 
> follow this with Ian and get it released. Cheers!
>     >>>
>     >>> Nick
>     >>>
>     >>> On 25 Feb 2019, at 9:07, Stijn De Weirdt wrote:
>     >>>
>     >>>> hi nick,
>     >>>>
>     >>>> that is great news. looking forward to the fix and thanks again. i 
> owe
>     >>>> you a few beers ;)
>     >>>>
>     >>>> stijn
>     >>>>
>     >>>> On 2/25/19 5:05 PM, Nick Roy wrote:
>     >>>>> After a brief discussion with Ian, we believe it is safe to allow 
> mixed-case scopes, so we will work to get this updated. I will ping Ian on 
> the status of the fix after Global Summit (week of March 11).
>     >>>>>
>     >>>>> Best,
>     >>>>>
>     >>>>> Nick
>     >>>>>
>     >>>>> On 19 Feb 2019, at 11:10, Albert Wu wrote:
>     >>>>>
>     >>>>>> Hi Scott and Stijin,
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> I just briefed Nick Roy regarding this case. He is taking this 
> to the Ops Advisory Group to determine a course of action.
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> To the best of my understanding, InCommon filters upper case 
> lettering in the scope to guard against potential identity mismatch in SP’s 
> due to inconsistent handling of case sensitivities in identifiers.
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> Thank you for your patience. I will follow up as soon as the Ops 
> Advisory Group produces a recommendation.
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> albert
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> **From:** Scott Koranda <>
>     >>>>>> **Date:** Tuesday, February 19, 2019 at 5:15 AM
>     >>>>>> **To:** David Shafer  <>, Albert Wu 
> <>
>     >>>>>> **Cc:** ""  
> <>, "Fleury, Terry" <>, 
> "" <>, "" 
> <>, Stijn De Weirdt <>, Scott 
> Koranda <>
>     >>>>>> **Subject:** Re: [Metadata-Support] ERROR - 
> checkScopes/upperCase: scope 'UGent.be' includes upper-case characters
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> Hi Dave and Albert,
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> Can you provide an update on this issue?
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> Thanks,
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> Scott K
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> On Wed, Feb 13, 2019 at 8:55 AM David Shafer 
> <[](<>)> wrote:
>     >>>>>>
>     >>>>>>> Jim, just letting you know that I received this message from 
> Feb. 13, but not the earlier messages from Feb. 12 or Feb. 8. Checking the 
> list archives at 
> <https://lists.incommon.org/sympa/arc/metadata-support/2019-02/> confirms 
> the earlier messages didn't get through (but they might be waiting in an 
> approval queue?).
>     >>>>>>>
>     >>>>>>>  We'll investigate the original metadata issue-- and the 
> apparent email list issue-- and get back to everyone.
>     >>>>>>>
>     >>>>>>>  Thanks,
>     >>>>>>>
>     >>>>>>>  Dave
>     >>>>>>>
>     >>>>>>>  \-----Original Message-----
>     >>>>>>>  From: 
> <[](<>)>
>  on behalf of "Basney, Jim" 
> <[](<>)>
>     >>>>>>>  Reply-To: 
> "[](<>)" 
> <[](<>)>
>     >>>>>>>  Date: Wednesday, February 13, 2019 at 3:46 AM
>     >>>>>>>  To: Stijn De Weirdt 
> <[](<>)>, Scott 
> Koranda 
> <[](<>)>,
>  "[](<>)" 
> <[](<>)>
>     >>>>>>>  Cc: "Fleury, Terry" 
> <[](<>)>, 
> "[](<>)" 
> <[](<>)>, "" 
> <>
>     >>>>>>>  Subject: [Metadata-Support] ERROR - checkScopes/upperCase: 
> scope 'UGent.be' includes upper-case characters
>     >>>>>>>
>     >>>>>>>      Hi,
>     >>>>>>>
>     >>>>>>>      I think our messages aren't getting through to 
> [](<>). 
> I'm trying again to see if we can get assistance with this InCommon eduGAIN 
> metadata import problem.
>     >>>>>>>
>     >>>>>>>      -Jim
>     >>>>>>>      ________________________________________
>     >>>>>>>      From: Stijn De Weirdt 
> <[](<>)>
>     >>>>>>>      Sent: Tuesday, February 12, 2019 12:30 PM
>     >>>>>>>      To: Scott Koranda; 
> [](<>)
>     >>>>>>>      Cc: Fleury, Terry; 
> [](<>); 
>     >>>>>>>      Subject: Re: testidp with qa idp
>     >>>>>>>
>     >>>>>>>      hello all,
>     >>>>>>>
>     >>>>>>>      can we help with some more info or something else to get 
> some progress
>     >>>>>>>      on this?
>     >>>>>>>
>     >>>>>>>      many thanks,
>     >>>>>>>
>     >>>>>>>      stijn
>     >>>>>>>
>     >>>>>>>      On 2/8/19 12:26 PM, Scott Koranda wrote:
>     >>>>>>>      >
>     >>>>>>>      > This time including ...
>     >>>>>>>      >
>     >>>>>>>      >> Hi Stijn,
>     >>>>>>>      >>
>     >>>>>>>      >> I am forwarding your note to 
> [](<>). 
> They will be
>     >>>>>>>      >> able to explain in detail why the metadata for your IdP 
> has been
>     >>>>>>>      >> excluded from the InCommon metadata feed that CILogon 
> uses. They will
>     >>>>>>>      >> also be able if necessary to consult with eduGAIN and 
> the Belnet
>     >>>>>>>      >> Federation operators.
>     >>>>>>>      >>
>     >>>>>>>      >> Thanks,
>     >>>>>>>      >>
>     >>>>>>>      >> Scott K for CILogon
>     >>>>>>>      >>
>     >>>>>>>      >>> hi terry,
>     >>>>>>>      >>>
>     >>>>>>>      >>>> [java] ERROR - Item 
> <https://identity.ugent.be/simplesaml/saml2/idp/metadata.php> (BE) was 
> marked with the following Error status messages
>     >>>>>>>      >>>> [java] ERROR -     checkScopes/upperCase: scope 
> 'UGent.be' includes upper-case characters
>     >>>>>>>      >>> oh boy...
>     >>>>>>>      >>>
>     >>>>>>>      >>>>
>     >>>>>>>      >>>>
>     >>>>>>>      >>>> The rules for eduGAIN metadata import can be found at
>     >>>>>>>      >>>> 
> <https://spaces.at.internet2.edu/display/InCFederation/Interfederation+Technical+Policy>
>     >>>>>>>      >>> the rules do not mention anything about not allowing 
> uppercase letters
>     >>>>>>>      >>> (not that we checked upfront years ago, but still).
>     >>>>>>>      >>>
>     >>>>>>>      >>>> .
>     >>>>>>>      >>>>
>     >>>>>>>      >>>> After you fix this issue in your local federation 
> metadata,
>     >>>>>>>      >>> unfortunately, that will not happen that easily. we 
> would need to change
>     >>>>>>>      >>> our scope, and who knows what the fallout will be.
>     >>>>>>>      >>>
>     >>>>>>>      >>> we would also need some very good argument why this is 
> needed (aside
>     >>>>>>>      >>> from the fatc that we need the CILogon service ;)
>     >>>>>>>      >>> ideally there is some document stating that uppercase 
> is not allowed;
>     >>>>>>>      >>> but edugain doesn't seem to mind.
>     >>>>>>>      >>> eg if
>     >>>>>>>      >>> 
> <https://github.internet2.edu/InCommon/inc-meta/blob/master/mdx/incommon/edugain-policy.xml>
>     >>>>>>>      >>> is an actual edugain policy, we are clearly not 
> compliant with edugain
>     >>>>>>>      >>> (and that is (or might be) a valid reason to fix it, 
> even with large
>     >>>>>>>      >>> fallout)
>     >>>>>>>      >>>
>     >>>>>>>      >>> however, if it is not, then we have a serious problem.
>     >>>>>>>      >>>
>     >>>>>>>      >>> it is also annoying that even for regexps, uppercase 
> is not allowed.
>     >>>>>>>      >>> and to make it worse in our case, even with uppercase 
> regex allowed, the
>     >>>>>>>      >>> regex literal tail is a valid existing domainname;
>     >>>>>>>      >>> on the other hand if the uppercase regex would 
> constitute a valid
>     >>>>>>>      >>> domain, then we should be able to use it as valid 
> scope.
>     >>>>>>>      >>>
>     >>>>>>>      >>> do you have any contact info for the people who are 
> familiar with this
>     >>>>>>>      >>> policy?
>     >>>>>>>      >>>
>     >>>>>>>      >>> many thanks,
>     >>>>>>>      >>>
>     >>>>>>>      >>>
>     >>>>>>>      >>> stijn
>     >>>>>>>
>     >>>>>>>      \--
>     >>>>>>>      You received this message because you are subscribed to 
> the Google Groups "help" group.
>     >>>>>>>      To unsubscribe from this group and stop receiving emails 
> from it, send an email to 
> [](<>).
>     >>>>>>>
>     >>>>>>>
>     >>>>>>>
>     >>>>>
>     >>>>>
>     >>>>>
>     
>