- Saml-admins - lists3.sunet.se

Fwd: Jetty for Windows installer updated to 12.0.20

by Björn Mattsson

Hej. För kännedom till er som kör Shibboleth IdP på Windows. Inget akut att uppdatera mer om ni vill ha en lite fräshare jetty :-) // Björn M. > Begin forwarded message: > > From: "Cantor, Scott via announce" <announce(a)shibboleth.net> > Subject: Jetty for Windows installer updated to 12.0.20 > Date: 12 May 2025 at 16:35:23 CEST > To: "announce(a)shibboleth.net" <announce(a)shibboleth.net> > Cc: "Cantor, Scott" <cantor.2(a)osu.edu> > Reply-To: users(a)shibboleth.net > > There was a DoS vulnerability [1] in Jetty when HTTP/2 is enabled, which isn't really something we support in our packaging for Windows, but out of caution we have refreshed it to 12.0.20 as it was fairly stale anyway. [2] > > Monitoring that download point is the main way to keep track but as always, running (and patching) your own container is strongly advised. > > -- Scott > > [1] https://www.eclipse.org/lists/jetty-announce/msg00198.html > [2] https://shibboleth.net/downloads/identity-provider/jetty-windows/ > > > -- > To unsubscribe from this list send an email to announce-unsubscribe(a)shibboleth.net

7 months, 2 weeks

1
0
0 0

SSO Login Harica (Shibboleth)

by Mats Luspa

Hej! Enligt dokumentation här https://wiki.geant.org/pages/viewpage.action?spaceKey=TCSNT&title=TCS+2025+… så kräver Harica följande attribut: givenName (oid:2.5.4.42) surname (oid:2.5.4.4) mail (oid:0.9.2342.19200300.100.1.3) edupersonTargetedID (oid:1.3.6.1.4.1.5923.1.1.1.10) Men jag har problem att få iväg attributet edupersonTargetedID till Harica. I attribute-filter har jag följande: <AttributeFilterPolicy id="Harica"> <PolicyRequirementRule xsi:type="Requester" value="https://www.harica.gr/simplesamlphp/module.php/saml/sp/metadata.php/pki-grn…" /> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="surname"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="mail"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="edupersonTargetedID"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="tcsPersonalEntitlement"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="schacHomeOrganization"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="eduPersonPrimaryAffiliation"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> </AttributeFilterPolicy> I attribute-resolver: <AttributeDefinition xsi:type="SAML2NameID" xmlns="urn:mace:shibboleth:2.0:resolver" id="edupersonTargetedID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"> <InputDataConnector ref="StoredId" attributeNames="persistentId"/> <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="edupersonTargetedID" /> </AttributeDefinition> När jag loggar in så skickas attributet edupersonTargetedID enligt bilaga, men det ser ut som Harica vägrar att ta emot detta då jag får felmeddelande: Cannot create your account Your Identity Provider (IdP) does not provide HARICA with the appropriate info (attributes) for your account. Please contact your IdP, to fix this issue. Testade även med https://cm.harica.gr/loginsaml/test.php och då får jag att dessa attibut kommer fram (trots att attributen skickas enligt bilaga alltså): eduPersonPrincipalName: matsl(a)irf.se schacHomeOrganization: irf.se sn: Luspa eduPersonEntitlement: urn:mace:terena.org:tcs:personal-user eduPersonPrimaryAffiliation: The Swedish Institute of Space Physics givenName: Mats mail: mats.luspa(a)irf.se groups: realm-irf.se, users, members Är det någon i denna lista som fått SSO login till Harica att fungera med idp shibboleth (ver. 5.1.4)? /MVH Mats -- -- Mats Luspa Phone: +46 (0)980 79 022 Cellular phone: +46 (0)725813330 Institutet för rymdfysik Fax: +46 (0)980 79 050 Swedish Institute of Space Physics email: matsl(a)irf.se Visiting/Delivery address: Bengt Hultqvists väg 1, SE-981 92 Kiruna Postal address: Box 812, SE-981 28 Kiruna -- PGP Public Key: https://www.irf.se/pgp/matsl Digital vcard: https://www.irf.se/vcard/mats.luspa

7 months, 4 weeks

6
18
0 0

Fwd: IDP Documentation Survey

by Paul Scott

Shibboleth projekt vill gärna få feedback och förslag till förbättringar av IDP dokumentationen. Se mail nedan. -------- Forwarded Message -------- From: Steven Premeau via users <users(a)shibboleth.net<mailto:users@shibboleth.net>> Reply-To: Shib Users <users(a)shibboleth.net<mailto:users@shibboleth.net>> To: users(a)shibboleth.net<mailto:users@shibboleth.net> Cc: Steven Premeau <shibboleth(a)premeauenterprises.com<mailto:shibboleth@premeauenterprises.com>> Subject: IDP Documentation Survey Date: 11/04/25 17:04:34 Some of you may recognize me from my former roles in the University of Maine and University of Wisconsin systems. I am working with the Shibboleth Consortium to identify and prioritize options for improving the IDP (and IDP related) documentation -- one of the items on the Shibboleth Project Roadmap 2025-2026<https://shibboleth.atlassian.net/wiki/x/AQDS0#Enhanced-Product-Documentatio…>. If you are running the Shibboleth Identity Provider in production OR have utilized the existing documentation site(s), you are invited to participate in this effort by completing a survey sharing your experiences. The survey can be found at: https://forms.gle/1BD4uLkvWDrkEuEV9 The survey can be completed anonymously. Optionally, an email address can be provided -- it will only be used if there are any follow-up questions. The survey will close on Wednesday, April 30th. Thank you in advance, Steve. När du skickar e-post till Karlstads universitet behandlar vi dina personuppgifter<https://www.kau.se/gdpr>. When you send an e-mail to Karlstad University, we will process your personal data<https://www.kau.se/en/gdpr>.

8 months, 1 week

1
0
0 0

Omstart av release-check.swamid.se

by Johan Wassberg

Hej! Omstart av release-check.swamid.se <http://release-check.swamid.se/> kommer se under förmiddagen vilket kommer skapa ett kort avbrott i tjänsten. -- jocar SWAMID Operations

8 months, 1 week

1
0
0 0

FW: Sunetdagarna närmar sig – har du anmält dig?

by Pål Axelsson

Hej, Här kommer en påminnelse om Sunetdagarna i början av mig och att det är hög tid att anmäla sig. Pål From: Sunet <noreply(a)nyhetsbrev.sunet.se> Sent: Tuesday, March 25, 2025 2:40 PM To: Pål Axelsson <pax(a)sunet.se> Subject: Sunetdagarna närmar sig – har du anmält dig? Du får inte ofta e-post från noreply(a)nyhetsbrev.sunet.se<mailto:noreply@nyhetsbrev.sunet.se>. Läs om varför det här är viktigt<https://aka.ms/LearnAboutSenderIdentification> Sunetdagarna 2025 Webbversion<https://evt.ungpd.com/Issues/f46f2583-b836-4ee4-9939-f19aeb217e17/Click?Con…> [Omslagsbild "Sunetdagarna 2025"]<https://evt.ungpd.com/Issues/f46f2583-b836-4ee4-9939-f19aeb217e17/Click?Con…> Glöm inte att anmäla dig! Snart är det dags för Sunetdagarna i Luleå! Den 6–8 maj ses vi på LTU för tre dagar fyllda med inspiration, kunskap och nätverkande. Anmäl dig senast den 11 april på sunetdagarna.se<https://evt.ungpd.com/Issues/f46f2583-b836-4ee4-9939-f19aeb217e17/Click?Con…>. Till anmälan<https://evt.ungpd.com/Issues/f46f2583-b836-4ee4-9939-f19aeb217e17/Click?Con…> Exempel på sessioner – Från norrsken till Jupiter: rymdforskning för att förstå vårt solsystem – AI ur ett användarperspektiv – Nätverkssäkerhet och överbelastningsattacker – Kubernetes och Jupyter Notebooks för smidig molnbaserad utveckling – Framtidens säkerhet: Hot, insikter och lösningar – Identitetshantering 101 – Workshop och Demo: Proctoring vid examination Se fler sessioner i programmet på sunetdagarna.se<https://evt.ungpd.com/Issues/f46f2583-b836-4ee4-9939-f19aeb217e17/Click?Con…>. Datum: 6–8 maj 2025 Plats: Luleå tekniska universitet. Det går ej att delta digitalt. Anmälan: Konferensen är kostnadsfri men platserna är begränsade så vänta inte för länge med din anmälan. Anmälan stänger den 11 april klockan 13.00. Sunetdagarna är för dig som arbetar i en Sunetansluten organisation eller är intresserad av Sunets verksamhet. [Logotyp Luleå tekniska universitet]<https://evt.ungpd.com/Issues/f46f2583-b836-4ee4-9939-f19aeb217e17/Click?Con…> Frågor? Kontakta info(a)sunetdagarna.se<mailto:info@sunetdagarna.se?subject=%20> [Sunet logotyp]<https://evt.ungpd.com/Issues/f46f2583-b836-4ee4-9939-f19aeb217e17/Click?Con…> Webb: sunet.se Telefon: 090-205 91 00 Besöksadress: Tulegatan 11, 113 53 Stockholm Sunet är en del av Vetenskapsrådet<https://evt.ungpd.com/Issues/f46f2583-b836-4ee4-9939-f19aeb217e17/Click?Con…> Avprenumerera<https://ui.ungpd.com/Contacts/6c47c5b8-6387-48df-ac1d-10f0bc78ac3b/Unsubscr…>

8 months, 2 weeks

1
1
0 0

Vilka MFA-metoder används inom swamid?

by Roger Mårtensson

Hej! Tänkte höra mig för vilka MFA-metoder som används eller funderar på att användas som uppfyller de krav som AL2 och AL3 ställer? Dvs, tekniker som uppfyller kraven och möjligen fungerar efter 2025/2027? Vad är det för produkter som används? Hur "brett" använder ni dessa? Är det någon som använder samma MFA-lösning i andra system utöver er IDP? Tror frågorna räcker. Anledningen är att vi tittar på att uppdatera AL2 (eller AL3) där vi försöker få tips på vilka tekniker som finns och som går/kommer gå att använda inom Swamid idag och i framtiden. Roger Mårtensson System specialist / Systemspecialist MID SWEDEN UNIVERSITY Avdelningen för infrastruktur / Division of infrastructure E-mail: roger.martensson(a)miun.se<mailto:roger.martensson@miun.se> Information about processing of personal data at Mid Sweden University: www.miun.se/en/personaldata<https://www.miun.se/en/personaldata>

8 months, 2 weeks

8
12
0 0

Fwd: Shibboleth IdP TOTP plugin V2.3.0 available

by Björn Mattsson

Hej, För kännedom till er som kör. Tänk dock på att mjukvara TOTP inte är tillåtet i SWAMID efter 2025. // Björn M > Begin forwarded message: > > From: "Cantor, Scott via announce" <announce(a)shibboleth.net> > Subject: Shibboleth IdP TOTP plugin V2.3.0 available > Date: 1 April 2025 at 16:01:34 GMT+1 > To: "announce(a)shibboleth.net" <announce(a)shibboleth.net> > Cc: "Cantor, Scott" <cantor.2(a)osu.edu> > Reply-To: users(a)shibboleth.net > > [You don't often get email from announce(a)shibboleth.net. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] > > A new version of the TOTP plugin for the IdP is now available, V2.3.0. > > The only additional feature is adding success/failure audit logging along the lines of the other authentication flows. > > -- Scott > > > -- > To unsubscribe from this list send an email to announce-unsubscribe(a)shibboleth.net

8 months, 3 weeks

2
1
0 0

mysql-client/server

by Vyacheslav Lytvynenko

Hej Jag stötte på ett litet problem när jag försökte uppgradera OSet på vår IDP-server (Ubuntu). Det är två paket som inte kan autouppdateras och verkar behöva skötas manuellt - mysql-server och mysql-client. Två frågor, vad exakt används dessa till på IDP-servern (den server kör endast IDP) och vad är smidigaste sättet att uppdatera dessa på (om det nu behövs)? Bifogar texten från /var/log/unattended-upgrades/unattended-upgrades.log 2025-04-01 12:39:26,031 INFO Starting unattended upgrades script 2025-04-01 12:39:26,032 INFO Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security 2025-04-01 12:39:26,032 INFO Initial blacklist: 2025-04-01 12:39:26,032 INFO Initial whitelist (not strict): 2025-04-01 12:39:26,734 WARNING package mysql-client upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-01 12:39:27,052 WARNING package mysql-client upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-01 12:39:27,383 WARNING package mysql-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-01 12:39:27,702 WARNING package mysql-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-01 12:39:28,092 INFO No packages found that can be upgraded unattended and no pending auto-removals 2025-04-01 12:39:28,221 INFO Package mysql-client is kept back because a related package is kept back or due to local apt_preferences(5). 2025-04-01 12:39:28,222 INFO Package mysql-server is kept back because a related package is kept back or due to local apt_preferences(5). 2025-04-01 12:46:47,746 INFO Starting unattended upgrades script 2025-04-01 12:46:47,746 INFO Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security 2025-04-01 12:46:47,746 INFO Initial blacklist: 2025-04-01 12:46:47,747 INFO Initial whitelist (not strict): 2025-04-01 12:46:48,604 WARNING package mysql-client upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-01 12:46:48,929 WARNING package mysql-client upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-01 12:46:49,366 WARNING package mysql-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-01 12:46:49,677 WARNING package mysql-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-02 06:34:52,497 INFO Starting unattended upgrades script 2025-04-02 06:34:52,497 INFO Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security 2025-04-02 06:34:52,498 INFO Initial blacklist: 2025-04-02 06:34:52,498 INFO Initial whitelist (not strict): 2025-04-02 06:34:53,450 WARNING package mysql-client upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-02 06:34:53,783 WARNING package mysql-client upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-02 06:34:54,249 WARNING package mysql-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-02 06:34:54,584 WARNING package mysql-server upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.) 2025-04-02 06:34:55,611 INFO Packages that will be upgraded: linux-generic linux-headers-generic linux-image-generic 2025-04-02 06:34:55,611 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log 2025-04-02 06:35:40,243 INFO All upgrades installed 2025-04-02 06:35:52,104 INFO Packages that were successfully auto-removed: linux-headers-5.4.0-208 linux-headers-5.4.0-208-generic linux-image-5.4.0-208-generic linux-modules-5.4.0-208-generic linux-modules-extra-5.4.0-208-generic 2025-04-02 06:35:52,104 INFO Packages that are kept back: 2025-04-02 06:35:52,347 INFO Package mysql-client is kept back because a related package is kept back or due to local apt_preferences(5). 2025-04-02 06:35:52,348 INFO Package mysql-server is kept back because a related package is kept back or due to local apt_preferences(5). Mvh Vyacheslav Lytvynenko IT-avdelningen Högskolan i Skövde

8 months, 3 weeks

2
1
0 0

Fwd: Shibboleth Identity Provider Security Advisory [26 March 2025]

by Björn Mattsson

Hej, För kännedom. Är samma säkerhetshål som för Shibboleth SP som vi skickar om förra veckan. Men nu är det IdP:n som har fått en fix. Inte lika akut som SP:n men ni bör nog uppgradera ändå. Infon skickad till saml-admins + admin, teknik och säkerhetskontakt i metadatat för de Shibboleth IdP jag hittat i SWAMID // Björn M > Begin forwarded message: > > From: "Cantor, Scott via announce" <announce(a)shibboleth.net> > Subject: Shibboleth Identity Provider Security Advisory [26 March 2025] > Date: 27 March 2025 at 15:04:56 CET > To: "announce(a)shibboleth.net" <announce(a)shibboleth.net> > Cc: "Cantor, Scott" <cantor.2(a)osu.edu> > Reply-To: users(a)shibboleth.net > > Shibboleth Identity Provider Security Advisory [26 March 2025] > > An updated version of the OpenSAML Java library is available > which corrects a parameter manipulation vulnerability when > using SAML bindings that rely on non-XML signatures. > > The Shibboleth Identity Provider is impacted by this issue, and > it manifests as a low to moderate security issue in that context, > depending on its configuration. > > A separate advisory may be issued discussing the broader > implications for those using the OpenSAML library directly. > > Parameter manipulation allows the forging of signed SAML messages > ================================================================= > Vulnerabilities in the OpenSAML library used by the Shibboleth > Identity Provider allowed for creative manipulation of parameters > combined with reuse of the contents of older requests to fool the > library's signature verification of non-XML based signed messages. > > The uses of that feature involve very low or low impact use cases > without significant security implications, and allow an attacker > to forge signed messages used to request authentication or logout, > neither of which presents a major concern. > > The IdP's support for inbound SAML assertions (proxying SAML > authentication) did partially support the POST-SimpleSign binding > but is not believed vulnerable to an attack. This support was > not documented and has been removed in this patch out of caution. > > A moderate issue resulting in potential information disclosure (but > not forged logins) exists when the "skipEndpointValidationWhenSigned" > profile configuration option is used [1]. This option does not > implement standardized SAML behavior, and allows an IdP to be > manipulated into sending responses to any URL contained in a > request, provided the request is signed. > > This vulnerability allows an attacker to manipulate the IdP into > responding to a URL of the attacker's choice, but in doing so the > response can only be used compliantly by a Service Provider > operating under the expected entityID and at that exact location. > Furthermore, in most cases the enclosed data would be encrypted > under a key known only to the legitimate SP. It would be an > unusual and deliberate decision to implement this feature with > an SP *not* also having an encryption key to use, and moreover > to do so while relying on the known-vulnerable AES-CBC encryption > algorithm. > > Thus, a combination of a number of deliberate, and to some extent > poor, configuration choices create an information disclosure > concern. > > Recommendations > =============== > Update to V5.1.4 (or later) of the Identity Provider software. > > In the meantime, avoiding use of the "skipEndpointValidationWhenSigned" > profile option in conjunction with an SP without an encryption key > or which does not support the modern AES-GCM data encryption algorithm > is advisable as a mitigation. > > Credits > ======= > Thanks to Alexander Tan of SecureSAML for discovering and reporting > this vulnerability. > > > [1] https://shibboleth.atlassian.net/wiki/x/yKC0vg > [2] https://shibboleth.atlassian.net/wiki/x/koO0vg > > URL for this Security Advisory: > https://shibboleth.net/community/advisories/secadv_20250326.txt

9 months

1
0
0 0

Underhåll på metadata.swamid.se - onsdag 26 mars

by Johan Wassberg

Hallihallå! Onsdag 26 mars med start klockan 09.00 kommer vi göra underhåll på metadata.swamid.se. Borde gå snabbt och smärtfritt, meddelar via denna kanal när allting är klart och verktyget redo att användas igen. -- jocar

9 months

1
1
1 0

2025

2024

2023

2022

2021

Saml-admins