Tracing edupersontargetedid to usernames

David Langenberg davel at uchicago.edu
Tue May 27 13:28:14 EDT 2014


We use the computedID connector here &

echo -n '<SP EntityID>!<NetID>!<Secret>' | openssl dgst -binary -sha1 | openssl base64

is what we use when we have to build a rainbow table for a particular
service. Before we go building said table though we do work with the
service to get a narrow window for the suspicious activity and then use our
audit logs to narrow down the list of users to just those who accessed the
service during the window.

Dave



On Tue, May 27, 2014 at 10:39 AM, Steve Glover <steve.glover at ed.ac.uk>
wrote:

> On 27/05/14 15:56, Peter Schober wrote:
>
> >> Or am I missing something horribly obvious?
>
> (clearly, I was)
>
> > Not sure what you're saying, the aacli doesn't take ePTId as an
> > input. Are you suggesting to loop over all userids with the aacli?
>
> I had been. I didn't consider the issues involved in scaling up from a
> test IdP with less than ten "users"
>
> > That would work but I'm guessing will be /much/ slower than simply
> > finding and re-implementing the algorithm used in the generation of
> > the values and doing the looping outside of repeated JVM startups and
> > teardowns for every single subject.
>
> Hadn't realised there was quite so much overhead - I just went to
> another screen and left the script running (once I'd found out about the
> whole missing servlet-api.jar thing and upgraded to 2.4.0).
>
> But yeah, on checking, running the aacli.sh script eight times took
> 2m48s - scaling to any useful number of users to generate the epTID
> would be silly (that said, "simply finding and re-implementing the
> algorithm" would probably take me an even more ridiculous amount of time).
>
> It occurs to me that a tool to generate ePTIDs for all an IdP's users
> might be useful for just this sort of occasion
>
> Steve
>
>
>
> > -peter
>
>
> --
> Steve Glover: SDSS, EDINA, Causewayside House, 160 Causewayside EH9 1PR
> e:steve.glover at ed.ac.uk t:0131 650 2908 f:0131 650 3308 m:07961 446 902
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>



-- 
David Langenberg
Identity & Access Management
The University of Chicago
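The lookup Dave describes, as an added example that is not part of the original post or of the Shibboleth IdP code: the same SHA-1/base64 derivation as the openssl pipeline, a candidate list narrowed to users who hit the SP inside the incident window, and a reverse table over only those candidates. The SP entityID, salt and audit records are constructed for the example; the real IdP audit log has its own field layout, so the record parser would need adapting.

```python
import base64
import hashlib
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed values for the example; a real IdP uses its own relying-party
# entityID and the salt configured on its computedId data connector.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SECRET = "constructed-salt-not-a-real-one"


def computed_id(sp_entity_id: str, net_id: str, secret: str) -> str:
    """Same bytes as the posted pipeline:
    echo -n '<SP EntityID>!<NetID>!<Secret>' | openssl dgst -binary -sha1 | openssl base64
    """
    material = f"{sp_entity_id}!{net_id}!{secret}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


# Constructed audit records: (timestamp, NetID, SP entityID). Not the IdP's
# real audit log format; adapt the tuple extraction to the actual fields.
AUDIT = [
    ("2014-05-27T09:55:00", "alice", SP_ENTITY_ID),
    ("2014-05-27T10:02:00", "bob", SP_ENTITY_ID),
    ("2014-05-27T10:10:00", "carol", "https://other.example.org/shibboleth"),
    ("2014-05-27T10:20:00", "dave", SP_ENTITY_ID),
    ("2014-05-27T11:30:00", "erin", SP_ENTITY_ID),
]


def users_in_window(records, sp_entity_id: str, start: str, end: str) -> List[str]:
    """Narrow the candidate list to users who authenticated to this SP in the window."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    seen: List[str] = []
    for ts, net_id, sp in records:
        if sp == sp_entity_id and lo <= datetime.fromisoformat(ts) <= hi and net_id not in seen:
            seen.append(net_id)
    return seen


def build_table(sp_entity_id: str, net_ids: Iterable[str], secret: str) -> Dict[str, str]:
    """ePTID value -> NetID, computed only for the narrowed candidates."""
    return {computed_id(sp_entity_id, n, secret): n for n in net_ids}


def trace(eptid_value: str, records, sp_entity_id: str, secret: str, start: str, end: str) -> Optional[str]:
    """Resolve one ePTID value reported by the SP to a NetID, or None if no candidate matches."""
    table = build_table(sp_entity_id, users_in_window(records, sp_entity_id, start, end), secret)
    return table.get(eptid_value)
```

A value the SP reports that resolves to None means either the window is wrong or the reported identifier was not issued for that SP with this salt.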