Tracing edupersontargetedid to usernames

Steve Glover steve.glover at ed.ac.uk
Tue May 27 14:05:18 EDT 2014


On 27/05/14 18:28, David Langenberg wrote:
> We use the computedID connector here &
>
> echo -n '<SP EntityID>!<NetID>!<Secret>' | openssl dgst -binary -sha1 | openssl base64

Simple as that! Wow - many thanks!

Cheers

Steve

> is what we use when we have to build a rainbow table for a particular
> service. Before we go building said table though we do work with the
> service to get a narrow window for the suspicious activity and then use our
> audit logs to narrow down the list of users to just those who accessed the
> service during the window.
>
> Dave
>
>
>
> On Tue, May 27, 2014 at 10:39 AM, Steve Glover <steve.glover at ed.ac.uk>
> wrote:
>
>> On 27/05/14 15:56, Peter Schober wrote:
>>
>>>> Or am I missing something horribly obvious?
>>
>> (clearly, I was)
>>
>>> Not sure what you're saying, the aacli doesn't take ePTId as an
>>> input. Are you suggesting to loop over all userids with the aacli?
>>
>> I had been. I didn't consider the issues involved in scaling up from a
>> test IdP with less than ten "users"
>>
>>> That would work but I'm guessing will be /much/ slower than simply
>>> finding and re-implementing the algorithm used in the generation of
>>> the values and doing the looping outside of repeated JVM startups and
>>> teardowns for every single subject.
>>
>> Hadn't realised there was quite so much overhead - I just went to
>> another screen and left the script running (once I'd found out about the
>> whole missing servlet-api.jar thing and upgraded to 2.4.0).
>>
>> But yeah, on checking, running the aacli.sh script eight times took
>> 2m48s - scaling to any useful number of users to generate the ePTID
>> would be silly (that said, "simply finding and re-implementing the
>> algorithm" would probably take me an even more ridiculous amount of time).
>>
>> It occurs to me that a tool to generate ePTIDs for all an IdP's users
>> might be useful for just this sort of occasion
>>
>> Steve
>>
>>
>>
>>> -peter
>>> --
>>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>>
>>>
>>>
>>
>>
>> --
>> Steve Glover: SDSS, EDINA, Causewayside House, 160 Causewayside EH9 1PR
>> e:steve.glover at ed.ac.uk t:0131 650 2908 f:0131 650 3308 m:07961 446 902
>>
>> The University of Edinburgh is a charitable body, registered in
>> Scotland, with registration number SC005336.


-- 
Steve Glover: SDSS, EDINA, Causewayside House, 160 Causewayside EH9 1PR
e:steve.glover at ed.ac.uk t:0131 650 2908 f:0131 650 3308 m:07961 446 902

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
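
The procedure described in this thread (narrow the candidate users from the audit logs, then hash each one the way the quoted openssl pipeline does) can be written as a short script. This is an added example, not code from the thread or from the Shibboleth project; the SP entityID, secret, NetIDs and the `timestamp|SP|NetID` audit line format are all constructed for illustration.

```python
import base64
import hashlib
from datetime import datetime

def computed_id(sp_entity_id, net_id, secret):
    """base64(SHA-1('<SP EntityID>!<NetID>!<Secret>')), as in the quoted pipeline."""
    material = f"{sp_entity_id}!{net_id}!{secret}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")

def users_in_window(audit_lines, sp_entity_id, start, end):
    """NetIDs that accessed the given SP between start and end (inclusive)."""
    users = set()
    for line in audit_lines:
        ts, sp, net_id = line.strip().split("|")  # hypothetical log format
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if sp == sp_entity_id and start <= when <= end:
            users.add(net_id)
    return users

def trace_eptid(eptid, audit_lines, sp_entity_id, secret, start, end):
    """Map an ePTID reported by the SP back to a NetID, or None if no match."""
    candidates = users_in_window(audit_lines, sp_entity_id, start, end)
    table = {computed_id(sp_entity_id, u, secret): u for u in candidates}
    return table.get(eptid)

# Constructed sample data: not real identifiers, logs or secrets.
SP = "https://sp.example.org/shibboleth"
SECRET = "constructed-salt-value"
AUDIT = [
    "2014-05-27T09:58:12|https://sp.example.org/shibboleth|alice",
    "2014-05-27T10:03:40|https://sp.example.org/shibboleth|bob",
    "2014-05-27T10:04:02|https://other.example.net/sp|dave",
    "2014-05-27T13:30:00|https://sp.example.org/shibboleth|carol",
]
WINDOW = (datetime(2014, 5, 27, 9, 30), datetime(2014, 5, 27, 10, 30))

if __name__ == "__main__":
    reported = computed_id(SP, "bob", SECRET)  # stands in for the SP's report
    print(reported, "->", trace_eptid(reported, AUDIT, SP, SECRET, *WINDOW))
```

Because the value depends on the SP entityID, a table built for one service cannot be reused for another, and a user who falls outside the window yields no match rather than a wrong one.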