Please help reduce SAML 1 usage in the UK federation (was: SAML1.1 attribute release on Shib 3)

Dave Perry Dave.Perry at hull-college.ac.uk
Mon Feb 20 05:14:02 EST 2017


I tried sending this off-list but my saved email address for you seems to be dead (used Andi's command).

HTH,
Dave

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group (Monday - Thursday)

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at hull-college.ac.uk<mailto:elearning at hull-college.ac.uk> *

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Todd, James
Sent: 20 February 2017 10:00
To: Shib Users
Subject: RE: Please help reduce SAML 1 usage in the UK federation (was: SAML1.1 attribute release on Shib 3)


Alex



Not running a Shib IdP but still this is the list of SPs we had to specify SAML1.1 for on our PingFederate IdP


Connection Name              ConnectionID
Brill Online                 https://booksandjournals.brillonline.com/shibboleth
Edinburgh University Press   https://www.euppublishing.com/shibboleth
Ingenta Connect              https://www.ingentaconnect.com/shibboleth
Karger SAML1.1               https://www.karger.com/shibboleth
Lexis-Nexis                  https://shib.lexisnexis.com
Microbiology Research        https://www.microbiologyresearch.org/shibboleth
MIT Press Journals           https://www.mitpressjournals.org/shibboleth
Safari UK DataService        https://safari.data-archive.ac.uk/shibboleth-sp
saml1.1 MedicinesComplete    https://www.medicinescomplete.com/mc/shibboleth
Westlaw                      https://www.westlaw.co.uk/metadata




Thanks

James

_____________________________________

James Todd | Data Centre & Operations Analyst

Edinburgh Napier University

Craiglockhart Campus

Edinburgh

EH14 1DJ

Tel: 0131 455 4313

Email: j.todd at napier.ac.uk<mailto:j.todd at napier.ac.uk>



-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Alex Stuart
Sent: 16 February 2017 17:38
To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Subject: Please help reduce SAML 1 usage in the UK federation (was: SAML1.1 attribute release on Shib 3)



Hi Folks,



I'd just like to outline what the UK federation has been doing to deal with its chronic SAML 1 usage, and I have a request for assistance to Shibboleth IdP operators.



Some history: By the end of 2013, all entities registered in the UK federation had a directly embedded key, enabling IdPs to encrypt SAML 2 assertions to SPs, although we had approximately 250 registered IdPs and 100 SPs that did not support SAML 2. Since then, we've been slowly chipping away at the SAML 1-only entities. In 2016, we made an effort to obtain SAML 2 metadata for all entities and we are now in the position that less than 2% of registered entities (22 SPs and 14 IdPs) do not support SAML 2 in metadata.



Even so, we know that SAML 1 is still being used by SPs which appear to support SAML 2: because SPs use the WAYF protocol with our Central Discovery Service; from discussion here; and because we have many calls to the service desk about SAML 1 Attribute Queries.



I've asked some IdP operators if they can provide anonymised data on SPs that are using SAML 1. I intend to collate the results, draw up a prioritised list, and work with the SP operators to reduce SAML 1 usage.



If you're running a Shibboleth IdP in the UK federation and wish to help us, please let me know directly or through the UK federation service desk (service at ukfederation.org.uk<mailto:service at ukfederation.org.uk>) which SPs are using SAML 1 with your IdP. Even better, by providing frequencies of SAML 1 and SAML 2 usage, we can determine whether there are conditions that trigger SAML 1 in a predominantly SAML 2-using SP. The output from a command like these would be super (it should output the SP entityID, the profiles used, and the number of each):



cat idp-audit.log | cut -d\| -f4,5 | sort | uniq -c



cat idp-audit-2017-01*.log | cut -d\| -f4,5 | sort | uniq -c



Any advice appreciated.



Thanks,

Alex





> On 15 Feb 2017, at 16:57, Todd, James <J.Todd at napier.ac.uk<mailto:J.Todd at napier.ac.uk>> wrote:
>
> You'd be surprised, seems to be quite a few in the UK Federation that I've had to deal with in the last couple of months.
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
> Sent: 15 February 2017 16:41
> To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
> Subject: Re: SAML1.1 attribute release on Shib 3
>
> On 2/15/17, 11:34 AM, "users on behalf of Morris, Andi" <users-bounces at shibboleth.net on behalf of amorris at cardiffmet.ac.uk<mailto:users-bounces at shibboleth.net%20on%20behalf%20of%20amorris at cardiffmet.ac.uk>> wrote:
>
>> We configured the backchannel as per the Jetty config page on the
>> Shib wiki, so I would hope it is correct. I'll definitely look
>> further at that, as well as the metadata. We just used the default metadata created during the install (this is just a dev server).
>
> Is there really that much SAML 1 left you need to support? Your time may be better spent chasing down as many as you can and figuring out why they're using a 15 year old standard 12 years after it was replaced.
>
> I have basically two left myself: National Institutes of Health and OhioLink. Low enough volume that I can simply push the attributes and move on.
>
> -- Scott
>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
>
> This message and its attachment(s) are intended for the addressee(s) only and should not be read, copied, disclosed, forwarded or relied upon by any person other than the intended addressee(s) without the permission of the sender. If you are not the intended addressee you must not take any action based on this message and its attachment(s) nor must you copy or show them to anyone. Please respond to the sender and ensure that this message and its attachment(s) are deleted.
>
> It is your responsibility to ensure that this message and its attachment(s) are scanned for viruses or other defects. Edinburgh Napier University does not accept liability for any loss or damage which may result from this message or its attachment(s), or for errors or omissions arising after it was sent. Email is not a secure medium. Emails entering Edinburgh Napier University's system are subject to routine monitoring and filtering by Edinburgh Napier University.
>
> Edinburgh Napier University is a registered Scottish charity.
> Registration number SC018373
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
>



-

Alex Stuart

UK federation support team

alex.stuart at jisc.ac.uk<mailto:alex.stuart at jisc.ac.uk>
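Added example, not code from the thread or from the Shibboleth project: a Python script that does the job of the cut/sort/uniq pipeline Alex asks for and goes one step further, splitting the SPs seen in an IdP v3 audit log into SAML 1-only, SAML 2-only and mixed (both versions observed), since the mixed SPs are the ones where something in the flow still falls back to SAML 1. It assumes the default IdP v3 audit layout that the cut command also relies on (pipe-separated fields, field 4 the requesting SP entityID, field 5 the profile ID); the log lines embedded below are constructed, not real traffic.

```python
"""Tally SAML 1 vs SAML 2 usage per SP from a Shibboleth IdP v3 audit log.

Assumes the default IdP v3 audit layout: '|'-separated fields, field 4 the
requesting SP entityID, field 5 the profile ID. Run with the path to an
idp-audit.log, or with no argument to use the constructed sample below.
"""
from collections import Counter, defaultdict
import sys

# Profile ID namespaces the IdP v3 writes into the audit log.
SAML1_PREFIX = "http://shibboleth.net/ns/profiles/saml1/"
SAML2_PREFIX = "http://shibboleth.net/ns/profiles/saml2/"

# Constructed sample lines (not real traffic). Only fields 4 and 5 are used;
# the other fields are filler in the shape of the default layout. The last
# line is deliberately malformed to show the skip path.
SAMPLE_LOG = """\
20170116T083112Z|urn:oasis:names:tc:SAML:2.0:protocol|_a1|https://sp-a.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.ac.uk/idp/shibboleth
20170116T083140Z|urn:oasis:names:tc:SAML:2.0:protocol|_a2|https://sp-a.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.ac.uk/idp/shibboleth
20170116T090501Z|urn:oasis:names:tc:SAML:1.1:protocol|_b1|https://sp-b.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/sso/browser|https://idp.example.ac.uk/idp/shibboleth
20170116T090503Z|urn:oasis:names:tc:SAML:1.1:protocol|_b2|https://sp-b.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://idp.example.ac.uk/idp/shibboleth
20170116T101200Z|urn:oasis:names:tc:SAML:2.0:protocol|_c1|https://sp-c.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.ac.uk/idp/shibboleth
20170116T101230Z|urn:oasis:names:tc:SAML:1.1:protocol|_c2|https://sp-c.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/sso/browser|https://idp.example.ac.uk/idp/shibboleth
malformed line with no separators
"""


def parse_audit_line(line):
    """Return (sp_entity_id, profile_id) from one audit line, or None if absent."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) < 5:
        return None
    sp, profile = fields[3].strip(), fields[4].strip()
    if not sp or not profile:
        return None
    return sp, profile


def tally_profiles(lines):
    """Count (SP, profile) pairs: the equivalent of cut -f4,5 | sort | uniq -c.
    Returns (Counter, number of lines skipped as malformed)."""
    counts = Counter()
    skipped = 0
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            skipped += 1
            continue
        counts[parsed] += 1
    return counts, skipped


def saml_version_summary(counts):
    """Per SP: SAML 1 / SAML 2 / other transaction counts and the profile IDs seen."""
    summary = defaultdict(lambda: {"saml1": 0, "saml2": 0, "other": 0, "profiles": set()})
    for (sp, profile), n in counts.items():
        entry = summary[sp]
        if profile.startswith(SAML1_PREFIX):
            entry["saml1"] += n
        elif profile.startswith(SAML2_PREFIX):
            entry["saml2"] += n
        else:
            entry["other"] += n
        entry["profiles"].add(profile)
    return dict(summary)


def classify_sps(summary):
    """Split SPs into SAML1-only, mixed (both versions seen) and SAML2-only.
    Mixed SPs are the ones worth chasing: they can do SAML 2 but something
    in their flow still triggers SAML 1."""
    saml1_only, mixed, saml2_only = [], [], []
    for sp, e in sorted(summary.items()):
        if e["saml1"] and e["saml2"]:
            mixed.append(sp)
        elif e["saml1"]:
            saml1_only.append(sp)
        elif e["saml2"]:
            saml2_only.append(sp)
    return saml1_only, mixed, saml2_only


def report(lines):
    """Text a federation operator could be sent: uniq -c style counts plus the
    per-SP classification. Contains entityIDs and counts only, no user data."""
    counts, skipped = tally_profiles(lines)
    summary = saml_version_summary(counts)
    saml1_only, mixed, saml2_only = classify_sps(summary)
    out = [f"{n:7d} {sp}|{profile}" for (sp, profile), n in sorted(counts.items())]
    out.append("")
    out.append(f"SAML 1 only : {len(saml1_only)}  {' '.join(saml1_only)}")
    out.append(f"mixed       : {len(mixed)}  {' '.join(mixed)}")
    out.append(f"SAML 2 only : {len(saml2_only)}  {' '.join(saml2_only)}")
    out.append(f"malformed lines skipped: {skipped}")
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(report(fh.read().splitlines()))
    else:
        print(report(SAMPLE_LOG.splitlines()))
```

The output only carries SP entityIDs, profile IDs and counts, which is the anonymised shape of data the request asks for; usernames and other per-transaction fields in the audit log are never read. If a deployment has customised the audit format in audit.xml, adjust the two field indexes in parse_audit_line accordingly.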










**********************************************************************
This message is sent in confidence for the addressee
only. It may  contain confidential or sensitive
information.  The contents are not to be disclosed
to anyone other than the addressee.  Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission.  Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College.  Nothing in this
message should be construed as creating a contract.

Hull College Group owns the email infrastructure, including the contents.

Hull College Group is committed to sustainability, please reflect before printing this email.
**********************************************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20170220/e7c90100/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alex_saml1-2017-hcuk.log
Type: application/octet-stream
Size: 1113 bytes
Desc: alex_saml1-2017-hcuk.log
URL: <http://shibboleth.net/pipermail/users/attachments/20170220/e7c90100/attachment-0001.obj>

