Please help reduce SAML 1 usage in the UK federation (was: SAML1.1 attribute release on Shib 3)
Dave Perry
Dave.Perry at hull-college.ac.uk
Mon Feb 20 05:14:02 EST 2017
I tried sending this off-list but my saved email address for you seems to be dead (used Andi's command).
HTH,
Dave
_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group (Monday - Thursday)
Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930
* Need a fast reply? Try elearning at hull-college.ac.uk *
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Todd, James
Sent: 20 February 2017 10:00
To: Shib Users
Subject: RE: Please help reduce SAML 1 usage in the UK federation (was: SAML1.1 attribute release on Shib 3)
Alex,
Not running a Shib IdP, but still, this is the list of SPs we had to specify SAML1.1 for on our PingFederate IdP:
Connection Name             ConnectionID
Brill Online                https://booksandjournals.brillonline.com/shibboleth
Edinburgh University Press  https://www.euppublishing.com/shibboleth
Ingenta Connect             https://www.ingentaconnect.com/shibboleth
Karger SAML1.1              https://www.karger.com/shibboleth
Lexis-Nexis                 https://shib.lexisnexis.com
Microbiology Research       https://www.microbiologyresearch.org/shibboleth
MIT Press Journals          https://www.mitpressjournals.org/shibboleth
Safari UK DataService       https://safari.data-archive.ac.uk/shibboleth-sp
saml1.1 MedicinesComplete   https://www.medicinescomplete.com/mc/shibboleth
Westlaw                     https://www.westlaw.co.uk/metadata
Thanks
James
_____________________________________
James Todd | Data Centre & Operations Analyst
Edinburgh Napier University
Craiglockhart Campus
Edinburgh
EH14 1DJ
Tel: 0131 455 4313
Email: j.todd at napier.ac.uk
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Alex Stuart
Sent: 16 February 2017 17:38
To: Shib Users <users at shibboleth.net>
Subject: Please help reduce SAML 1 usage in the UK federation (was: SAML1.1 attribute release on Shib 3)
Hi Folks,
I'd just like to outline what the UK federation has been doing to deal with its chronic SAML 1 usage, and I have a request for assistance to Shibboleth IdP operators.
Some history: By the end of 2013, all entities registered in the UK federation had a directly embedded key, enabling IdPs to encrypt SAML 2 assertions to SPs, although we had approximately 250 registered IdPs and 100 SPs that did not support SAML 2. Since then, we've been slowly chipping away at the SAML 1-only entities. In 2016, we made an effort to obtain SAML 2 metadata for all entities and we are now in the position that less than 2% of registered entities (22 SPs and 14 IdPs) do not support SAML 2 in metadata.
Even so, we know that SAML 1 is still being used by SPs which appear to support SAML 2: because SPs use the WAYF protocol with our Central Discovery Service; from discussion here; and because we have many calls to the service desk about SAML 1 Attribute Queries.
I've asked some IdP operators if they can provide anonymised data on SPs that are using SAML 1. I intend to collate the results, draw up a prioritised list, and work with the SP operators to reduce SAML 1 usage.
If you're running a Shibboleth IdP in the UK federation and wish to help us, please let me know directly or through the UK federation service desk (service at ukfederation.org.uk) which SPs are using SAML 1 with your IdP. Even better, by providing frequencies of SAML 1 and SAML 2 usage, we can determine whether there are conditions that trigger SAML 1 in a predominantly SAML 2-using SP. The output from a command like these would be super (it should output the SP entityID, the profiles used, and the number of each):
cat idp-audit.log | cut -d\| -f4,5 | sort | uniq -c
cat idp-audit-2017-01*.log | cut -d\| -f4,5 | sort | uniq -c
Any advice appreciated.
Thanks,
Alex
> On 15 Feb 2017, at 16:57, Todd, James <J.Todd at napier.ac.uk> wrote:
>
> You'd be surprised, seems to be quite a few in the UK Federation that I've had to deal with in the last couple of months.
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor,
> Scott
> Sent: 15 February 2017 16:41
> To: Shib Users <users at shibboleth.net>
> Subject: Re: SAML1.1 attribute release on Shib 3
>
> On 2/15/17, 11:34 AM, "users on behalf of Morris, Andi" <users-bounces at shibboleth.net on behalf of amorris at cardiffmet.ac.uk> wrote:
>
>> We configured the backchannel as per the Jetty config page on the
>> Shib wiki, so I would hope it is correct. I'll definitely look
>> further at that, as well as the metadata. We just used the default metadata created during the install (this is just a dev server).
>
> Is there really that much SAML 1 left you need to support? Your time may be better spent chasing down as many as you can and figuring out why they're using a 15-year-old standard 12 years after it was replaced.
>
> I have basically two left myself: National Institutes of Health and OhioLink. Low enough volume that I can simply push the attributes and move on.
>
> -- Scott
>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
> This message and its attachment(s) are intended for the addressee(s) only and should not be read, copied, disclosed, forwarded or relied upon by any person other than the intended addressee(s) without the permission of the sender. If you are not the intended addressee you must not take any action based on this message and its attachment(s) nor must you copy or show them to anyone. Please respond to the sender and ensure that this message and its attachment(s) are deleted.
>
> It is your responsibility to ensure that this message and its attachment(s) are scanned for viruses or other defects. Edinburgh Napier University does not accept liability for any loss or damage which may result from this message or its attachment(s), or for errors or omissions arising after it was sent. Email is not a secure medium. Emails entering Edinburgh Napier University's system are subject to routine monitoring and filtering by Edinburgh Napier University.
>
> Edinburgh Napier University is a registered Scottish charity.
> Registration number SC018373
>
-
Alex Stuart
UK federation support team
alex.stuart at jisc.ac.uk
**********************************************************************
This message is sent in confidence for the addressee
only. It may contain confidential or sensitive
information. The contents are not to be disclosed
to anyone other than the addressee. Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission. Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College. Nothing in this
message should be construed as creating a contract.
Hull College Group owns the email infrastructure, including the contents.
Hull College Group is committed to sustainability, please reflect before printing this email.
**********************************************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alex_saml1-2017-hcuk.log
Type: application/octet-stream
Size: 1113 bytes
Desc: alex_saml1-2017-hcuk.log
URL: <http://shibboleth.net/pipermail/users/attachments/20170220/e7c90100/attachment-0001.obj>
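The `cut | sort | uniq -c` pipeline Alex asks for gives raw counts per (SP, profile) pair; what the federation actually wants to spot is (a) SPs that only ever speak SAML 1 and (b) SAML 2 SPs that occasionally fall back to SAML 1, and operators were asked for anonymised data. The script below is an added example written for this thread, not code from the thread, from the UK federation or from the Shibboleth project. It assumes the IdP's default pipe-delimited audit format in which field 4 is the SP entityID and field 5 the profile URI (the same fields the `cut -d\| -f4,5` pipeline selects), assumes the IdP v3 profile URIs shown as constants, and classifies any profile URI containing `saml1` or `saml2`; the sample audit lines and SP names are constructed.

```python
"""Summarise SAML 1 vs SAML 2 usage per SP from Shibboleth IdP audit log lines.

Assumptions (not taken from the thread): field 4 of each pipe-delimited record is
the relying party (SP) entityID, field 5 the profile URI, and a profile URI
containing "saml1" / "saml2" identifies the SAML generation. Sample data below is
constructed.
"""
import hmac
import sys
from collections import Counter

# IdP v3 profile URIs (assumed); other IdP versions use different identifiers.
SAML1_SSO = "http://shibboleth.net/ns/profiles/saml1/sso/browser"
SAML1_AQ = "http://shibboleth.net/ns/profiles/saml1/query/attribute"
SAML2_SSO = "http://shibboleth.net/ns/profiles/saml2/sso/browser"

# Constructed SP entityIDs.
SP_A = "https://sp-a.example.ac.uk/shibboleth"   # SAML 2 only
SP_B = "https://sp-b.example.org/shibboleth"     # SAML 1 only (SSO + attribute query)
SP_C = "https://sp-c.example.org/shibboleth"     # mostly SAML 2, one SAML 1 request


def _rec(ts, sp, profile):
    """Constructed audit record: timestamp|binding|request id|SP|profile|... (tail elided)."""
    return f"{ts}|urn:example:binding|_req{ts[-3:-1]}|{sp}|{profile}|..."


SAMPLE_AUDIT_LINES = [
    _rec("20170116T090101Z", SP_A, SAML2_SSO),
    _rec("20170116T090245Z", SP_C, SAML2_SSO),
    _rec("20170116T091010Z", SP_B, SAML1_SSO),
    _rec("20170116T091011Z", SP_B, SAML1_AQ),
    _rec("20170116T093030Z", SP_A, SAML2_SSO),
    _rec("20170116T094400Z", SP_C, SAML2_SSO),
    _rec("20170116T095912Z", SP_C, SAML1_SSO),   # the odd SAML 1 request from a SAML 2 SP
    _rec("20170116T100000Z", SP_B, SAML1_SSO),
    _rec("20170116T100001Z", SP_B, SAML1_AQ),
    _rec("20170116T101500Z", SP_C, SAML2_SSO),
    _rec("20170116T102020Z", SP_A, SAML2_SSO),
    _rec("20170116T103333Z", SP_C, SAML2_SSO),
    "",                                          # blank line: skipped
    "not an audit record",                       # malformed line: skipped
]


def classify_profile(profile_uri):
    """Map a profile URI to "SAML1", "SAML2" or "other" by substring."""
    uri = profile_uri.lower()
    if "saml1" in uri:
        return "SAML1"
    if "saml2" in uri:
        return "SAML2"
    return "other"


def parse_audit_line(line):
    """Return (sp_entity_id, profile_uri), or None for blank/short records."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) < 5 or not fields[3] or not fields[4]:
        return None
    return fields[3], fields[4]


def summarise(lines):
    """Per-SP counts: {sp: {"SAML1": n, "SAML2": n, "other": n, "profiles": Counter}}."""
    summary = {}
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        sp, profile = parsed
        entry = summary.setdefault(sp, {"SAML1": 0, "SAML2": 0, "other": 0, "profiles": Counter()})
        entry[classify_profile(profile)] += 1
        entry["profiles"][profile] += 1
    return summary


def anonymise(entity_id, key):
    """Keyed hash label: the federation cannot recover the entityID without the key,
    while the IdP operator who holds the key can still map a label back."""
    return hmac.new(key.encode(), entity_id.encode(), "sha256").hexdigest()[:12]


def saml1_report(summary, key=None):
    """Rows for every SP that used SAML 1 at all, heaviest SAML 1 user first:
    (label, saml1_count, saml2_count, saml1_share, mixed_flag, saml1_profiles)."""
    rows = []
    for sp, e in summary.items():
        if e["SAML1"] == 0:
            continue
        total = e["SAML1"] + e["SAML2"]
        saml1_profiles = {p: n for p, n in e["profiles"].items() if classify_profile(p) == "SAML1"}
        label = anonymise(sp, key) if key else sp
        rows.append((label, e["SAML1"], e["SAML2"], e["SAML1"] / total, e["SAML2"] > 0, saml1_profiles))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def read_lines(paths):
    """Yield audit lines from one or more log files (e.g. idp-audit-2017-01*.log)."""
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            yield from fh


def main(argv):
    """Usage: python saml1_usage.py [--key SECRET] [idp-audit.log ...]; no files = sample data."""
    key, paths, args = None, [], iter(argv[1:])
    for a in args:
        if a == "--key":
            key = next(args, None)
        else:
            paths.append(a)
    lines = read_lines(paths) if paths else SAMPLE_AUDIT_LINES
    for label, s1, s2, share, mixed, profiles in saml1_report(summarise(lines), key):
        note = "  <- mostly SAML 2: find what triggers SAML 1" if mixed and share < 0.5 else ""
        print(f"{label}  SAML1={s1}  SAML2={s2}  saml1_share={share:.0%}  {profiles}{note}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or point it at real audit files with `--key` set to a secret the operator keeps, so the report can be sent to the federation without naming SPs; the per-profile breakdown shows whether an SP's SAML 1 traffic is browser SSO or back-channel attribute queries, which is the distinction the service-desk calls in the thread turn on.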