<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
p.gmail-m-8010283298614748262msoplaintext, li.gmail-m-8010283298614748262msoplaintext, div.gmail-m-8010283298614748262msoplaintext
        {mso-style-name:gmail-m_-8010283298614748262msoplaintext;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hey, Nate,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">For us, the Apache OIDC module was sufficient. I’ll also note that a quick Google search produces a number of existing OIDC test clients. If we start doing things
 with OIDC federations that the masses currently aren’t doing, I can see some value in this, but not yet.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks for tossing out the idea, though.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Keith<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Nate Klingenstein <ndk@sudonym.me>
<br>
<b>Sent:</b> Thursday, May 23, 2019 10:45 AM<br>
<b>To:</b> Shib Users <users@shibboleth.net><br>
<b>Cc:</b> Wessel, Keith <kwessel@illinois.edu><br>
<b>Subject:</b> Re: Testing OIDC client registration<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">All,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I write this with great trepidation as we have a large and growing pile of other things to do, but Signet might be willing to set up an OIDC testing service like SAMLtest if there's the popular demand.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Are we at the stage where such a service would be useful?  Do people really need one, or is it simple enough to configure on one's own servers?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Best wishes,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Nate.<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Thu, May 23, 2019 at 12:09 AM Janne Lauros <<a href="mailto:janne.lauros@csc.fi">janne.lauros@csc.fi</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Hi Keith and all,<br>
<br>
>> Geant folks, one item missing from your documentation.<br>
Thanks for pointing that out. Adding the keyset is mentioned in <a href="https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/Installing-from-archive#profile-configurations" target="_blank">
https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/Installing-from-archive#profile-configurations</a> and in
<a href="https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/OIDC.Keyset" target="_blank">
https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/OIDC.Keyset</a>. The example activation in
<a href="https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/DynamicClientRegistration" target="_blank">
https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/DynamicClientRegistration</a> was bad and you propably copied the example losing the keyset configuration. I changed the wording and also the example to prevent that. I hope it is better now.
<br>
<br>
Br Janne<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">
<hr size="2" width="100%" align="center" id="gmail-m_-8010283298614748262zwchr">
</span></div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">From:
</span></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">"Keith Wessel" <<a href="mailto:kwessel@illinois.edu" target="_blank">kwessel@illinois.edu</a>><br>
<b>To: </b>"users" <<a href="mailto:users@shibboleth.net" target="_blank">users@shibboleth.net</a>><br>
<b>Sent: </b>Wednesday, 22 May, 2019 17:00:02<br>
<b>Subject: </b>RE: Testing OIDC client registration<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi, all,</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Just wanted to report that I did get this working without having to manually download the OP metadata.</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Geant folks, one item missing from your documentation. You mention that the OIDC.Registration bean
 has to be added to the UnverifiedRelyingParty configratuion. That gets the registration done, but the client can’t retrieve the keyset. I also had to add the OIDC.Keyset bean.</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">And for anyone trying to test this with Apache mod_auth_openidc, my config looks like this:</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCClientID test_rp<o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCClientSecret <redacted><o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCProviderIssuer
<a href="https://idp.example.edu%20#%20matching%20issuer%20from%20IdP's%20OIDC%20extension%20configuration%20and%20a%20resolvable%20URL%20that,%20when%20appended%20with%20.well-known/openid-configuration,%20will%20result%20in%20your%20OIDC%20provider%20config)u" target="_blank">
https://idp.example.edu # matching issuer from IdP’s OIDC extension configuration and a resolvable URL that, when appended with .well-known/openid-configuration, will result in your OIDC provider config)u</a><o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCOAuthSSLValidateServer Off # Test client doesn’t have https<o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCSSLValidateServer Off<o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCRedirectURI
<a href="http://client.example.edu/protected/redirect_uri" target="_blank">http://client.example.edu/protected/redirect_uri</a><o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCCryptoPassphrase <redacted><o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCResponseType "code"<o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCScope "openid profile email address phone"<o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCMetadataDir /var/cache/httpd/mod_auth_openidc/metadata<o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">OIDCCacheDir /var/cache/httpd/mod_auth_openidc/cache<o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><Location /protected><o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">AuthType openid-connect<o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"># And whatever Require or Grant directives go here<o:p></o:p></span></p>
<p class="gmail-m-8010283298614748262msoplaintext"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"></Location><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The first time you log in, you’ll be prompted by the Apache module to enter your provider. If you type
 in the full issuer ID including the <a href="https://">https://</a>, it should go to .well-known/opened-configuration and retrieve everything it needs to know. It will then perform a client registration, and everything should work from there on out for logging
 in and getting back claims.</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a name="m_-8010283298614748262__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Keith</span></a><span style="mso-bookmark:m_-8010283298614748262__MailEndCompose"></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> users
 <<a href="mailto:users-bounces@shibboleth.net" target="_blank">users-bounces@shibboleth.net</a>>
<b>On Behalf Of </b>Liam Hoekenga<br>
<b>Sent:</b> Wednesday, May 15, 2019 5:30 PM<br>
<b>To:</b> Shib Users <<a href="mailto:users@shibboleth.net" target="_blank">users@shibboleth.net</a>><br>
<b>Subject:</b> Re: Testing OIDC client registration</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
<div>
<div>
<div>
<div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">One question before I try this, though: why do I have to manually download the OP’s metadata and install
 it? Isn’t part of the whole thing the module’s ability to dynamically discover and download the OP’s information?</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I think that it's supposed to be able to download the metadata. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I believe if you give it a hostname, it's supposed to try to find the well-known information, and I think
 that <a href="mailto:username@example.edu" target="_blank">username@example.edu</a> looks require that .well-known information be located at
<a href="https://example.edu" target="_blank">https://example.edu</a>.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I think that hostname based discovery has issues (at least it did in mid-March).   If I don't specify the
 protocol, it complains..<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">[Fri Mar 15 16:09:00 2019] [error] [client xxx.xxx.xxx.xxx] oidc_metadata_provider_is_valid: requested
 issuer (<a href="http://idp.example.edu" target="_blank">idp.example.edu</a>) does not match the "issuer" value in the provider metadata file:
<a href="https://idp.example.edu" target="_blank">https://idp.example.edu</a>, referer:
<a href="https://sp.example.umich.edu/oidc/" target="_blank">https://sp.example.umich.edu/oidc/</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">The spec says iss is supposed to be a case sensitive HTTPS url.   I had assumed the hostname was sufficient
 based on the default form and "<a href="http://mitreid.org" target="_blank">mitreid.org</a>" (but even
<a href="http://mitreid.org" target="_blank">mitreid.org</a> generates an error, requiring "<a href="https://mitreid.org" target="_blank">https://mitreid.org</a>" to work).<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I asked the developer (Hans Zandbelt) and he said he believed that it was due to a change at some point
 in the code where he started to put more strict requirements on the provided issuer values because of recent attacks but failed to adapt the HTML discovery pages.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Liam<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;border:solid windowtext 1.0pt;padding:0in"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="gmail-m_-8010283298614748262_x005f_x0000_i1025" src="cid:image001.jpg@01D51156.C4D80A10" alt="Image removed by sender."></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><br>
-- <br>
For Consortium Member technical support, see <a href="https://wiki.shibboleth.net/confluence/x/coFAAg" target="_blank">
https://wiki.shibboleth.net/confluence/x/coFAAg</a><br>
To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net" target="_blank">
users-unsubscribe@shibboleth.net</a><o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal">-- <br>
For Consortium Member technical support, see <a href="https://wiki.shibboleth.net/confluence/x/coFAAg" target="_blank">
https://wiki.shibboleth.net/confluence/x/coFAAg</a><br>
To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net" target="_blank">
users-unsubscribe@shibboleth.net</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</body>
</html>