DRAFT

This page lists entity metadata values that are well known as sources of operational issues affecting SAML2 implementations in eduGAIN. Depending on the severity of the issue, the eduGAIN OT will take all possible measures to limit the damage it causes, up to and including rejection of the feed.

Depending on the severity of the issue, the eduGAIN OT may reject the feed containing the metadata. Whatever action the eduGAIN OT undertakes, it will promptly contact the Identity Federation responsible for the feed and try to solve the issue without any service interruption whenever possible.

When rejection of the feed is unavoidable, the eduGAIN OT will support the Identity Federation in restoring the feed as soon as possible. Please note that even in the case of rejection, the last usable feed will continue to be published as part of the eduGAIN metadata aggregate until its validity (set by the validUntil attribute) expires, which according to the eduGAIN SAML profile gives the Federation a minimum of 5 days to react.

Known Metadata Operational Issues table

Code: CR

Upstream conditions:
  The upstream metadata feed of an identity federation (eduGAIN member) contains a CR (Carriage Return) as a literal character reference ("&#13;" or "&#xD;").

Downstream conditions:
  • The feed is aggregated as is in the eduGAIN metadata.
  • An eduGAIN member picks up the eduGAIN metadata aggregate and republishes it to its own parties, leaving the CR literal character reference untouched.

Known operational issues:
  • (2016) Relying parties not able to validate the metadata.
  • (2019-08-21) .NET based signature validation fails (ADFSToolkit and other PowerShell aggregate handlers impacted); signaled by an InCommon member to the ADFSToolkit team via the ADFSToolkit issue tracker, escalated and resolved by InCommon support.
  • (2020) .NET based signature validation fails (ADFSToolkit and other PowerShell aggregate handlers not able to validate the metadata).

Possible actions:
  • Reject the upstream feed containing the CR.
  • Immediately notify the Identity Federation responsible for the feed in order to fix it.

Notes:
  2020-10-15 side note on Code CR from Chris Phillips:

  ...

  "The engineering team has finished their investigation and determined it does not meet the bar for servicing. They were not able to determine a situation where this would be exploitable, and at worst the system returns a 'not valid' response when it should return 'valid' meaning it's failing in a more secure direction."

  ...
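The failure the CR row describes, as an added Python example (not code from this page, eduGAIN or ADFSToolkit) using a constructed, unsigned metadata fragment: one function is the check an operator can run on an upstream feed before aggregation, the other shows why a republished aggregate no longer validates, because the parser turns &#13; into a real CR, a serializer that does not escape CR in character data writes it out raw, and the next parser normalises raw CR LF to LF, changing the signed content.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed, unsigned metadata fragment reproducing the "Code CR" upstream
# condition: a CR LF pair written as character references inside element text.
SAMPLE_WITH_CR = (
    b'<?xml version="1.0"?>'
    b'<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
    b'<md:EntityDescriptor entityID="https://idp.example.org/idp">'
    b"<md:Extensions>line one&#13;&#10;line two</md:Extensions>"
    b"</md:EntityDescriptor></md:EntitiesDescriptor>"
)

# Decimal (&#13;, &#013;) and hexadecimal (&#xD;, &#x0d;) references to U+000D.
CR_REFERENCE = re.compile(rb"&#(?:0*13|[xX]0*[dD]);")


def find_cr_references(xml_bytes):
    """Return (line_number, reference) for every CR character reference.

    Pre-aggregation check: a feed with any hit should be rejected and the
    responsible federation notified, as the table prescribes.
    """
    hits = []
    for match in CR_REFERENCE.finditer(xml_bytes):
        line = xml_bytes.count(b"\n", 0, match.start()) + 1
        hits.append((line, match.group().decode("ascii")))
    return hits


def extensions_text_after_republish(xml_bytes):
    """Return the Extensions text before and after a naive republish.

    Parsing turns &#13; into a real CR in the text node. ElementTree, like
    other serializers that do not escape CR in character data, writes it
    back out as a raw byte; the next parser applies XML end-of-line
    normalisation (CR LF -> LF), so the text, and any digest over it, differs.
    """
    original = ET.fromstring(xml_bytes)
    before = original.find(".//md:Extensions", MD_NS).text
    republished = ET.tostring(original)  # raw 0x0D byte is now in the output
    after = ET.fromstring(republished).find(".//md:Extensions", MD_NS).text
    return before, after


if __name__ == "__main__":
    for line, ref in find_cr_references(SAMPLE_WITH_CR):
        print(f"line {line}: CR character reference {ref}")
    before, after = extensions_text_after_republish(SAMPLE_WITH_CR)
    print("text changed by republishing:", before != after)
```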