Differenze tra le versioni di "Idp4noGCMsps"
(35 versioni intermedie di 7 utenti non mostrate) | |||
Riga 3: | Riga 3: | ||
E' possibile utilizzare l'elenco per forzare l'utilizzo del vecchio algoritmo AES128-CBC, vedi sotto. | E' possibile utilizzare l'elenco per forzare l'utilizzo del vecchio algoritmo AES128-CBC, vedi sotto. | ||
− | ==Elenco | + | ==Elenco dei Service Provider che non supportano l'algoritmo AES128-GCM== |
− | '''IMPORTANTE''': La lista nasce grazie | + | '''IMPORTANTE''': La lista nasce grazie alla segnalazione di alcuni IdP Admin che hanno condiviso i risultati dei test effettuati con il proprio idp Shibboleth v4 verso le risorse elettroniche presenti in IDEM/eduGAIN. Invitiamo tutti gli IdP Admin della Federazione IDEM a segnalarci eventuali ulteriori SP affetti dal problema e non ancora presenti in lista. |
<br /> | <br /> | ||
*<nowiki>https://nildeutenti.bo.cnr.it/sp</nowiki> | *<nowiki>https://nildeutenti.bo.cnr.it/sp</nowiki> | ||
*<nowiki>https://sp.tshhosting.com/shibboleth</nowiki> | *<nowiki>https://sp.tshhosting.com/shibboleth</nowiki> | ||
+ | *<nowiki>https://shibboleth.highwire.org/entity/secure-sp</nowiki> | ||
+ | *<nowiki>https://auth.osa.org/oa/entity</nowiki> | ||
+ | *<nowiki>https://www.spiedigitallibrary.org/oa/entity</nowiki> | ||
+ | *<nowiki>https://www.degruyter.com/shibboleth</nowiki> | ||
+ | *<nowiki>https://www.degruyter.com/ssp</nowiki> | ||
+ | *<s><nowiki>https://wiki.idem.garr.it/rp</nowiki></s> | ||
+ | *<nowiki>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</nowiki> | ||
+ | *<nowiki>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</nowiki> | ||
+ | *<nowiki>urn:federation:MicrosoftOnline</nowiki> | ||
*<nowiki>https://ticket.iop.org/shibboleth</nowiki> | *<nowiki>https://ticket.iop.org/shibboleth</nowiki> | ||
+ | *<nowiki>https://bestr.it/shibboleth</nowiki> | ||
*<nowiki>https://iam.atypon.com/shibboleth</nowiki> | *<nowiki>https://iam.atypon.com/shibboleth</nowiki> | ||
+ | *<nowiki>https://shibboleth.cambridge.org/shibboleth-sp</nowiki> | ||
+ | *<nowiki>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</nowiki> | ||
+ | *<nowiki>https://bioone.org/oa/entity</nowiki> | ||
+ | *<nowiki>https://journals.aps.org/oa/entity</nowiki> | ||
+ | *<nowiki>https://federation.nih.gov/FederationGateway</nowiki> | ||
*<nowiki>https://fsso.springer.com</nowiki> | *<nowiki>https://fsso.springer.com</nowiki> | ||
+ | *<nowiki>https://kluwerlawonline.com/oa/entity</nowiki> | ||
+ | *<nowiki>https://secure.nature.com/shibboleth</nowiki> | ||
+ | *<nowiki>https://shibboleth2sp.sams.oup.com/shibboleth</nowiki> | ||
+ | *<nowiki>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</nowiki> | ||
+ | *<nowiki>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</nowiki> | ||
*... | *... | ||
− | ==Esempio di <MetadataFilter> per SP che supportano solo AES128-CBC== | + | ==Esempio di <MetadataFilter> con DynamicHTTPMetadataProvider (MDX), per SP che supportano solo AES128-CBC== |
+ | Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un <code>MetadataFilter</code> all'interno della definizione del o dei <code>MetadataProvider</code> configurati per il proprio Identity Provider, come mostrato nell'esempio che segue. <syntaxhighlight lang="xml"> | ||
+ | <MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider" | ||
+ | connectionRequestTimeout="PT2S" | ||
+ | connectionTimeout="PT2S" | ||
+ | socketTimeout="PT4S" | ||
+ | refreshDelayFactor="0.75" | ||
+ | maxCacheDuration="PT48H"> | ||
+ | |||
+ | <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" | ||
+ | certificateFile="%{idp.home}/credentials/idem-mdx-service-crt.pem"/> | ||
+ | |||
+ | <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P3D"/> | ||
+ | |||
+ | <MetadataFilter xsi:type="Algorithm"> | ||
+ | |||
+ | <!-- CBC-only SPs. --> | ||
+ | <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /> | ||
+ | <Entity>https://nildeutenti.bo.cnr.it/sp</Entity> | ||
+ | <Entity>https://sp.tshhosting.com/shibboleth</Entity> | ||
+ | <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity> | ||
+ | <Entity>https://auth.osa.org/oa/entity</Entity> | ||
+ | <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity> | ||
+ | <Entity>https://www.degruyter.com/shibboleth</Entity> | ||
+ | <Entity>https://www.degruyter.com/ssp</Entity> | ||
+ | <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity> | ||
+ | <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity> | ||
+ | <Entity>urn:federation:MicrosoftOnline</Entity> | ||
+ | <Entity>https://ticket.iop.org/shibboleth</Entity> | ||
+ | <Entity>https://bestr.it/shibboleth</Entity> | ||
+ | <Entity>https://iam.atypon.com/shibboleth</Entity> | ||
+ | <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity> | ||
+ | <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity> | ||
+ | <Entity>https://bioone.org/oa/entity</Entity> | ||
+ | <Entity>https://journals.aps.org/oa/entity</Entity> | ||
+ | <Entity>https://federation.nih.gov/FederationGateway</Entity> | ||
+ | <Entity>https://fsso.springer.com</Entity> | ||
+ | <Entity>https://kluwerlawonline.com/oa/entity</Entity> | ||
+ | <Entity>https://secure.nature.com/shibboleth</Entity> | ||
+ | <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity> | ||
+ | <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity> | ||
+ | <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity> | ||
+ | </MetadataFilter> | ||
+ | |||
+ | <!-- Base URL for MDQ --> | ||
+ | <MetadataQueryProtocol>https://mdx.idem.garr.it/edugain/</MetadataQueryProtocol> | ||
+ | |||
+ | </MetadataProvider> | ||
+ | </syntaxhighlight> | ||
+ | ==Esempio di <MetadataFilter> con FileBackedHTTPMetadataProvider, per SP che supportano solo AES128-CBC== | ||
Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un <code>MetadataFilter</code> all'interno della definizione del o dei <code>MetadataProvider</code> configurati per il proprio Identity Provider, come mostrato nell'esempio che segue. <syntaxhighlight lang="xml"> | Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un <code>MetadataFilter</code> all'interno della definizione del o dei <code>MetadataProvider</code> configurati per il proprio Identity Provider, come mostrato nell'esempio che segue. <syntaxhighlight lang="xml"> | ||
<MetadataProvider id="URLMD-EDUGAIN2IDEM-Federation" | <MetadataProvider id="URLMD-EDUGAIN2IDEM-Federation" | ||
− | xsi:type="FileBackedHTTPMetadataProvider | + | xsi:type="FileBackedHTTPMetadataProvider" |
− | backingFile="%{idp.home}/metadata/ | + | backingFile="%{idp.home}/metadata/edugain2idem-metadata-sha256.xml" |
metadataURL="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml"> | metadataURL="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml"> | ||
Riga 36: | Riga 105: | ||
<Entity>https://nildeutenti.bo.cnr.it/sp</Entity> | <Entity>https://nildeutenti.bo.cnr.it/sp</Entity> | ||
<Entity>https://sp.tshhosting.com/shibboleth</Entity> | <Entity>https://sp.tshhosting.com/shibboleth</Entity> | ||
+ | <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity> | ||
+ | <Entity>https://auth.osa.org/oa/entity</Entity> | ||
+ | <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity> | ||
+ | <Entity>https://www.degruyter.com/shibboleth</Entity> | ||
+ | <Entity>https://www.degruyter.com/ssp</Entity> | ||
+ | <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity> | ||
+ | <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity> | ||
+ | <Entity>urn:federation:MicrosoftOnline</Entity> | ||
<Entity>https://ticket.iop.org/shibboleth</Entity> | <Entity>https://ticket.iop.org/shibboleth</Entity> | ||
+ | <Entity>https://bestr.it/shibboleth</Entity> | ||
<Entity>https://iam.atypon.com/shibboleth</Entity> | <Entity>https://iam.atypon.com/shibboleth</Entity> | ||
+ | <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity> | ||
+ | <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity> | ||
+ | <Entity>https://bioone.org/oa/entity</Entity> | ||
+ | <Entity>https://journals.aps.org/oa/entity</Entity> | ||
+ | <Entity>https://federation.nih.gov/FederationGateway</Entity> | ||
<Entity>https://fsso.springer.com</Entity> | <Entity>https://fsso.springer.com</Entity> | ||
− | + | <Entity>https://kluwerlawonline.com/oa/entity</Entity> | |
+ | <Entity>https://secure.nature.com/shibboleth</Entity> | ||
+ | <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity> | ||
+ | <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity> | ||
+ | <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity> | ||
</MetadataFilter> | </MetadataFilter> | ||
</MetadataProvider> | </MetadataProvider> | ||
</syntaxhighlight><br /> | </syntaxhighlight><br /> |
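Review bot: The `Algorithm` filter in the new DynamicHTTPMetadataProvider example pins every listed entity to `aes128-cbc`, which the page itself calls the old algorithm superseded by the IdP v4 default, yet the only comment is `<!-- CBC-only SPs. -->`; an admin copying the block gets no hint that each entry is a deliberate downgrade meant to be revisited. I would extend it to `<!-- CBC-only SPs: forces the weaker AES128-CBC for these entities only; re-test and remove entries once an SP accepts AES128-GCM. -->`. The same `<Entity>` list is now maintained twice on the page (here and in the FileBackedHTTPMetadataProvider example further down), so an SP added to one list and not the other keeps the GCM default in one provider; a sentence before the examples stating that the two lists must be kept identical would prevent that drift. The struck-through `wiki.idem.garr.it/rp` in the bullet list carries no explanation of why it was removed, which the description could state in a few words.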
Versione attuale delle 12:57, 24 nov 2022
In questa pagina vengono raccolti tutti i Service Provider (SP) che non supportano l'algoritmo di cifratura delle asserzioni AES128-GCM, usato in modo predefinito dallo Shibboleth Identity Provider versione 4.x.
È possibile utilizzare l'elenco per forzare l'uso del vecchio algoritmo AES128-CBC (vedi sotto).
Elenco dei Service Provider che non supportano l'algoritmo AES128-GCM
IMPORTANTE: La lista nasce grazie alla segnalazione di alcuni IdP Admin che hanno condiviso i risultati dei test effettuati con il proprio idp Shibboleth v4 verso le risorse elettroniche presenti in IDEM/eduGAIN. Invitiamo tutti gli IdP Admin della Federazione IDEM a segnalarci eventuali ulteriori SP affetti dal problema e non ancora presenti in lista.
- https://nildeutenti.bo.cnr.it/sp
- https://sp.tshhosting.com/shibboleth
- https://shibboleth.highwire.org/entity/secure-sp
- https://auth.osa.org/oa/entity
- https://www.spiedigitallibrary.org/oa/entity
- https://www.degruyter.com/shibboleth
- https://www.degruyter.com/ssp
- ~~https://wiki.idem.garr.it/rp~~
- https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp
- https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso
- urn:federation:MicrosoftOnline
- https://ticket.iop.org/shibboleth
- https://bestr.it/shibboleth
- https://iam.atypon.com/shibboleth
- https://shibboleth.cambridge.org/shibboleth-sp
- https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp
- https://bioone.org/oa/entity
- https://journals.aps.org/oa/entity
- https://federation.nih.gov/FederationGateway
- https://fsso.springer.com
- https://kluwerlawonline.com/oa/entity
- https://secure.nature.com/shibboleth
- https://shibboleth2sp.sams.oup.com/shibboleth
- https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp
- https://zeroshell.irccs-stellamaris.it:12081/shibboleth
- ...
Esempio di <MetadataFilter> con DynamicHTTPMetadataProvider (MDX), per SP che supportano solo AES128-CBC
Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-GCM, è possibile utilizzare un MetadataFilter all'interno della definizione del o dei MetadataProvider configurati per il proprio Identity Provider, come mostrato nell'esempio che segue.
<!--
  Dynamic (MDQ) metadata provider: entity descriptors are fetched on demand
  from the base URL given in <MetadataQueryProtocol> at the bottom, and every
  fetched descriptor passes through the three MetadataFilter elements below.
-->
<MetadataProvider id="DynamicEntityMetadata"
                  xsi:type="DynamicHTTPMetadataProvider"
                  connectionRequestTimeout="PT2S"
                  connectionTimeout="PT2S"
                  socketTimeout="PT4S"
                  refreshDelayFactor="0.75"
                  maxCacheDuration="PT48H">

    <!-- Signature check: the root of each fetched descriptor must be signed,
         and the signature is verified against this single pinned MDX certificate. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/idem-mdx-service-crt.pem"/>

    <!-- Freshness check: a validUntil is required and may not lie more than
         three days (P3D) in the future. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P3D"/>

    <!-- Algorithm override: for the entities listed here (the SPs on this page
         that do not support the IdP v4.x default AES128-GCM) assertion
         encryption is forced to the older AES128-CBC. Entities not listed keep
         the default. -->
    <MetadataFilter xsi:type="Algorithm">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <Entity>https://nildeutenti.bo.cnr.it/sp</Entity>
        <Entity>https://sp.tshhosting.com/shibboleth</Entity>
        <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity>
        <Entity>https://auth.osa.org/oa/entity</Entity>
        <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity>
        <Entity>https://www.degruyter.com/shibboleth</Entity>
        <Entity>https://www.degruyter.com/ssp</Entity>
        <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity>
        <Entity>urn:federation:MicrosoftOnline</Entity>
        <Entity>https://ticket.iop.org/shibboleth</Entity>
        <Entity>https://bestr.it/shibboleth</Entity>
        <Entity>https://iam.atypon.com/shibboleth</Entity>
        <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity>
        <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity>
        <Entity>https://bioone.org/oa/entity</Entity>
        <Entity>https://journals.aps.org/oa/entity</Entity>
        <Entity>https://federation.nih.gov/FederationGateway</Entity>
        <Entity>https://fsso.springer.com</Entity>
        <Entity>https://kluwerlawonline.com/oa/entity</Entity>
        <Entity>https://secure.nature.com/shibboleth</Entity>
        <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity>
        <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity>
    </MetadataFilter>

    <!-- Base URL of the MDQ service that individual entity descriptors are requested from. -->
    <MetadataQueryProtocol>https://mdx.idem.garr.it/edugain/</MetadataQueryProtocol>

</MetadataProvider>
Esempio di <MetadataFilter> con FileBackedHTTPMetadataProvider, per SP che supportano solo AES128-CBC
Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-GCM, è possibile utilizzare un MetadataFilter all'interno della definizione del o dei MetadataProvider configurati per il proprio Identity Provider, come mostrato nell'esempio che segue.
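<!--
  Aggregate (file-backed HTTP) metadata provider for the eduGAIN-to-IDEM feed.
  The aggregate is downloaded from metadataURL, cached in backingFile, and run
  through the four MetadataFilter elements below.
  NOTE: metadataURL is plain http://, so the integrity of the feed rests
  entirely on the SignatureValidation filter; keep that filter in place.
-->
<MetadataProvider id="URLMD-EDUGAIN2IDEM-Federation"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/edugain2idem-metadata-sha256.xml"
                  metadataURL="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml">

    <!-- Signature check: the aggregate root must be signed, verified against
         the pinned federation signer certificate.
         Property syntax made consistent with backingFile above and with the
         MDX example on this page: %{idp.home}, not ${idp.home}. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/idem-signer-20220121.pem"/>

    <!-- Freshness check: a validUntil is required and may not lie more than
         ten days (P10D) in the future. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>

    <!-- Only SP role descriptors are retained from the aggregate. -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>

    <!-- Algorithm override: for the entities listed here (the SPs on this page
         that do not support the IdP v4.x default AES128-GCM) assertion
         encryption is forced to the older AES128-CBC. Entities not listed keep
         the default. Keep this list identical to the one in the MDX example. -->
    <MetadataFilter xsi:type="Algorithm">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <Entity>https://nildeutenti.bo.cnr.it/sp</Entity>
        <Entity>https://sp.tshhosting.com/shibboleth</Entity>
        <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity>
        <Entity>https://auth.osa.org/oa/entity</Entity>
        <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity>
        <Entity>https://www.degruyter.com/shibboleth</Entity>
        <Entity>https://www.degruyter.com/ssp</Entity>
        <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity>
        <Entity>urn:federation:MicrosoftOnline</Entity>
        <Entity>https://ticket.iop.org/shibboleth</Entity>
        <Entity>https://bestr.it/shibboleth</Entity>
        <Entity>https://iam.atypon.com/shibboleth</Entity>
        <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity>
        <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity>
        <Entity>https://bioone.org/oa/entity</Entity>
        <Entity>https://journals.aps.org/oa/entity</Entity>
        <Entity>https://federation.nih.gov/FederationGateway</Entity>
        <Entity>https://fsso.springer.com</Entity>
        <Entity>https://kluwerlawonline.com/oa/entity</Entity>
        <Entity>https://secure.nature.com/shibboleth</Entity>
        <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity>
        <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity>
    </MetadataFilter>

</MetadataProvider>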