Differenze tra le versioni di "Idp4noGCMsps"

Da WIKI IDEM GARR.
 
(35 versioni intermedie di 7 utenti non mostrate)
Riga 3: Riga 3:
 
E' possibile utilizzare l'elenco per forzare l'utilizzo del vecchio algoritmo AES128-CBC, vedi sotto.
 
E' possibile utilizzare l'elenco per forzare l'utilizzo del vecchio algoritmo AES128-CBC, vedi sotto.
  
==Elenco SP che non supportano AES128-GCM==
+
==Elenco dei Service Provider che non supportano l'algoritmo AES128-GCM==
'''IMPORTANTE''': La lista nasce grazie ad un IdP Admin che ha condiviso i risultati dei test effettuati sugli SP utilizzati dal suo istituto. Invitiamo gli IdP Admin della Federazione IDEM ad aiutarci a mantenerla.
+
'''IMPORTANTE''': La lista nasce grazie alla segnalazione di alcuni IdP Admin che hanno condiviso i risultati dei test effettuati con il proprio idp Shibboleth v4 verso le risorse elettroniche presenti in IDEM/eduGAIN. Invitiamo tutti gli IdP Admin della Federazione IDEM a segnalarci eventuali ulteriori SP affetti dal problema e non ancora presenti in lista.
 
<br />
 
<br />
  
 
*<nowiki>https://nildeutenti.bo.cnr.it/sp</nowiki>
 
*<nowiki>https://nildeutenti.bo.cnr.it/sp</nowiki>
 
*<nowiki>https://sp.tshhosting.com/shibboleth</nowiki>
 
*<nowiki>https://sp.tshhosting.com/shibboleth</nowiki>
 +
*<nowiki>https://shibboleth.highwire.org/entity/secure-sp</nowiki>
 +
*<nowiki>https://auth.osa.org/oa/entity</nowiki>
 +
*<nowiki>https://www.spiedigitallibrary.org/oa/entity</nowiki>
 +
*<nowiki>https://www.degruyter.com/shibboleth</nowiki>
 +
*<nowiki>https://www.degruyter.com/ssp</nowiki>
 +
*<s><nowiki>https://wiki.idem.garr.it/rp</nowiki></s>
 +
*<nowiki>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</nowiki>
 +
*<nowiki>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</nowiki>
 +
*<nowiki>urn:federation:MicrosoftOnline</nowiki>
 
*<nowiki>https://ticket.iop.org/shibboleth</nowiki>
 
*<nowiki>https://ticket.iop.org/shibboleth</nowiki>
 +
*<nowiki>https://bestr.it/shibboleth</nowiki>
 
*<nowiki>https://iam.atypon.com/shibboleth</nowiki>
 
*<nowiki>https://iam.atypon.com/shibboleth</nowiki>
 +
*<nowiki>https://shibboleth.cambridge.org/shibboleth-sp</nowiki>
 +
*<nowiki>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</nowiki>
 +
*<nowiki>https://bioone.org/oa/entity</nowiki>
 +
*<nowiki>https://journals.aps.org/oa/entity</nowiki>
 +
*<nowiki>https://federation.nih.gov/FederationGateway</nowiki>
 
*<nowiki>https://fsso.springer.com</nowiki>
 
*<nowiki>https://fsso.springer.com</nowiki>
 +
*<nowiki>https://kluwerlawonline.com/oa/entity</nowiki>
 +
*<nowiki>https://secure.nature.com/shibboleth</nowiki>
 +
*<nowiki>https://shibboleth2sp.sams.oup.com/shibboleth</nowiki>
 +
*<nowiki>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</nowiki>
 +
*<nowiki>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</nowiki>
 
*...
 
*...
  
==Esempio di <MetadataFilter> per SP che supportano solo AES128-CBC==
+
==Esempio di <MetadataFilter> con DynamicHTTPMetadataProvider (MDX), per SP che supportano solo AES128-CBC==
 +
Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un <code>MetadataFilter</code> all'interno della definizione del o dei <code>MetadataProvider</code>  configurati per il proprio Identity Provider, come mostrato nell'esempio che segue. <syntaxhighlight lang="xml">
 +
<MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider"
 +
          connectionRequestTimeout="PT2S"
 +
          connectionTimeout="PT2S"
 +
          socketTimeout="PT4S"
 +
          refreshDelayFactor="0.75"
 +
          maxCacheDuration="PT48H">
 +
 
 +
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
 +
              certificateFile="%{idp.home}/credentials/idem-mdx-service-crt.pem"/>
 +
 
 +
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P3D"/>
 +
 
 +
    <MetadataFilter xsi:type="Algorithm">
 +
   
 +
        <!-- CBC-only SPs. -->
 +
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
 +
        <Entity>https://nildeutenti.bo.cnr.it/sp</Entity>
 +
        <Entity>https://sp.tshhosting.com/shibboleth</Entity>
 +
        <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity>
 +
        <Entity>https://auth.osa.org/oa/entity</Entity>
 +
        <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity>
 +
        <Entity>https://www.degruyter.com/shibboleth</Entity>
 +
        <Entity>https://www.degruyter.com/ssp</Entity>
 +
        <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
 +
        <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity>
 +
        <Entity>urn:federation:MicrosoftOnline</Entity>
 +
        <Entity>https://ticket.iop.org/shibboleth</Entity>
 +
        <Entity>https://bestr.it/shibboleth</Entity>
 +
        <Entity>https://iam.atypon.com/shibboleth</Entity>
 +
        <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity>
 +
        <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity>
 +
        <Entity>https://bioone.org/oa/entity</Entity>
 +
        <Entity>https://journals.aps.org/oa/entity</Entity>
 +
        <Entity>https://federation.nih.gov/FederationGateway</Entity>
 +
        <Entity>https://fsso.springer.com</Entity>
 +
        <Entity>https://kluwerlawonline.com/oa/entity</Entity>
 +
        <Entity>https://secure.nature.com/shibboleth</Entity>
 +
        <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity>
 +
        <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
 +
        <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity>
 +
    </MetadataFilter>
 +
 
 +
    <!-- Base URL for MDQ -->
 +
    <MetadataQueryProtocol>https://mdx.idem.garr.it/edugain/</MetadataQueryProtocol>
 +
 
 +
</MetadataProvider>
 +
</syntaxhighlight>
 +
==Esempio di <MetadataFilter> con FileBackedHTTPMetadataProvider, per SP che supportano solo AES128-CBC==
 
Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un <code>MetadataFilter</code> all'interno della definizione del o dei <code>MetadataProvider</code>  configurati per il proprio Identity Provider, come mostrato nell'esempio che segue. <syntaxhighlight lang="xml">
 
Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un <code>MetadataFilter</code> all'interno della definizione del o dei <code>MetadataProvider</code>  configurati per il proprio Identity Provider, come mostrato nell'esempio che segue. <syntaxhighlight lang="xml">
 
<MetadataProvider id="URLMD-EDUGAIN2IDEM-Federation"
 
<MetadataProvider id="URLMD-EDUGAIN2IDEM-Federation"
                   xsi:type="FileBackedHTTPMetadataProvider
+
                   xsi:type="FileBackedHTTPMetadataProvider"
                   backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
+
                   backingFile="%{idp.home}/metadata/edugain2idem-metadata-sha256.xml"
 
                   metadataURL="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml">
 
                   metadataURL="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml">
  
Riga 36: Riga 105:
 
         <Entity>https://nildeutenti.bo.cnr.it/sp</Entity>
 
         <Entity>https://nildeutenti.bo.cnr.it/sp</Entity>
 
         <Entity>https://sp.tshhosting.com/shibboleth</Entity>
 
         <Entity>https://sp.tshhosting.com/shibboleth</Entity>
 +
        <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity>
 +
        <Entity>https://auth.osa.org/oa/entity</Entity>
 +
        <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity>
 +
        <Entity>https://www.degruyter.com/shibboleth</Entity>
 +
        <Entity>https://www.degruyter.com/ssp</Entity>
 +
        <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
 +
        <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity>
 +
        <Entity>urn:federation:MicrosoftOnline</Entity>
 
         <Entity>https://ticket.iop.org/shibboleth</Entity>
 
         <Entity>https://ticket.iop.org/shibboleth</Entity>
 +
        <Entity>https://bestr.it/shibboleth</Entity>
 
         <Entity>https://iam.atypon.com/shibboleth</Entity>
 
         <Entity>https://iam.atypon.com/shibboleth</Entity>
 +
        <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity>
 +
        <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity>
 +
        <Entity>https://bioone.org/oa/entity</Entity>
 +
        <Entity>https://journals.aps.org/oa/entity</Entity>
 +
        <Entity>https://federation.nih.gov/FederationGateway</Entity>
 
         <Entity>https://fsso.springer.com</Entity>
 
         <Entity>https://fsso.springer.com</Entity>
+
        <Entity>https://kluwerlawonline.com/oa/entity</Entity>
 +
        <Entity>https://secure.nature.com/shibboleth</Entity>
 +
        <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity>
 +
        <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
 +
        <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity>
 
     </MetadataFilter>
 
     </MetadataFilter>
  
 
</MetadataProvider>
 
</MetadataProvider>
 
</syntaxhighlight><br />
 
</syntaxhighlight><br />
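Review bot: The new DynamicHTTPMetadataProvider example repeats, inside its `Algorithm` filter, the same `<Entity>` list that the FileBackedHTTPMetadataProvider example further down and the bullet list at the top of the page already carry, so every future CBC-only SP has to be added in three places and the copies can drift apart silently (the page list already contains a struck-out entry that neither filter has). A one-line comment in each filter, `<!-- Keep this list identical to the SP list on this page and to the other MetadataProvider example. -->`, would at least make the coupling explicit; a reader could otherwise assume one list is authoritative. The new introductory paragraph also spells the algorithm `AES128-CGM`; it should read `AES128-GCM`, as in the section heading above it. The FileBackedHTTPMetadataProvider element opened in this section continues outside the first hunk.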

Versione attuale delle 12:57, 24 nov 2022

In questa pagina vengono raccolti tutti i Service Provider (SP) che non supportano l'algoritmo di criptazione delle asserzioni AES128-GCM usato in modo predefinito dallo Shibboleth Identity Provider versione 4.x.

È possibile utilizzare l'elenco per forzare l'utilizzo del vecchio algoritmo AES128-CBC (vedi sotto).

Elenco dei Service Provider che non supportano l'algoritmo AES128-GCM

IMPORTANTE: La lista nasce grazie alla segnalazione di alcuni IdP Admin che hanno condiviso i risultati dei test effettuati con il proprio IdP Shibboleth v4 verso le risorse elettroniche presenti in IDEM/eduGAIN. Invitiamo tutti gli IdP Admin della Federazione IDEM a segnalarci eventuali ulteriori SP affetti dal problema e non ancora presenti in lista.

  • https://nildeutenti.bo.cnr.it/sp
  • https://sp.tshhosting.com/shibboleth
  • https://shibboleth.highwire.org/entity/secure-sp
  • https://auth.osa.org/oa/entity
  • https://www.spiedigitallibrary.org/oa/entity
  • https://www.degruyter.com/shibboleth
  • https://www.degruyter.com/ssp
  • https://wiki.idem.garr.it/rp
  • https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp
  • https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso
  • urn:federation:MicrosoftOnline
  • https://ticket.iop.org/shibboleth
  • https://bestr.it/shibboleth
  • https://iam.atypon.com/shibboleth
  • https://shibboleth.cambridge.org/shibboleth-sp
  • https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp
  • https://bioone.org/oa/entity
  • https://journals.aps.org/oa/entity
  • https://federation.nih.gov/FederationGateway
  • https://fsso.springer.com
  • https://kluwerlawonline.com/oa/entity
  • https://secure.nature.com/shibboleth
  • https://shibboleth2sp.sams.oup.com/shibboleth
  • https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp
  • https://zeroshell.irccs-stellamaris.it:12081/shibboleth
  • ...

Esempio di <MetadataFilter> con DynamicHTTPMetadataProvider (MDX), per SP che supportano solo AES128-CBC

Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-GCM, è possibile utilizzare un MetadataFilter all'interno della definizione del o dei MetadataProvider configurati per il proprio Identity Provider, come mostrato nell'esempio che segue.

<!-- Dynamic (MDQ) metadata provider: per-entity metadata is fetched on demand
     from the IDEM MDX service named in MetadataQueryProtocol below and cached
     for at most 48 hours. -->
<MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider"
          connectionRequestTimeout="PT2S"
          connectionTimeout="PT2S"
          socketTimeout="PT4S"
          refreshDelayFactor="0.75"
          maxCacheDuration="PT48H">

    <!-- Integrity check for every fetched document: the root element must be
         signed by the key in the MDX service certificate. -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
              certificateFile="%{idp.home}/credentials/idem-mdx-service-crt.pem"/>

    <!-- Reject metadata whose validUntil is more than 3 days out, bounding how
         long a stale copy can remain acceptable. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P3D"/>

    <!-- Downgrade assertion encryption to AES128-CBC only for the entities listed
         below (SPs that do not support the IdP v4 default, AES128-GCM). Keep this
         list in sync with the SP list on this page and remove an entity as soon as
         it supports GCM, so the weaker mode is not kept longer than necessary. -->
    <MetadataFilter xsi:type="Algorithm">
     
        <!-- CBC-only SPs. -->
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        <Entity>https://nildeutenti.bo.cnr.it/sp</Entity>
        <Entity>https://sp.tshhosting.com/shibboleth</Entity>
        <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity>
        <Entity>https://auth.osa.org/oa/entity</Entity>
        <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity>
        <Entity>https://www.degruyter.com/shibboleth</Entity>
        <Entity>https://www.degruyter.com/ssp</Entity>
        <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity>
        <Entity>urn:federation:MicrosoftOnline</Entity>
        <Entity>https://ticket.iop.org/shibboleth</Entity>
        <Entity>https://bestr.it/shibboleth</Entity>
        <Entity>https://iam.atypon.com/shibboleth</Entity>
        <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity>
        <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity>
        <Entity>https://bioone.org/oa/entity</Entity>
        <Entity>https://journals.aps.org/oa/entity</Entity>
        <Entity>https://federation.nih.gov/FederationGateway</Entity>
        <Entity>https://fsso.springer.com</Entity>
        <Entity>https://kluwerlawonline.com/oa/entity</Entity>
        <Entity>https://secure.nature.com/shibboleth</Entity>
        <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity>
        <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity>
    </MetadataFilter>

    <!-- Base URL for MDQ -->
    <MetadataQueryProtocol>https://mdx.idem.garr.it/edugain/</MetadataQueryProtocol>

</MetadataProvider>

Esempio di <MetadataFilter> con FileBackedHTTPMetadataProvider, per SP che supportano solo AES128-CBC

Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-GCM, è possibile utilizzare un MetadataFilter all'interno della definizione del o dei MetadataProvider configurati per il proprio Identity Provider, come mostrato nell'esempio che segue.

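<!-- File-backed provider for the eduGAIN-to-IDEM aggregate: the whole aggregate
     is downloaded from metadataURL and a copy is kept in backingFile. -->
<MetadataProvider id="URLMD-EDUGAIN2IDEM-Federation"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/edugain2idem-metadata-sha256.xml"
                  metadataURL="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml">

    <!-- NOTE: the aggregate is fetched over plain HTTP, so its integrity rests
         entirely on the SignatureValidation filter below; do not remove or relax it. -->

    <!-- Verify the federation signature on the aggregate root. The property
         placeholder uses the %{...} syntax, consistent with backingFile above and
         with the other example on this page (it previously read ${idp.home}).
         The signer certificate is dated in its file name and must be replaced
         when the federation rotates its signing key. -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/idem-signer-20220121.pem"/>

    <!-- Reject aggregates whose validUntil is more than 10 days out, bounding how
         long a stale copy can remain acceptable. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>

    <!-- Retain only SP roles from the aggregate; the IdP does not consume the others. -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>

    <!-- Downgrade assertion encryption to AES128-CBC only for the entities listed
         below (SPs that do not support the IdP v4 default, AES128-GCM). Keep this
         list in sync with the SP list on this page and remove an entity as soon as
         it supports GCM, so the weaker mode is not kept longer than necessary. -->
    <MetadataFilter xsi:type="Algorithm">

        <!-- CBC-only SPs. -->
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        <Entity>https://nildeutenti.bo.cnr.it/sp</Entity>
        <Entity>https://sp.tshhosting.com/shibboleth</Entity>
        <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity>
        <Entity>https://auth.osa.org/oa/entity</Entity>
        <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity>
        <Entity>https://www.degruyter.com/shibboleth</Entity>
        <Entity>https://www.degruyter.com/ssp</Entity>
        <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity>
        <Entity>urn:federation:MicrosoftOnline</Entity>
        <Entity>https://ticket.iop.org/shibboleth</Entity>
        <Entity>https://bestr.it/shibboleth</Entity>
        <Entity>https://iam.atypon.com/shibboleth</Entity>
        <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity>
        <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity>
        <Entity>https://bioone.org/oa/entity</Entity>
        <Entity>https://journals.aps.org/oa/entity</Entity>
        <Entity>https://federation.nih.gov/FederationGateway</Entity>
        <Entity>https://fsso.springer.com</Entity>
        <Entity>https://kluwerlawonline.com/oa/entity</Entity>
        <Entity>https://secure.nature.com/shibboleth</Entity>
        <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity>
        <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity>
    </MetadataFilter>

</MetadataProvider>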