Differenze tra le versioni di "Idp4noGCMsps"
Jump to navigation
Jump to search
(Creata pagina con "In questa pagina vengono raccolti tutti gli SP che non supportano il più moderno algoritmo di criptazione delle asserzioni AES128-GCM reso predefinito dalla versione 4 di Shi...") |
|||
| (40 versioni intermedie di 7 utenti non mostrate) | |||
| Riga 1: | Riga 1: | ||
| − | In questa pagina vengono raccolti tutti | + | In questa pagina vengono raccolti tutti i Service Provider (SP) che non supportano l'algoritmo di criptazione delle asserzioni AES128-GCM usato in modo predefinito dallo Shibboleth Identity Provider versione 4.x. |
| − | + | E' possibile utilizzare l'elenco per forzare l'utilizzo del vecchio algoritmo AES128-CBC, vedi sotto. | |
| − | + | ==Elenco dei Service Provider che non supportano l'algoritmo AES128-GCM== | |
| − | + | '''IMPORTANTE''': La lista nasce grazie alla segnalazione di alcuni IdP Admin che hanno condiviso i risultati dei test effettuati con il proprio idp Shibboleth v4 verso le risorse elettroniche presenti in IDEM/eduGAIN. Invitiamo tutti gli IdP Admin della Federazione IDEM a segnalarci eventuali ulteriori SP affetti dal problema e non ancora presenti in lista. | |
| − | + | <br /> | |
| − | |||
| − | |||
| − | == Esempio di <MetadataProvider> per | + | *<nowiki>https://nildeutenti.bo.cnr.it/sp</nowiki> |
| − | <syntaxhighlight lang="xml"> | + | *<nowiki>https://sp.tshhosting.com/shibboleth</nowiki> |
| − | <MetadataProvider id="URLMD- | + | *<nowiki>https://shibboleth.highwire.org/entity/secure-sp</nowiki> |
| − | xsi:type="FileBackedHTTPMetadataProvider | + | *<nowiki>https://auth.osa.org/oa/entity</nowiki> |
| − | backingFile="%{idp.home}/metadata/ | + | *<nowiki>https://www.spiedigitallibrary.org/oa/entity</nowiki> |
| + | *<nowiki>https://www.degruyter.com/shibboleth</nowiki> | ||
| + | *<nowiki>https://www.degruyter.com/ssp</nowiki> | ||
| + | *<s><nowiki>https://wiki.idem.garr.it/rp</nowiki></s> | ||
| + | *<nowiki>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</nowiki> | ||
| + | *<nowiki>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</nowiki> | ||
| + | *<nowiki>urn:federation:MicrosoftOnline</nowiki> | ||
| + | *<nowiki>https://ticket.iop.org/shibboleth</nowiki> | ||
| + | *<nowiki>https://bestr.it/shibboleth</nowiki> | ||
| + | *<nowiki>https://iam.atypon.com/shibboleth</nowiki> | ||
| + | *<nowiki>https://shibboleth.cambridge.org/shibboleth-sp</nowiki> | ||
| + | *<nowiki>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</nowiki> | ||
| + | *<nowiki>https://bioone.org/oa/entity</nowiki> | ||
| + | *<nowiki>https://journals.aps.org/oa/entity</nowiki> | ||
| + | *<nowiki>https://federation.nih.gov/FederationGateway</nowiki> | ||
| + | *<nowiki>https://fsso.springer.com</nowiki> | ||
| + | *<nowiki>https://kluwerlawonline.com/oa/entity</nowiki> | ||
| + | *<nowiki>https://secure.nature.com/shibboleth</nowiki> | ||
| + | *<nowiki>https://shibboleth2sp.sams.oup.com/shibboleth</nowiki> | ||
| + | *<nowiki>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</nowiki> | ||
| + | *<nowiki>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</nowiki> | ||
| + | *... | ||
| + | |||
| + | ==Esempio di <MetadataFilter> con DynamicHTTPMetadataProvider (MDX), per SP che supportano solo AES128-CBC== | ||
| + | Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un <code>MetadataFilter</code> all'interno della definizione del o dei <code>MetadataProvider</code> configurati per il proprio Identity Provider, come mostrato nell'esempio che segue. <syntaxhighlight lang="xml"> | ||
| + | <MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider" | ||
| + | connectionRequestTimeout="PT2S" | ||
| + | connectionTimeout="PT2S" | ||
| + | socketTimeout="PT4S" | ||
| + | refreshDelayFactor="0.75" | ||
| + | maxCacheDuration="PT48H"> | ||
| + | |||
| + | <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" | ||
| + | certificateFile="%{idp.home}/credentials/idem-mdx-service-crt.pem"/> | ||
| + | |||
| + | <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P3D"/> | ||
| + | |||
| + | <MetadataFilter xsi:type="Algorithm"> | ||
| + | |||
| + | <!-- CBC-only SPs. --> | ||
| + | <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /> | ||
| + | <Entity>https://nildeutenti.bo.cnr.it/sp</Entity> | ||
| + | <Entity>https://sp.tshhosting.com/shibboleth</Entity> | ||
| + | <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity> | ||
| + | <Entity>https://auth.osa.org/oa/entity</Entity> | ||
| + | <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity> | ||
| + | <Entity>https://www.degruyter.com/shibboleth</Entity> | ||
| + | <Entity>https://www.degruyter.com/ssp</Entity> | ||
| + | <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity> | ||
| + | <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity> | ||
| + | <Entity>urn:federation:MicrosoftOnline</Entity> | ||
| + | <Entity>https://ticket.iop.org/shibboleth</Entity> | ||
| + | <Entity>https://bestr.it/shibboleth</Entity> | ||
| + | <Entity>https://iam.atypon.com/shibboleth</Entity> | ||
| + | <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity> | ||
| + | <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity> | ||
| + | <Entity>https://bioone.org/oa/entity</Entity> | ||
| + | <Entity>https://journals.aps.org/oa/entity</Entity> | ||
| + | <Entity>https://federation.nih.gov/FederationGateway</Entity> | ||
| + | <Entity>https://fsso.springer.com</Entity> | ||
| + | <Entity>https://kluwerlawonline.com/oa/entity</Entity> | ||
| + | <Entity>https://secure.nature.com/shibboleth</Entity> | ||
| + | <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity> | ||
| + | <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity> | ||
| + | <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity> | ||
| + | </MetadataFilter> | ||
| + | |||
| + | <!-- Base URL for MDQ --> | ||
| + | <MetadataQueryProtocol>https://mdx.idem.garr.it/edugain/</MetadataQueryProtocol> | ||
| + | |||
| + | </MetadataProvider> | ||
| + | </syntaxhighlight> | ||
| + | ==Esempio di <MetadataFilter> con FileBackedHTTPMetadataProvider, per SP che supportano solo AES128-CBC== | ||
| + | Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un <code>MetadataFilter</code> all'interno della definizione del o dei <code>MetadataProvider</code> configurati per il proprio Identity Provider, come mostrato nell'esempio che segue. <syntaxhighlight lang="xml"> | ||
| + | <MetadataProvider id="URLMD-EDUGAIN2IDEM-Federation" | ||
| + | xsi:type="FileBackedHTTPMetadataProvider" | ||
| + | backingFile="%{idp.home}/metadata/edugain2idem-metadata-sha256.xml" | ||
metadataURL="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml"> | metadataURL="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml"> | ||
| Riga 31: | Riga 105: | ||
<Entity>https://nildeutenti.bo.cnr.it/sp</Entity> | <Entity>https://nildeutenti.bo.cnr.it/sp</Entity> | ||
<Entity>https://sp.tshhosting.com/shibboleth</Entity> | <Entity>https://sp.tshhosting.com/shibboleth</Entity> | ||
| + | <Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity> | ||
| + | <Entity>https://auth.osa.org/oa/entity</Entity> | ||
| + | <Entity>https://www.spiedigitallibrary.org/oa/entity</Entity> | ||
| + | <Entity>https://www.degruyter.com/shibboleth</Entity> | ||
| + | <Entity>https://www.degruyter.com/ssp</Entity> | ||
| + | <Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity> | ||
| + | <Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity> | ||
| + | <Entity>urn:federation:MicrosoftOnline</Entity> | ||
<Entity>https://ticket.iop.org/shibboleth</Entity> | <Entity>https://ticket.iop.org/shibboleth</Entity> | ||
| + | <Entity>https://bestr.it/shibboleth</Entity> | ||
<Entity>https://iam.atypon.com/shibboleth</Entity> | <Entity>https://iam.atypon.com/shibboleth</Entity> | ||
| + | <Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity> | ||
| + | <Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity> | ||
| + | <Entity>https://bioone.org/oa/entity</Entity> | ||
| + | <Entity>https://journals.aps.org/oa/entity</Entity> | ||
| + | <Entity>https://federation.nih.gov/FederationGateway</Entity> | ||
<Entity>https://fsso.springer.com</Entity> | <Entity>https://fsso.springer.com</Entity> | ||
| − | + | <Entity>https://kluwerlawonline.com/oa/entity</Entity> | |
| + | <Entity>https://secure.nature.com/shibboleth</Entity> | ||
| + | <Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity> | ||
| + | <Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity> | ||
| + | <Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity> | ||
</MetadataFilter> | </MetadataFilter> | ||
</MetadataProvider> | </MetadataProvider> | ||
</syntaxhighlight><br /> | </syntaxhighlight><br /> | ||
Versione attuale delle 13:57, 24 nov 2022
In questa pagina vengono raccolti tutti i Service Provider (SP) che non supportano l'algoritmo di criptazione delle asserzioni AES128-GCM usato in modo predefinito dallo Shibboleth Identity Provider versione 4.x.
E' possibile utilizzare l'elenco per forzare l'utilizzo del vecchio algoritmo AES128-CBC, vedi sotto.
Elenco dei Service Provider che non supportano l'algoritmo AES128-GCM
IMPORTANTE: La lista nasce grazie alla segnalazione di alcuni IdP Admin che hanno condiviso i risultati dei test effettuati con il proprio idp Shibboleth v4 verso le risorse elettroniche presenti in IDEM/eduGAIN. Invitiamo tutti gli IdP Admin della Federazione IDEM a segnalarci eventuali ulteriori SP affetti dal problema e non ancora presenti in lista.
- https://nildeutenti.bo.cnr.it/sp
- https://sp.tshhosting.com/shibboleth
- https://shibboleth.highwire.org/entity/secure-sp
- https://auth.osa.org/oa/entity
- https://www.spiedigitallibrary.org/oa/entity
- https://www.degruyter.com/shibboleth
- https://www.degruyter.com/ssp
https://wiki.idem.garr.it/rp- https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp
- https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso
- urn:federation:MicrosoftOnline
- https://ticket.iop.org/shibboleth
- https://bestr.it/shibboleth
- https://iam.atypon.com/shibboleth
- https://shibboleth.cambridge.org/shibboleth-sp
- https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp
- https://bioone.org/oa/entity
- https://journals.aps.org/oa/entity
- https://federation.nih.gov/FederationGateway
- https://fsso.springer.com
- https://kluwerlawonline.com/oa/entity
- https://secure.nature.com/shibboleth
- https://shibboleth2sp.sams.oup.com/shibboleth
- https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp
- https://zeroshell.irccs-stellamaris.it:12081/shibboleth
- ...
Esempio di <MetadataFilter> con DynamicHTTPMetadataProvider (MDX), per SP che supportano solo AES128-CBC
Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un MetadataFilter all'interno della definizione del o dei MetadataProvider configurati per il proprio Identity Provider, come mostrato nell'esempio che segue.
<MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider"
connectionRequestTimeout="PT2S"
connectionTimeout="PT2S"
socketTimeout="PT4S"
refreshDelayFactor="0.75"
maxCacheDuration="PT48H">
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="%{idp.home}/credentials/idem-mdx-service-crt.pem"/>
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P3D"/>
<MetadataFilter xsi:type="Algorithm">
<!-- CBC-only SPs. -->
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<Entity>https://nildeutenti.bo.cnr.it/sp</Entity>
<Entity>https://sp.tshhosting.com/shibboleth</Entity>
<Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity>
<Entity>https://auth.osa.org/oa/entity</Entity>
<Entity>https://www.spiedigitallibrary.org/oa/entity</Entity>
<Entity>https://www.degruyter.com/shibboleth</Entity>
<Entity>https://www.degruyter.com/ssp</Entity>
<Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
<Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity>
<Entity>urn:federation:MicrosoftOnline</Entity>
<Entity>https://ticket.iop.org/shibboleth</Entity>
<Entity>https://bestr.it/shibboleth</Entity>
<Entity>https://iam.atypon.com/shibboleth</Entity>
<Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity>
<Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity>
<Entity>https://bioone.org/oa/entity</Entity>
<Entity>https://journals.aps.org/oa/entity</Entity>
<Entity>https://federation.nih.gov/FederationGateway</Entity>
<Entity>https://fsso.springer.com</Entity>
<Entity>https://kluwerlawonline.com/oa/entity</Entity>
<Entity>https://secure.nature.com/shibboleth</Entity>
<Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity>
<Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
<Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity>
</MetadataFilter>
<!-- Base URL for MDQ -->
<MetadataQueryProtocol>https://mdx.idem.garr.it/edugain/</MetadataQueryProtocol>
</MetadataProvider>
Esempio di <MetadataFilter> con FileBackedHTTPMetadataProvider, per SP che supportano solo AES128-CBC
Per forzare l'utilizzo di AES128-CBC con i Service Provider che ancora non supportano AES128-CGM, è possibile utilizzare un MetadataFilter all'interno della definizione del o dei MetadataProvider configurati per il proprio Identity Provider, come mostrato nell'esempio che segue.
<MetadataProvider id="URLMD-EDUGAIN2IDEM-Federation"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/edugain2idem-metadata-sha256.xml"
metadataURL="http://md.idem.garr.it/metadata/edugain2idem-metadata-sha256.xml">
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="${idp.home}/credentials/idem-signer-20220121.pem"/>
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
<MetadataFilter xsi:type="Algorithm">
<!-- CBC-only SPs. -->
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<Entity>https://nildeutenti.bo.cnr.it/sp</Entity>
<Entity>https://sp.tshhosting.com/shibboleth</Entity>
<Entity>https://shibboleth.highwire.org/entity/secure-sp</Entity>
<Entity>https://auth.osa.org/oa/entity</Entity>
<Entity>https://www.spiedigitallibrary.org/oa/entity</Entity>
<Entity>https://www.degruyter.com/shibboleth</Entity>
<Entity>https://www.degruyter.com/ssp</Entity>
<Entity>https://gins.garr.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
<Entity>https://aai.openaire.eu/proxy/module.php/saml/sp/metadata.php/sso</Entity>
<Entity>urn:federation:MicrosoftOnline</Entity>
<Entity>https://ticket.iop.org/shibboleth</Entity>
<Entity>https://bestr.it/shibboleth</Entity>
<Entity>https://iam.atypon.com/shibboleth</Entity>
<Entity>https://shibboleth.cambridge.org/shibboleth-sp</Entity>
<Entity>https://idem.mulino.it/module.php/saml/sp/metadata.php/mulino-sp</Entity>
<Entity>https://bioone.org/oa/entity</Entity>
<Entity>https://journals.aps.org/oa/entity</Entity>
<Entity>https://federation.nih.gov/FederationGateway</Entity>
<Entity>https://fsso.springer.com</Entity>
<Entity>https://kluwerlawonline.com/oa/entity</Entity>
<Entity>https://secure.nature.com/shibboleth</Entity>
<Entity>https://shibboleth2sp.sams.oup.com/shibboleth</Entity>
<Entity>https://clas.cineca.it/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
<Entity>https://zeroshell.irccs-stellamaris.it:12081/shibboleth</Entity>
</MetadataFilter>
</MetadataProvider>
