Berlin
v3.x added by ~fkooman on ~eduvpn/server
Comment by ~fkooman on ~eduvpn/server
it is set to 10y now for 3.x
REPORTED RESOLVED FIXED
Comment by ~fkooman on ~fkooman/php-saml-sp
just so you know, there still could be a bug in php-saml-sp (or simpleSAMLphp).
At least php-saml-sp does work with Shibboleth IdPs with EncryptedAssertion, but we'll look at that then...
Comment by ~fkooman on ~fkooman/php-saml-sp
Thanks for the trace. Whatever the exact error is, for sure it won't work as the encryption is done using "http://www.w3.org/2001/04/xmlenc#aes128-cbc", which is not supported by php-saml-sp for security reasons (it is very broken). We only support aes-256-gcm, so that would have to be fixed. I am not sure whether simpleSAMLphp now supports aes-256-gcm for EncryptedAssertion, but I saw some work on xmlseclib regarding aes-256-gcm.
If you want to have the legacy encryption working I'd recommend using Shibboleth-SP instead of php-saml-sp... See https://github.com/eduvpn/documentation/blob/v2/SAML.md for Shib instructions on Debian and CentOS.
Comment by ~fkooman on ~fkooman/php-saml-sp
Which IdP (software) is used? Would it be possible to either provide a "SAML Trace" (https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/) or provide access to a test account? You can either wait until the assertion is no longer valid, or provide it by e.g. mail.
We did not test all IdPs, only a subset of them, so it may be we missed some...
Comment by ~fkooman on ~fkooman/php-saml-sp
REPORTED RESOLVED FIXED