...

How can I facilitate guest access for my service?

With eduID.

Does SURFconext support provisioning?

...

How does SURFconext support rich clients and mobile applications?

...

Can I use SURFconext to login with a social ID (Facebook, Google, etc.)?

No. Use eduID for guest access.

Which attributes can SURFconext supply to my service?

...

Test connections must receive at least 1 login within the first 6 months; otherwise they will be removed.

What are the rate limits for accessing SURFconext?

In order to protect our servers from being taken down by too many requests, we have some rate limits in place:

  1. An IP address is not allowed to generate more than 1000 requests every 10 seconds in total
  2. An IP address cannot access a specific endpoint more than 500 times a minute

SAML

Which attribute should I use to identify SURFconext users in my application?

...

Example

The SP "bookkeeper.example.org" needs the "FinanceRole" attribute, with possible values "user", "manager" and "administrator". In SURFconext, this can be passed on in an eduPersonEntitlement:

urn:mace:dir:attribute-def:eduPersonEntitlement = urn:x-surf.nl:example.org:FinanceRole:manager
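The SP side of that arrangement, as an added example that is not part of the FAQ or of any SURFconext code: it reads the FinanceRole back out of a multi-valued eduPersonEntitlement attribute. Only the attribute URN and the entitlement prefix come from the example above; the attribute dictionary, the other entitlement values and the approval rule are constructed for illustration.

```python
# Added example: extract a per-service role from eduPersonEntitlement.
# The attribute URN and the FinanceRole prefix are the ones in the FAQ example;
# everything else here is constructed.
from typing import Dict, FrozenSet, List

EDU_PERSON_ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"
# Namespace agreed with SURFconext for this SP's roles (from the FAQ example).
FINANCE_ROLE_PREFIX = "urn:x-surf.nl:example.org:FinanceRole:"
KNOWN_ROLES = frozenset({"user", "manager", "administrator"})


def finance_roles(attributes: Dict[str, List[str]]) -> FrozenSet[str]:
    """Return the FinanceRole values carried by eduPersonEntitlement.

    eduPersonEntitlement is multi-valued and shared by every service the IdP
    releases entitlements for, so only values that begin with this SP's own
    prefix are considered. A value with the right prefix but an unknown role
    name is dropped rather than handed to the application, so a typo or a stale
    role at the IdP cannot turn into an undefined permission.
    """
    roles = set()
    for value in attributes.get(EDU_PERSON_ENTITLEMENT, []):
        if not value.startswith(FINANCE_ROLE_PREFIX):
            continue  # another service's entitlement (or a mere substring match)
        role = value[len(FINANCE_ROLE_PREFIX):]
        if role in KNOWN_ROLES:
            roles.add(role)
    return frozenset(roles)


def may_approve_invoices(attributes: Dict[str, List[str]]) -> bool:
    """Constructed authorisation rule: managers and administrators may approve."""
    return bool(finance_roles(attributes) & {"manager", "administrator"})


# Constructed attribute statement, shaped as a SAML library hands it to the SP.
SAMPLE_ATTRIBUTES = {
    "urn:mace:dir:attribute-def:displayName": ["Jane Doe"],
    EDU_PERSON_ENTITLEMENT: [
        "urn:mace:example.org:other-service:member",       # unrelated entitlement
        "urn:x-surf.nl:example.org:FinanceRole:manager",  # the FAQ's example value
        "urn:x-surf.nl:example.org:FinanceRole:root",     # unknown role: ignored
    ],
}

if __name__ == "__main__":
    print(sorted(finance_roles(SAMPLE_ATTRIBUTES)))
    print(may_approve_invoices(SAMPLE_ATTRIBUTES))
```

Matching on the full prefix, rather than searching for "FinanceRole" anywhere in the value, is what keeps entitlements released for other services (or values that merely contain the string) from being mistaken for a role in this application.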


Microsoft .NET rejects the metadata signature, help?

This is a bug introduced by Microsoft in an attempt to fix a security issue. The security issue (CVE-2019-1006) is described in Microsoft's advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1006

In particular, the problem arises when metadata is read with the following method: https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.metadata.metadataserializer.readmetadata?view=netframework-4.8

The patch that has been rolled out changes the way XML digital signatures are verified. It seems to “fix” things by ignoring all KeyInfo elements other than the first child of a Signature element, and expecting it to contain an X509Data element. We have spoken with the responsible Microsoft developers and they acknowledge that the implementation is faulty. However, until now they have not prioritized fixing this issue in .NET. It may be helpful to report that you are affected by this problem to Microsoft to give it more priority.

A workaround is to apply an XSLT transform to remove the first KeyValue element from the signed metadata file, for example like this: strip.xslt
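A standard-library Python version of that transform, added here as an example and not the FAQ's strip.xslt: it removes the ds:KeyValue children of the ds:KeyInfo under each ds:Signature (all of them, not only the first) so that ds:X509Data becomes the first child, which is what the patched .NET reader expects. The metadata document is constructed for the example; its digest, signature value and certificate are placeholders.

```python
# Added example: strip ds:KeyValue from the KeyInfo of signed SAML metadata.
# Not the FAQ's strip.xslt; the sample document below is constructed.
import io
import xml.etree.ElementTree as ET
from typing import List, Tuple

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE = "{%s}Signature" % DS_NS
KEY_INFO = "{%s}KeyInfo" % DS_NS
KEY_VALUE = "{%s}KeyValue" % DS_NS


def _register_input_prefixes(xml_text: str) -> None:
    """Register the document's own namespace prefixes before serializing.

    ElementTree would otherwise rename them (ns0:, ns1:); the prefix is part of
    the canonical form of the signed content, so a rename breaks the signature.
    """
    for _event, (prefix, uri) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)):
        ET.register_namespace(prefix, uri)


def strip_key_values(metadata_xml: str) -> Tuple[str, int]:
    """Remove ds:KeyValue children from the ds:KeyInfo of every ds:Signature.

    Returns the rewritten document and the number of elements removed. KeyInfo
    lives inside the Signature element, which the enveloped-signature transform
    leaves out of the digest, so this edit does not invalidate the signature.
    """
    _register_input_prefixes(metadata_xml)
    root = ET.fromstring(metadata_xml)
    removed = 0
    for signature in root.iter(SIGNATURE):
        for key_info in signature.findall(KEY_INFO):
            for key_value in key_info.findall(KEY_VALUE):
                key_info.remove(key_value)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def key_info_children(metadata_xml: str) -> List[str]:
    """Local names of the KeyInfo children of the first Signature, for checking."""
    root = ET.fromstring(metadata_xml)
    signature = next(root.iter(SIGNATURE))
    key_info = signature.find(KEY_INFO)
    return [child.tag.split("}")[-1] for child in key_info]


# Constructed metadata: KeyValue precedes X509Data, the layout the .NET bug trips on.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>PLACEHOLDER</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    stripped, count = strip_key_values(SAMPLE_METADATA)
    print("removed %d KeyValue element(s); KeyInfo now holds %s" % (count, key_info_children(stripped)))
    print(stripped)
```

What can break the signature is not the KeyInfo edit but the re-serialization. The code keeps the input's prefixes, but ElementTree still hoists namespace declarations to the root element and drops comments; both are harmless under exclusive C14N without comments (the usual choice for SAML metadata, and the one in the sample), not under inclusive C14N. Whichever tool applies the transform, verify the signature on the transformed file before the application consumes it.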