MyAcademicID integration

Levels of estimated error severity

Critical

This severity level implies that the process has completely shut down and no further action is possible.

MAJOR

This is a significant flaw that causes the system to fail. However, certain parts of the system remain functional.

MEDIUM

This flaw results in unfavorable behavior but the system remains functioning.

LOW

This type of flaw won’t cause any major breakdown in the system.


List of identified issues in this category (click on the title to show details)

Description

MyAcademicID requires several attributes to be released. If your identity provider doesn't release them, you won't be able to log in. You can perform a test on MyAcademicID Attribute Release Check to see which attributes are missing. You can also use a browser extension, like SAML-tracer, to debug and see what exactly your identity provider is sending to MyAcademicID.

Estimated severity

Critical

Examples

 

Suggested action

Your identity provider should release all required attributes.

How communicated

Shared in email correspondence with providers.

Description

This issue might be relevant to you if you use CAS (https://github.com/apereo/cas). Version 6.6.8 introduced a bug where the Address in the SubjectConfirmationData started to contain hostname instead of IP address, which violates SAML2 specification and breaks the integration with MyAcademicID. Up to version 6.6.7, this attribute wasn't sent at all, which was OK because it is optional.

Estimated severity

Critical

Examples

 <saml2:SubjectConfirmationData Address="proxy.prod.erasmus.eduteams.org"
InResponseTo="id-YvP0PC2XE8gCoC3uH"
NotOnOrAfter="2023-09-19T14:34:16.985Z"
Recipient="https://proxy.prod.erasmus.eduteams.org/saml2sp/acs/post"
/>

Suggested action

If you use CAS and the issue is still not fixed, downgrade to version 6.6.7. There is also going to be a configuration option named skipGeneratingSubjectConfirmationAddress (https://apereo.github.io/cas/6.6.x/services/SAML2-Service-Management.html), which could be used as a workaround, but at the time of writing it is still not officialy released.

How communicated

Shared in email correspondence with providers