edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Dick Visser <dick.visser AT geant.org>
- To: Peter Schober <peter.schober AT univie.ac.at>
- Cc: edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] IdP without DNS records
- Date: Tue, 8 May 2018 16:50:21 +0200
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=geant-org.20150623.gappssmtp.com
This is similar to the case of institutions filtering network access
to their IdP so it's not publicly available.
I came across this lately and while I think it's an ill conceived
idea, I'm not the one that needs to use it.
If a local security policy mandates it, and users are able to use the
IdP - then great.
IIRC it was some hospital that did things this way.
Any sort of IdP sanity checks (certificate/crypto health, software
version probing, protocol support etc) will of course be impossible
with this approach.
Dick
On 8 May 2018 at 16:40, Peter Schober <peter.schober AT univie.ac.at> wrote:
> * Niels van Dijk <niels.vandijk AT surfnet.nl> [2018-05-08 16:23]:
>> While testing with the eduGAIN metadata, I note the entity
>> https://idp.vle.ase.md/saml/saml2/idp/metadata.php has no DNS records,
>> hence is totally not functional.
>
> Also note that your conclusion above is incorrect: An entityID is a
> name (of xsd:type anyURI), not a location. (Counter example:
> "urn:mace:incommon:osu.edu" has no DNS record, so it must be totally
> unfunctional, too?)
>
> Such an entity could function perfectly fine if the protocol endpoints
> were reachable.
>
> Of course in this specific case it's obvious to humans that have
> experience with SAML federations that the entityID here clearly is
> using the auto-generated value from the deployed SAML implementation
> (SimpleSAMLphp) and as such /will/ be based on its actual host name,
> meaning it will /share/ that host name portion with its own protocol
> endpoints, meaning those protocol endpoints will be just as
> unreachable, resulting in the actual problem: Unreachable protocol
> endpoints.
>
> -peter
--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT
GÉANT Vereniging (Association) is registered with the Chamber of
Commerce in Amsterdam with registration number 40535155 and operates
in the UK as a branch of GÉANT Vereniging. Registered office:
Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address:
City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.
Want to join us? We're hiring: https://www.geant.org/jobs
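The distinction Peter draws above (an entityID is a name, the thing that has to be reachable is the set of protocol endpoints in the entity's metadata) and Dick's remark about sanity checks can be turned into a small metadata check. The following is an added example, not code from this thread, from eduGAIN or from any federation tooling: it parses a constructed SAML metadata fragment, collects the hostnames of every `Location` endpoint per entity, and resolves those hosts rather than the entityID. The `*.example.test` hostnames and the `urn:mace:example:idp` entityID are placeholders, and the resolver can be swapped for a stub so the check can run offline.

```python
"""Check SAML metadata for resolvable protocol endpoints (added example)."""
import socket
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata: one entity with a URL-style entityID (the
# SimpleSAMLphp default shape) and one with a URN entityID. Hostnames are
# placeholders, not real services.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.test/saml2/idp/metadata.php">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.test/saml2/idp/SSOService.php"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:example:idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://login.example.test/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def endpoint_hosts(metadata_xml):
    """Map each entityID to the set of hostnames used by its protocol endpoints.

    Only elements carrying a Location attribute (SSO, SLO, ACS services and so
    on) count; the entityID itself is deliberately not treated as a location.
    """
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        hosts = set()
        for elem in ed.iter():
            loc = elem.get("Location")
            if loc:
                host = urlparse(loc).hostname
                if host:
                    hosts.add(host.lower())
        result[ed.get("entityID")] = hosts
    return result


def entityid_is_location(entity_id):
    """True only if the entityID happens to be an http(s) URL; a URN has no host."""
    parsed = urlparse(entity_id)
    return parsed.scheme in ("http", "https") and bool(parsed.hostname)


def resolves(host):
    """Default resolver: a real DNS lookup. Replace with a stub for offline runs."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def check_reachability(metadata_xml, resolver=resolves):
    """Judge each entity on its endpoint hosts, not on its entityID.

    Returns {entityID: {"unresolvable_endpoints": [...],
                        "entityid_resolvable": True | False | None}}.
    'entityid_resolvable' is informational only and is None for URN names.
    """
    report = {}
    for entity_id, hosts in endpoint_hosts(metadata_xml).items():
        bad = sorted(h for h in hosts if not resolver(h))
        eid_host = urlparse(entity_id).hostname if entityid_is_location(entity_id) else None
        report[entity_id] = {
            "unresolvable_endpoints": bad,
            "entityid_resolvable": resolver(eid_host) if eid_host else None,
        }
    return report


if __name__ == "__main__":
    # Live run against the placeholder hosts (which will not resolve).
    for eid, r in check_reachability(SAMPLE_METADATA).items():
        status = "OK" if not r["unresolvable_endpoints"] else "BROKEN"
        print(f"{status:6} {eid} -> unresolvable endpoint hosts: {r['unresolvable_endpoints']}")
```

Run against real aggregate metadata this flags an entity as broken only when an endpoint host fails to resolve; a URN-style entityID such as `urn:mace:incommon:osu.edu` is never looked up, so it cannot produce a false alarm. A DNS lookup is only the first step, of course; the certificate and protocol checks Dick mentions still need the endpoint to answer.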