An open discussion list for topics related to the eduGAIN interfederation service.

[Thijs Kinkhorst <thijs.kinkhorst AT surfnet.nl>]

Op 20-11-19 om 00:02 schreef Nick Roy:
> Perhaps counterproductively adding to my rant below: ADFS is terrible, but
> works just well enough to lull people into the belief that it won’t screw
> everything up, as it invariably does, down the road. I spend at least 80%
> of my direct-end-user-contact time coaching people with ADFS problems.
> ADFS /should not be used/ in the context of R&E federations, nor should
> other similar software. This is a real problem that I don’t know how to
> address in our context, but the problem is getting worse every day.

Just to provide some counter viewpoint. In our federation 66% of IdPs use
ADFS and this hardly gives rise to problems. These institutions have in
many cases standardised on Microsoft internally and they are very happy
that they can interface with us by using their vendor of choice and are
not forced to use a different product.

So I'd like to avoid blanket statements of the form "should not be used in
the context of R&E federations" as this rather disqualifies many of our
institutions which are using it competently and with much success
precisely in an R&E federation.

There are indeed some bugs in ADFS and ideally they would be fixed. For
IdP usage rejecting the scoping element springs to mind. But our 'biggest'
problem with ADFS is the SP side which (in our view) erroneously puts a
UNIQUE constraint on IdP certificates. This makes e.g. the CERN SP broken
for us and from time to time we get a user that complains about it. But
given that this specific SP itself is not so interested in promoting
federated authn (they put edugain only as the very bottom most option on
their login screen after four(!) other options) we have not prioritized this.


Cheers,
Thijs

Attachment: signature.asc
Description: OpenPGP digital signature