Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] reference for expired certificate warning


Chronological Thread 
  • From: Nick Roy <nroy AT internet2.edu>
  • To: Peter Schober <peter.schober AT univie.ac.at>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Wed, 20 Nov 2019 17:38:59 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=internet2.edu; dmarc=pass action=none header.from=internet2.edu; dkim=pass header.d=internet2.edu; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sKu5ZP+eSqAX2yqvQ30eFovS/Y4p9zhX127Iemi+INI=; b=DSd9j6o1rb0jFTH+hFD7BpJ+D2mJCW/nFweVdxSTWzOU8h2Jt47jEwWejzJDUNtmzWyO232haP/46aZVAJ6ITaLV2EQ6ZrGJ70IMDkQZGPsWtbWLuDPyJFqlSLn7ckAQNzblkwGjq2fGJBKcpsYelObKIxCdP3IylYNpXKKir4I+npqQ7TPNUDoy0am9kb2v+nWtpNJ/SXuxdVauXcej/+BG5cdJzIgax+59GCfjqpj0Bt5YyjC5UpokzmmZeVKrWfI8CYqoW5BvdGrPGZXSu2nH9pYoad3X3/wtftIIqCs3Vwo66hLkRDhzspY2mUbNKCL8xkrNtxVr6tvEIOAzDQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BSR0ZDtBnZexryqPmVPndZPsmyLfjTGX3qjipQk4PMr4aHIpsPNJyVoOyla2rnJpB+nVQCgpnd1O9RldLv5TkV9LyDD9mhBDBdkp/KWm8OatOZpBdnlMaRjQdSAAMVbuOpemuSWEmV5eB61qB+plMJQ2Kz6HjYiyzIWW4lq8aDd5+VFaS7U9fLiEMIpRQ948c4I0NX1c1bRX/ISb0JF62T2TLNtENYU2uLg98OoHtGl9b2KhEnEHSTWDc4gQ5B+pUXo162jbv3psk881wVHa3N0JW79fyWi3JsOfXHI5Eb1HDc8ByI1koi99N2T4axCZ5FEKS0+KYGpUfpU1vCWNTw==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=nroy AT internet2.edu;

Thanks Peter - please don't quote me by name, but feel free to use my words,
or modify them as needed. A REFEDS blog post on this topic would be
excellent, and it might be best to come from a nameless "editorial board" or
something, to avoid blowback. I'd volunteer to contribute to the anonymous
authorship of such a post.

It is not just ADFS that has these problems, it's stuff like Oracle/IBM FIM,
even Ping to some extent. Don't get me started on the IDaaS stuff...

Nick

On 20 Nov 2019, at 1:50, Peter Schober wrote:

> * Nick Roy <nroy AT internet2.edu> [2019-11-20 00:03]:
>> Perhaps counterproductively adding to my rant below: ADFS is
>> terrible, but works just well enough to lull people into the belief
>> that it won’t screw everything up, as it invariably does, down the
>> road. I spend at least 80% of my direct-end-user-contact time
>> coaching people with ADFS problems. ADFS *should not be used* in the
>> context of R&E federations, nor should other similar software. This
>> is a real problem that I don’t know how to address in our context,
>> but the problem is getting worse every day.
>
> Thank you for your very clear words in this regard.
>
> Maybe this should be made known more widely? Open to ideas how that
> would work. A REFEDS blog post? A disclaimer message to be relayed by
> (Full Mesh) federations?
> I'll start by quoting your post above in our documentation.
>
> At this time we only have a single MS-ADFS entity registered, so my
> communication has been pretty clear and seemingly was effective so
> far. That one entity could end up being used a lot more, though,
> through services proxied behind its SP-side...
>
> -peter

Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.

Top of Page