edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Nick Roy <nroy AT internet2.edu>
  • To: Leif Johansson <leifj AT sunet.se>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Wed, 20 Nov 2019 17:41:30 +0000
  • Accept-language: en-US

Pamela Dingle was always receptive to the needs of this community when she
worked at Ping. In fact, she was instrumental, along with Hans Zandbelt, in
getting Ping Identity to a much better place than it was w/r/t our mode of
operation.

The problem with ADFS is that it's not a problem that is limited to those who
choose to sniff that sock. If you can't support key rollover, you cause
problems for all of your federating partners. If you don't know what you're
doing, you end up causing outages, wasting the time of your peers in the
federation, and of federation operators.

Nick

On 20 Nov 2019, at 3:34, Leif Johansson wrote:

> On 2019-11-20 09:50, Peter Schober wrote:
>> * Nick Roy <nroy AT internet2.edu> [2019-11-20 00:03]:
>>> Perhaps counterproductively adding to my rant below: ADFS is
>>> terrible, but works just well enough to lull people into the belief
>>> that it won’t screw everything up, as it invariably does, down the
>>> road. I spend at least 80% of my direct-end-user-contact time
>>> coaching people with ADFS problems. ADFS *should not be used* in the
>>> context of R&E federations, nor should other similar software. This
>>> is a real problem that I don’t know how to address in our context,
>>> but the problem is getting worse every day.
>>
>> Thank you for your very clear words in this regard.
>>
>> Maybe this should be made known more widely? Open to ideas how that
>> would work. A REFEDS blog post? A disclaimer message to be relayed by
>> (Full Mesh) federations?
>> I'll start by quoting your post above in our documentation.
>>
>> At this time we only have a single MS-ADFS entity registered, so my
>> communication has been pretty clear and seemingly was effective so
>> far. That one entity could end up being used a lot more, though,
>> through services proxied behind its SP-side...
>>
>> -peter
>>
>
> While I tend to agree the pain is mostly localized to those that
> choose to sniff this particular sock. The organizations who run
> ADFS do that for reasons that will not be influenced by what
> REFEDS say.
>
> We may be able to get MSFT to improve things... I have had some
> chats with their new head of identity (or whatever the title is)
> Pamela Dingle who at least makes the right noises. I know this is
> not the first time somebody said this too.
>
> Possibly a statement from REFEDS if wielded in a smart way may
> serve to make things a bit more concrete.
>
> Cheers Leif

Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.