edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Thu, 21 Nov 2019 13:21:19 +0100
  • Organization: ACOnet

* Guy Halse <guy AT tenet.ac.za> [2019-11-21 09:26]:
> Thus from my perspective, ADFS is something I have to learn to live
> with if I want R&E federation to succeed here. Given the choice
> between living with ADFS's quirks and abandoning the idea of getting
> R&E federation working, I'll choose the former.

At least in our community they'd rather follow our documentation to
get a system integrating with the global community, one that's
significantly more powerful while also being lower in maintenance
(because it's maintenance of the software/system only, not of each and
every trust relationship), even if that means having to deal with
software they haven't used before. YMMV.

> What that probably boils down to is that Microsoft are good at
> marketing; we are not.

Make that "vendor lock-in", not (merely) marketing: From the PC OS
(which they still own[1]) with its broken clients ever expanding to
your data center to hosted servers and services.

But that's not even the point. This is: If our offerings
(multi-lateral federation) are not simpler and more secure and better
scaling than the alternatives (manual, bilateral trust relationships)
we have nothing to offer, really.

(Not that I've personally ever met anyone who preferred establishing
and managing trust relationships manually even if that meant keeping
their pseudo-familiar GUI software, but again YMMV.)

As is the case so often, the problem is that there's no rationality
within large organisations -- ultimately down to the establishment of
trust via mutually and automatically importing plain text files
("metadata") over the Internet and blindly trusting the content
(endpoints, cryptographic keys) the same way as you'd be trusting your
OS vendor-supplied CA trust store. And the admins doing those
integrations usually have no idea what makes one integration secure
and another insecure. Broken and/or misleading vendor documentation
doesn't make this better either.
I.e., in a general state of confusion, security theatre and bad
implementations, having actually secure infrastructures with non-broken
software is outside the norm. And "No one ever got fired for buying
from [big vendor]." aka doing what the rest is doing.

-peter

[1] https://en.wikipedia.org/wiki/Usage_share_of_operating_systems