edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Nick Roy <nroy AT internet2.edu>
  • To: Leif Johansson <leifj AT sunet.se>
  • Cc: Warda Al Habsi <warda AT omren.om>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Thu, 21 Nov 2019 16:17:58 +0000
  • Accept-language: en-US

Let me tell you a couple of stories that will explain my reaction to ADFS, at
least in part.

I received an escalated helpdesk ticket from someone who said they were
contractually obligated to join InCommon and publish an IdP in metadata
within the next several days. They wanted someone to help them submit
metadata. After an initial call, I determined that they needed to install
ADFSToolkit. I told them I’d walk them through it, even though I had never
done it before. We got on another screen sharing session, and after a few
fits and starts, we had it configured to load InCommon’s main metadata
aggregate. When the security officer for that organization, who was on the
call, saw the PowerShell messages about configuring trust for every SP in the
metadata, that person said something to the effect of, "wait, what’s it
doing?!?"

Turns out, they had not talked internally about what it meant to join InCommon
and participate in federation. So, they killed the load halfway through
processing metadata and told me they would talk internally and figure out how
to get rid of all the trusts that ADFSToolkit had added, and then just add
the one SP they cared about. Between responding to emails, reading
documentation and doing video conferences, I probably spent 8 hours helping
this organization, which will likely only ever federate with a single SP (so
should it even be in a federation?). This is a typical and all too frequent
engagement with ADFS.

Story two: An ADFS deployer called our security emergency hotline at 4:30
p.m. on a Friday afternoon, left a voicemail saying their IdP stopped working
and asking for an emergency metadata resigning. I tried to call them back,
but got no answer to repeated calls. I sent them email. After getting no
response, I started looking at their recent metadata history. From what I
could tell, they had tried to do an emergency key rollover themselves,
without reading our documentation, because ADFS had helpfully auto-rolled
their SAML keys. I never got a response to my call-backs or email. This type
of emergency engagement effectively never happens with Shibboleth or
SimpleSAMLphp. Our community produces software that works for our use cases,
that we know how to support, and that we offer training on.

Nick

On 20 Nov 2019, at 23:36, Leif Johansson wrote:

> Sent from my iPhone
>
>> On 21 Nov 2019 at 12:12, Warda Al Habsi <warda AT omren.om> wrote:
>>
>> Hi Nick,
>>
>> Yes, they are using ADFS-Toolkit for the metadata aggregation and attribute
>> release.
>> With great effort and support from Chris Philips from CANARIE, we are
>> able to use it and contribute to the improvement of the tool.
>> I believe this is the power of the community.
>>
>
> Well said.
>
> We definitely want to push MSFT to do better than to throw up our hands in
> despair.
>
> There is no harm in flexing the muscles we do have. Just because some of us
> have been able to successfully integrate ADFS doesn’t mean we shouldn’t
> stand in solidarity with those who face more pain.
>
> Cheers Leif
>
>> Best regards,
>>
>> Warda Al Habsi,
>> Applications Manager
>> Oman Research and Education Network - OMREN,
>> The Research Council
>> P.O.Box 92, Innovation Park Muscat - Al Khoud 123,
>> Sultanate of Oman
>> M: +968 90991133
>> F: +968 22305820
>> E: warda AT omren.om
>> W: www.omren.om
>> ORCID ID: https://orcid.org/0000-0003-1769-4670
>>
>> OMREN is an initiative by the research council Oman (TRC) to contribute to
>> the rise of an effective national innovation ecosystem, and provide the
>> research and education community in the sultanate of Oman with a common
>> network and collaboration infrastructure dedicated and adapted to their
>> needs.
>>
>>
>>
>> -----Original Message-----
>> From: Nick Roy <nroy AT internet2.edu>
>> Sent: Wednesday, November 20, 2019 9:43 PM
>> To: Warda Al Habsi <warda AT omren.om>
>> Cc: Leif Johansson <leifj AT sunet.se>; edugain-discuss AT lists.geant.org
>> Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
>>
>> Hi Warda,
>>
>> Are they using ADFStoolkit or something similar in order to load metadata
>> on a regular basis?
>>
>> Best,
>>
>> Nick
>>
>>> On 20 Nov 2019, at 9:41, Warda Al Habsi wrote:
>>>
>>> Hi all,
>>>
>>> I would like to share the OMREN experience: 100% of our members are on
>>> ADFS, and support is normal compared to Shibboleth. I'm a team member who
>>> has worked on two different federations, on both Shibboleth and ADFS.
>>> I can see a big difference between the two options at least in Oman. Our
>>> members are more interested and responsive with ADFS and they can do the
>>> initial troubleshooting. Our users are not forced to use ADFS, they can
>>> select other options as well. We were able to form a task force team from
>>> the members, so they collaborate and help each other.
>>>
>>> Regards,
>>>
>>> Warda Al Habsi,
>>> Applications Manager
>>> Oman Research and Education Network - OMREN, The Research Council
>>> P.O.Box 92, Innovation Park Muscat - Al Khoud 123, Sultanate of Oman
>>> M: +968 90991133
>>> F: +968 22305820
>>> E: warda AT omren.om
>>> W: www.omren.om
>>> ORCID ID: https://orcid.org/0000-0003-1769-4670
>>>
>>> OMREN is an initiative by the research council Oman (TRC) to contribute
>>> to the rise of an effective national innovation ecosystem, and provide
>>> the research and education community in the sultanate of Oman with a
>>> common network and collaboration infrastructure dedicated and adapted to
>>> their needs.
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: edugain-discuss-request AT lists.geant.org
>>> <edugain-discuss-request AT lists.geant.org> On Behalf Of Leif Johansson
>>> Sent: Wednesday, November 20, 2019 2:34 PM
>>> To: edugain-discuss AT lists.geant.org
>>> Subject: Re: [eduGAIN-discuss] reference for expired certificate
>>> warning
>>>
>>>> On 2019-11-20 09:50, Peter Schober wrote:
>>>> * Nick Roy <nroy AT internet2.edu> [2019-11-20 00:03]:
>>>>> Perhaps counterproductively adding to my rant below: ADFS is
>>>>> terrible, but works just well enough to lull people into the belief
>>>>> that it won’t screw everything up, as it invariably does, down the
>>>>> road. I spend at least 80% of my direct-end-user-contact time
>>>>> coaching people with ADFS problems. ADFS *should not be used* in the
>>>>> context of R&E federations, nor should other similar software. This
>>>>> is a real problem that I don’t know how to address in our context,
>>>>> but the problem is getting worse every day.
>>>>
>>>> Thank you for your very clear words in this regard.
>>>>
>>>> Maybe this should be made known more widely? Open to ideas how that
>>>> would work. A REFEDS blog post? A disclaimer message to be relayed by
>>>> (Full Mesh) federations?
>>>> I'll start by quoting your post above in our documentation.
>>>>
>>>> At this time we only have a single MS-ADFS entity registered, so my
>>>> communication has been pretty clear and seemingly was effective so
>>>> far. That one entity could end up being used a lot more, though,
>>>> through services proxied behind its SP-side...
>>>>
>>>> -peter
>>>>
>>>
>>> While I tend to agree the pain is mostly localized to those that choose
>>> to sniff this particular sock. The organizations who run ADFS do that for
>>> reasons that will not be influenced by what REFEDS say.
>>>
>>> We may be able to get MSFT to improve things... I have had some chats
>>> with their new head of identity (or whatever the title is), Pamela Dingle,
>>> who at least makes the right noises. I know this is not the first time
>>> somebody has said this, too.
>>>
>>> Possibly a statement from REFEDS if wielded in a smart way may serve to
>>> make things a bit more concrete.
>>>
>>> Cheers Leif

Attachment: signature.asc
Description: OpenPGP digital signature
