
edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Nick Roy <nroy AT internet2.edu>
  • To: Pål Axelsson <pax AT sunet.se>
  • Cc: Guy Halse <guy AT tenet.ac.za>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Thu, 21 Nov 2019 16:30:07 +0000
  • Accept-language: en-US

Pål, I agree fully with what you said in the first paragraph. I think it is going to take a combination of marketing and communications to IT leadership at schools, training programs for IT staff, and end-user support.

I have seen a Windows systems administrator with zero IAM experience configure and run the InCommon Shibboleth IdP Docker container in less than an hour. Operating systems are increasingly irrelevant. It’s all about running this decade’s equivalent of 'a.out' in $pickYourContainerService.

Nick

On 21 Nov 2019, at 6:40, Pål Axelsson wrote:

Hi,

SWAMID is one of those federations that has ADFS as identity providers, and for us this is a question of getting skilled administrators working with the identity providers. It's very hard to get hold of an administrator for an odd duck. The identity provider software is today a very odd duck in the IT environment at our member institutions. To leverage this, many CIOs have decided from a qualified personnel supply perspective. It is much easier for them to get skilled Microsoft server administrators with good knowledge of ADFS than skilled Java administrators with good knowledge of Shibboleth. To have a well-working infrastructure you need more than one person who understands how the different parts of it work, which makes it even harder.

With that said, we as an identity federation must help them to run what they are able to handle in ordinary, good system operational fashion. Even though we know there are problems with ADFS, we decided to heavily invest in support for ADFS. We started the work on ADFStoolkit some years ago and Chris came in and helped us make it a finished package. ADFStoolkit handles most of the problems that ADFS has regarding multilateral identity federations, but some things are still problematic.

We have understood that SWAMID must meet our member organizations somewhere in the middle to still be relevant. For us the policy side is relatively straightforward, but the technology always throws a curve ball due to non-technical constraints.

Pål

From: edugain-discuss-request AT lists.geant.org <edugain-discuss-request AT lists.geant.org> On behalf of Guy Halse
Sent: 21 November 2019 09:26
To: Nick Roy <nroy AT internet2.edu>
Cc: edugain-discuss AT lists.geant.org
Subject: Re: [eduGAIN-discuss] reference for expired certificate warning

Hi

On 2019/11/20 01:02, Nick Roy wrote:

Perhaps counterproductively adding to my rant below: ADFS is terrible, but works just well enough to lull people into the belief that it won’t screw everything up, as it invariably does, down the road. I spend at least 80% of my direct-end-user-contact time coaching people with ADFS problems. ADFS should not be used in the context of R&E federations, nor should other similar software. This is a real problem that I don’t know how to address in our context, but the problem is getting worse every day.


With respect, I think this rant comes from a privileged position of being an established player in a wealthy economy.

I'll agree with you that it's terrible. However, in the context of developing R&E federations, it is the establishment we are effectively competing against.

Whether we like it or not, many of our institutions are well entrenched within the Microsoft ecosystem, and already make use of ADFS for integration with O365 and a bunch of other things. They have staff who know enough about ADFS to make it work for those use cases. On the contrary, Shibboleth/SimpleSAMLphp/etc are things they have likely never encountered before. What that probably boils down to is that Microsoft are good at marketing; we are not.

Our reality is also that universities are underfunded, under-resourced and understaffed. That has two implications: the status quo has a very long tail, and so anything that takes them out of their comfort zone gets put on a back burner for a really long time.

When a researcher arrives with a use case for R&E federation, their natural answer is to set up a point-to-point relationship in ADFS in the Microsoft way. This is understandable, because it is entirely within their comfort zone, and reuses infrastructure they've already built. Even if they're not already ADFS users, installing ADFS - a product they've effectively already paid for and can get local support for through their existing partners - is far more attractive than building new infrastructure, even if that software is "free". The result is that when we come to them with the idea of R&E federation, our starting position is on the back foot. Persuading them to federate is hard enough, without having to argue against a product they're already using and that's meeting most of their other requirements.

I'm very aware that even I have a privileged position. Our economy is such that I can turn round to institutions and say "we can get it to work, but only if you upgrade to the latest version", thus limiting my exposure to the broken. However that's not reality in other countries I've worked with, because in addition to the problems above, upgrading involves more money. And that doesn't happen until products go out-of-support and there's no alternative.

Thus from my perspective, ADFS is something I have to learn to live with if I want R&E federation to succeed here. Given the choice between living with ADFS's quirks and abandoning the idea of getting R&E federation working, I'll choose the former. Because I have researchers who need me to maak 'n plan. [1]

</metarant>

- Guy

[1] https://www.quora.com/What-does-a-boer-maak-n-plan-mean

--

Guy Halse
Director Trust & Identity

Tertiary Education & Research Network of South Africa NPC

Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592

Attachment: signature.asc
Description: OpenPGP digital signature
