edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Jon Agland <Jon.Agland AT jisc.ac.uk>
- To: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Subject: Re: [eduGAIN-discuss] AD FS (was: reference for expired certificate warning)
- Date: Tue, 26 Nov 2019 14:10:54 +0000
Just to add the AD FS aspect of this thread...
Within the UK federation we've managed to avoid many AD FS instances being registered directly; mostly we see this from IdPs. This is for many of the reasons already highlighted about interoperating within a full-mesh federation. We've also documented this on our website and linked from our entity registration pages [1] (page is due a review/update, as it was done under AD FS 4.0/2016).
We are advising our members to continue to provide an IdP that can fully interoperate comfortably within a full-mesh federation, e.g. Shibboleth IdP, but to back off the authentication to other IdP solutions where required, which provides a "single sign on experience" to end-users. Some of the solutions we know are currently being used for this are:
* third party products such as
  * Overt Software's ADFS bridge [2]
  * the OpenAthens service [3] (also part of Jisc as of the start of the year), where many may already have a hosted IdP from them, and which supports this backing off of the authentication
* Shibboleth IdP with the RemoteUser handler enabled and protected with the Shibboleth SP to authenticate with the other IdP
With respect to the last option, we are close to having this documented for all three of those other IdP solutions (Microsoft AD FS, Azure, NetIQ AM), both for our own purposes and for the community in general. We will also be offering it to our members as part of our T&I consultancy service [4]. One of the drives for some organisations will be to get MFA in place, and so in theory those using Azure MFA can utilise this. It is a sticking plaster, as you won't have any of the signalling that the IdP supports MFA/for SPs to request an MFA profile.
Happy to contribute to any shared documentation on the matter, so please put me down for that :)
We've had at least one call with Microsoft and one of our members, but Microsoft's willingness to resolve the issues we identified wasn't there AND also their time-scales seemed to be very far away, too far for our member. I'll also suggest here that AD FS could be a dead duck; many organisations are preferring to use the cloud based services, e.g. Azure IdP for access to Office 365/Azure etc., so maybe focusing effort there would be better?
Cheers,
Jon
Jon Agland
Principal UK federation technical support specialist
Jisc
T 02038198207 M 07443984222
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk ukfederation.org.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.