
edugain-discuss - Re: [eduGAIN-discuss] AD FS (was: reference for expired certificate warning)

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Jon Agland <Jon.Agland AT jisc.ac.uk>
  • To: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] AD FS (was: reference for expired certificate warning)
  • Date: Tue, 26 Nov 2019 14:10:54 +0000
  • Accept-language: en-GB, en-US

Just to add the AD FS aspect of this thread...

Within the UK federation we've managed to avoid many AD FS instances being registered directly; mostly we see this from IdPs. This is for many of the reasons already highlighted about interoperating within a full-mesh federation. We've also documented this on our website and linked from our entity registration pages [1] (the page is due a review/update, as it was done under AD FS 4.0/2016).

We are advising our members to continue to provide an IdP that can fully interoperate comfortably within a full-mesh federation, e.g. Shibboleth IdP, but to back off the authentication to other IdP solutions where required, which provides a "single sign on experience" to end-users. Some of the solutions we know are currently being used for this are:

* third party products such as 
  * Overt Software's ADFS bridge [2]
  * the OpenAthens service [3] (also part of Jisc as of the start of the year), where many may already have a hosted IdP from them, and which supports this backing off of the authentication
* Shibboleth IdP with the RemoteUser handler enabled and protected with the Shibboleth SP to authenticate with the other IdP

With respect to the last option, we are close to having this documented for all three of those other IdP solutions (Microsoft AD FS, Azure, NetIQ AM), both for our own purposes and for the community in general. We will also be offering it to our members as part of our T&I consultancy service [4]. One of the drivers for some organisations will be to get MFA in place, and so in theory those using Azure MFA can utilise this. It is a sticking plaster, as you won't have any of the signalling that the IdP supports MFA/for SPs to request an MFA profile.

Happy to contribute to any shared documentation on the matter, so please put me down for that :)

We've had at least one call with Microsoft and one of our members, but Microsoft's willingness to resolve the issues we identified wasn't there AND also their time-scales seemed to be very far away, too far for our member. I'll also suggest here that AD FS could be a dead duck; many organisations are preferring to use the cloud based services, e.g. Azure IdP for access to Office 365/Azure etc, so maybe focusing effort there would be better?

Cheers,

Jon

[1] https://www.ukfederation.org.uk/content/Documents/ADFS
[2] https://www.overtsoftware.com/adfs-shibboleth-bridge/
[3] https://docs.openathens.net/display/public/MD/ADFS+connector
[4] https://www.jisc.ac.uk/consultancy/trust-and-identity
 
Jon Agland
Principal UK federation technical support specialist
Jisc
T 02038198207
M 07443984222
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk
ukfederation.org.uk
 
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.
 
Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company
number 2881024, VAT number GB 197 0632 86. The registered office is:
One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
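As an added illustration of the last option Jon lists (a Shibboleth IdP whose RemoteUser flow is protected by a Shibboleth SP that in turn authenticates against AD FS), here is the Apache httpd part of that arrangement. This is example configuration written for this page; it is not from the original message and not Jisc's, Overt's or Shibboleth's documentation. The hostnames, the `/idp` context path, the AJP port and the choice of `eppn` as the attribute the SP maps to `REMOTE_USER` are all assumptions.

```apache
# Added example (not from the original message): httpd vhost on the
# Shibboleth IdP server. mod_shib guards only the IdP's RemoteUser
# entry point, so an IdP login is bounced through the SP to the "other"
# IdP (AD FS here) and the result comes back to the IdP as REMOTE_USER.
# Assumed: idp.example.ac.uk, IdP webapp at /idp, IdP container on
# AJP port 8009, SP maps eppn to REMOTE_USER in shibboleth2.xml.

<VirtualHost *:443>
    ServerName idp.example.ac.uk
    # TLS directives omitted; they are installation-specific.

    # The SP's handler URL must stay reachable without a session so the
    # SAML response from AD FS can be posted back to it.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Only the RemoteUser flow's URL is protected. Metadata, SSO and
    # other IdP endpoints under /idp/ are served by the IdP unguarded.
    <Location /idp/Authn/RemoteUser>
        AuthType shibboleth
        # Without an SP session, mod_shib redirects to AD FS rather than
        # letting an anonymous request reach the IdP flow.
        ShibRequestSetting requireSession 1
        Require shib-session
        # Keep attributes in environment variables (the default). Passing
        # them as HTTP headers is the case where a client could try to
        # supply its own, so leave this off for this path.
        ShibUseHeaders Off
    </Location>

    # AJP carries the authenticated REMOTE_USER to the servlet container;
    # a plain http:// ProxyPass would drop it and force header passing.
    ProxyPass        /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp ajp://localhost:8009/idp
</VirtualHost>
```

The SP side then points at AD FS by naming its entityID (AD FS uses the form `http://<adfs-fqdn>/adfs/services/trust` by default) in the `<SSO>` element of `shibboleth2.xml` and sets `REMOTE_USER="eppn"` on `<ApplicationDefaults>`; the IdP side enables the flow with `idp.authn.flows = RemoteUser`. Two things to keep in view from a defender's angle: the Shibboleth IdP now asserts whatever AD FS returned through the SP, so that `/idp/Authn/RemoteUser` location must not be reachable by any route that bypasses mod_shib (another vhost, a direct port on the container); and, as Jon notes, the IdP has no way to tell relying parties whether AD FS actually performed MFA, so SPs that request an MFA authentication context cannot rely on this bridge to honour it.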



