An open discussion list for topics related to the eduGAIN interfederation service.

[Peter Schober <peter.schober AT univie.ac.at>]

Daniel et al.,

* Daniel Muscat <daniel.muscat AT um.edu.mt> [2021-04-06 15:32]:
> We have a prospective member that will probably need to integrate a
> SAML IDP based on the Azure Active Directory. I am wondering if
> anybody can share any experience on the Azure Active Directory as an
> IDP used to authenticate for SPs on eduGain, in particular inAcademia.

Azure AD does not support SAML in a way that would allow for
federation and eduGAIN parcipation, it only supports bilateral
federation.

For MS-ADFS this community has contributed the
https://adfstoolkit.org/ to work around its limitations.
But nothing comparable exists for Azure AD. (It's not clear to me
whether that will change in the future.)

For Hub&Spoke federations (of which RiċerkaNET Identity Federation is
not an example) the situation is different since in that model the
Azure AD SAML IDP only needs to know and interoperate with a single
entity (the SP-side of the Hub), which is managable but of no help to
you or your members.

In addition to the severe technical limitations of the MS
implementation there's also the policy issue of the entityID values of
Azure AD "tenant" IDPs:
There is no know established/documented process that would allow an
Azure AD "tenant" to demonstrate ownership (or the right to use) of an
entityID of the form "https://sts.windows.net/<UUID>/", leading to the
problem of potential IDP impersonation within eduGAIN.
Some federations filter our such entities and therefore interoperation
across eduGAIN is not at all ensured for these entities.

Best regards,
-peter