Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain


Chronological Thread 
  • From: Chris Phillips <Chris.Phillips AT canarie.ca>
  • To: Daniel Muscat <daniel.muscat AT um.edu.mt>, "edugain-sg AT lists.geant.org" <edugain-sg AT lists.geant.org>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
  • Date: Tue, 6 Apr 2021 16:08:34 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=canarie.ca; dmarc=pass action=none header.from=canarie.ca; dkim=pass header.d=canarie.ca; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Agj6BswGoNGzqGauLVxc3rE1XSalHEFimmvtHT+i8qA=; b=lUbqN8EVvrtEhYUqW05b7oMG1csx+p4yK+umm16i5nzvnJR7GyzhV0OOdy5KW2N3gIyvfYNmGCiHYoj70b2v8krVJNoZrMbEqcu4gucLNcygKVCCrXqusnZpDTJ4PQ40SytX9xcBUqE2jRd3AqxPcVrXN/qJbIHCVIGA3sPUjxsmnz4QPAmZp2AJrdHRijOGV4R/PJ4FVoqrHHlbn2UR+AsS8yIo07Oj2v22CVGzf1R5qi72B6wKMVr4iXq0Q+gNEndvK8I/00oAQMx+NWxGqdjGYRT7sYnXcmrPjAsWveZ5mQubXZofsPxducKV7DHfFS6mteJtpSDaeXgOHUcXsg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CnGXdb0AjUjN6YMwRg8Uf4LBHHnCyEcHb/ITwP6teM8gk+8S747Ka75bVIkz4ngrkF0EgrTnS1XeB0MIyR7JGR4e1ufv/L1k5H+A8PssSVX8HL2j0VmpaSQ2NqwxfiyxU8GyLhGViMOwZV/BoAZeJld4vMtMcb+kt9NqFD0/T4pFIHLgU4+FKDA7DIzNnQjE9Ji0Gyjbe+tkQhfm9z2+MQlssGZpwWe3i7RWX34DPXRnnK2iRwanBQJ7SWEosnLbAfWnmoTMaIuh3orGHrp+vxfIlC3nuS5hX72RSDeGvC8zoD9fw6vqf1bQlO8ThKe8DV6UCqQ8JuDYozibb9tTsA==
  • Authentication-results: um.edu.mt; dkim=none (message not signed) header.d=none;um.edu.mt; dmarc=none action=none header.from=canarie.ca;

Hi Daniel and others..

We have a number of sites using Azure AD as their backend authenticator only
proxied using the Shibboleth IdP v4 as their IdP. Other sites in other
federations have reached out on the topic as well as we documented it on the
Shibboleth Knowledge Base here [1] for all to use.

Proxying offers us a clear demarcation point and place to exert control for
the features we want in an R&E federation IdP at the pace we want which is
much faster in most cases.

Other proxy stories can be done with R&E tech like SATOSA and SimpleSAMLPHP.
We ourselves use Shib, SATOSA, and SSPHP in our own solutions for different
reasons with the Shibboleth Proxy story being the one recommend first
followed by SATOSA and SSPHP. The biggest challenge of anything is knowledge
in the field at the institutions and understanding the real problem they are
trying to solve.

We also support ADFS with ADFSToolkit on prem connected to Azure AD which is
a common pathway for sites to co-habitate with Azure AD. The biggest draw for
that: existing knowledge, infrastructure already deployed, and access to
Azure MFA. This is why we've invested in the ADFSToolkit (now at version
2)[2] so we can get sites to REFEDS MFA capable levels on this technology as
well.

Included below is the laundry list of Azure AD challenges to help describe
why a proxy is needed.

Questions and comments welcome as always and happy to share our experiences
so far..

Chris.


Azure AD challenges to being an R&E IdP on its own:
- cannot validate an aggregate with a federation's Signing Key
- cannot handle an aggregate -- it can only do bi-lateral SAML and not
Multi-lateral SAML
- has a limit of 1000 RPs per tenant
- cannot support MDQ
- cannot do entity categories management
- cannot properly support and respond to REFEDS MFA and SFA profiles as
triggered by SAML RPs
- cannot properly contain eduPerson or ShacPerson schema elements in Azure AD
without significant schema manipulation to extendedAttributes##[1-13]
- cannot handle custom multi-valued attributes in azure AD consistently (or
sometimes at all!)[3][4]
- cannot generate eduPersonTargetedID
- cannot generate scripted attributes with same level of fidelity as other
solutions






[1]
https://wiki.shibboleth.net/confluence/display/KB/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD
[2] https://github.com/fedtools/adfstoolkit
[3]
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes

(Custom attributes can't be referential attributes, multi-value or
complex-typed attributes. Custom multi-value and complex-typed extension
attributes are currently supported only for applications in the gallery. )
[4]
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions



On 2021-04-06, 9:32 AM, "edugain-discuss-request AT lists.geant.org on behalf
of Daniel Muscat" <edugain-discuss-request AT lists.geant.org on behalf of
daniel.muscat AT um.edu.mt> wrote:

Dear all,
We have a prospective member that will probably need to integrate a
SAML IDP based on the Azure Active Directory. I am wondering if
anybody can share any experience on the Azure Active Directory as an
IDP used to authenticate for SPs on eduGain, in particular inAcademia.

--
Regards
Daniel

Attachment: smime.p7s
Description: S/MIME cryptographic signature




Archive powered by MHonArc 2.6.19.

Top of Page