edugain-discuss - Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain


  • From: Chris Phillips <Chris.Phillips AT canarie.ca>
  • To: Daniel Muscat <daniel.muscat AT um.edu.mt>, "edugain-sg AT lists.geant.org" <edugain-sg AT lists.geant.org>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
  • Date: Tue, 6 Apr 2021 16:08:34 +0000
  • Accept-language: en-US

Hi Daniel and others,

We have a number of sites using Azure AD as their backend authenticator only
proxied using the Shibboleth IdP v4 as their IdP. Other sites in other
federations have reached out on the topic as well as we documented it on the
Shibboleth Knowledge Base here [1] for all to use.

Proxying offers us a clear demarcation point and place to exert control for
the features we want in an R&E federation IdP at the pace we want which is
much faster in most cases.

Other proxy stories can be done with R&E tech like SATOSA and SimpleSAMLPHP.
We ourselves use Shib, SATOSA, and SSPHP in our own solutions for different
reasons, with the Shibboleth Proxy story being the one recommended first,
followed by SATOSA and SSPHP. The biggest challenge of anything is knowledge
in the field at the institutions and understanding the real problem they are
trying to solve.

We also support ADFS with ADFSToolkit on prem connected to Azure AD which is
a common pathway for sites to co-habitate with Azure AD. The biggest draw for
that: existing knowledge, infrastructure already deployed, and access to
Azure MFA. This is why we've invested in the ADFSToolkit (now at version
2)[2] so we can get sites to REFEDS MFA capable levels on this technology as
well.

Included below is the laundry list of Azure AD challenges to help describe
why a proxy is needed.

Questions and comments welcome as always, and happy to share our experiences
so far.

Chris.


Azure AD challenges to being an R&E IdP on its own:
- cannot validate an aggregate with a federation's Signing Key
- cannot handle an aggregate -- it can only do bi-lateral SAML and not
Multi-lateral SAML
- has a limit of 1000 RPs per tenant
- cannot support MDQ
- cannot do entity categories management
- cannot properly support and respond to REFEDS MFA and SFA profiles as
triggered by SAML RPs
- cannot properly contain eduPerson or ShacPerson schema elements in Azure AD
without significant schema manipulation to extendedAttributes##[1-13]
- cannot handle custom multi-valued attributes in Azure AD consistently (or
sometimes at all!) [3][4]
- cannot generate eduPersonTargetedID
- cannot generate scripted attributes with same level of fidelity as other
solutions

[1]
https://wiki.shibboleth.net/confluence/display/KB/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD
[2] https://github.com/fedtools/adfstoolkit
[3]
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes

(Custom attributes can't be referential attributes, multi-value or
complex-typed attributes. Custom multi-value and complex-typed extension
attributes are currently supported only for applications in the gallery. )
[4]
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions



On 2021-04-06, 9:32 AM, "edugain-discuss-request AT lists.geant.org on behalf
of Daniel Muscat" <edugain-discuss-request AT lists.geant.org on behalf of
daniel.muscat AT um.edu.mt> wrote:

Dear all,
We have a prospective member that will probably need to integrate a
SAML IDP based on the Azure Active Directory. I am wondering if
anybody can share any experience on the Azure Active Directory as an
IDP used to authenticate for SPs on eduGain, in particular inAcademia.

--
Regards
Daniel
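The list of Azure AD gaps above boils down to two things a proxy IdP has to supply in front of it: multilateral metadata handling (consuming a federation aggregate, honouring the entity categories it carries) and federation-style identifiers such as eduPersonTargetedID. The following is an added example, not code from the post, from CANARIE or from the Shibboleth project, that sketches both in plain Python. The aggregate it parses is constructed sample data, the salt is a placeholder, and the attribute bundle in `release_policy` is a simplified illustration of category-driven release; the persistent-ID routine follows the well-known Shibboleth ComputedId construction (Base64 of SHA-1 over `sp!user!salt`). Signature verification of the aggregate with the federation signing key needs an XML-DSig library and is only represented here by a presence check.

```python
"""Added example: what a proxy IdP adds on top of a bilateral-only backend.

Constructed sample metadata; placeholder salt; not the Shibboleth IdP's code.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"

# Constructed aggregate: one R&S-tagged SP and one untagged SP, plus a
# (placeholder, unverifiable) signature element as a real aggregate would carry.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_aggregate(xml_text):
    """Return {entityID: set(entity categories)} for every entity in an aggregate.

    A real proxy verifies the enclosing ds:Signature against the federation's
    signing key (with an XML-DSig library) before trusting any of this; here we
    only insist that a signature element is present.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("not a metadata aggregate (EntitiesDescriptor expected)")
    if root.find("ds:Signature", NS) is None:
        raise ValueError("aggregate is unsigned; refusing to load")
    entities = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        cats = set()
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.findall(path, NS):
            if attr.get("Name") == ENTITY_CATEGORY:
                for val in attr.findall("saml:AttributeValue", NS):
                    cats.add((val.text or "").strip())
        entities[ed.get("entityID")] = cats
    return entities


def release_policy(categories):
    """Simplified category-driven release: R&S SPs get the R&S bundle,
    everyone else only a targeted (pairwise) identifier."""
    rs_bundle = {"eduPersonPrincipalName", "mail", "displayName",
                 "givenName", "sn", "eduPersonScopedAffiliation"}
    return rs_bundle if REFEDS_RS in categories else {"eduPersonTargetedID"}


def computed_targeted_id(sp_entity_id, source_id, salt):
    """Shibboleth-style ComputedId: Base64(SHA-1(sp + '!' + source + '!' + salt)).

    Pairwise: the same user yields a different value at every SP, and the value
    is stable across logins as long as the salt and source id do not change.
    """
    raw = "%s!%s!%s" % (sp_entity_id, source_id, salt)
    return base64.b64encode(hashlib.sha1(raw.encode("utf-8")).digest()).decode("ascii")


if __name__ == "__main__":
    entities = parse_aggregate(SAMPLE_AGGREGATE)
    for sp, cats in entities.items():
        print(sp, sorted(cats), sorted(release_policy(cats)))
        print("  ePTID:", computed_targeted_id(sp, "alice", "PLACEHOLDER-SALT"))
```

The aggregate check is the part Azure AD lacks outright (it only accepts one RP at a time, bilaterally); the category lookup is what lets the proxy apply R&S or other entity-category release without per-SP configuration; and the computed identifier is the eduPersonTargetedID the post says Azure AD cannot generate.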
