
edugain-discuss - Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain


  • From: Thijs Kinkhorst <thijs.kinkhorst AT surf.nl>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
  • Date: Tue, 6 Apr 2021 20:28:30 +0200
  • Organization: SURF

Hi Peter,

On 06-04-2021 at 16:23, Peter Schober wrote:
In addition to the severe technical limitations of the MS
implementation there's also the policy issue of the entityID values of
Azure AD "tenant" IDPs:
There is no known established/documented process that would allow an
Azure AD "tenant" to demonstrate ownership (or the right to use) of an
entityID of the form "https://sts.windows.net/<UUID>/", leading to the
problem of potential IDP impersonation within eduGAIN.

Of course we have a policy to establish that an IdP we register is legitimate. I do not agree that this must and can only be established by in some way technically analysing the entityID itself.

Our procedures stipulate that any change to a production IdP can only be done when authorized by the registered SURFconext contact person at the institution. They will have to confirm when a new IdP is to be registered. Therefore you cannot register an Azure AD tenant for an institution you are not authoritative for.

Who these authorized persons are is in turn determined by the primary contact person (decision maker) of the institution to SURF, which ultimately follows from the SURF membership contract. There are procedures in place within SURF to ensure these delegations of power are authorized.

Our approach is technology agnostic. eduGAIN does for example allow URN entityIDs. They cannot be verified in DNS either.
In fact, I will argue that the approach of just looking at the DNS domain name is far from satisfactory for me. It would mean that the only power you need is to be able to create a DNS entry somewhere under the institution's domain. In big institutions, which also often have delegated subzones, this can usually be done by orders of magnitude more people than are authoritative about the Identity Provider.

But even then, we do also always require scopes to be set, which _are_ validated via whois to be owned by the registering institution.

I will admit that our MDRPS (which stems from 2012) is currently quite a high level document and a next revision could elaborate more on different aspects of our procedures.

Some federations filter out such entities and therefore interoperation
across eduGAIN is not at all ensured for these entities.

I have doubts that this is reasonable to do wholesale. The registering federation can be asked to clarify if there are doubts about its registration policy, or held accountable if there are concerns about a specific entity.

Kind regards,
Thijs
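The two registration checks discussed in this message (an Azure AD tenant entityID of the form https://sts.windows.net/<UUID>/ carries nothing that ties it to an institution, so authorisation must come from the registered contact out of band; and shibmd:Scope values must match domains the registrar has verified the institution owns) can be expressed as a small registrar-side metadata check. The code below is an added example and is not from this thread, from SURF, or from any federation's own tooling; the metadata document, the verified-domain set and the function names are constructed for illustration.

```python
"""Registrar-side policy check for one SAML IdP metadata entry.

Added example (not from the mailing-list thread or any federation's own
code). It encodes two points from the discussion above:
  1. an Azure AD tenant entityID (https://sts.windows.net/<UUID>/) cannot be
     tied to an institution by inspecting the entityID itself, so the only
     evidence of legitimacy is an out-of-band authorisation by the registered
     contact person; and
  2. the literal shibmd:Scope values of the IdP must all be domains whose
     ownership the registrar has verified (the message mentions whois).
The metadata and the verified-domain set are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Shape of an Azure AD tenant entityID: https://sts.windows.net/<tenant UUID>/
AZURE_AD_ENTITYID = re.compile(
    r"^https://sts\.windows\.net/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/$",
    re.IGNORECASE,
)

# Constructed sample: an Azure AD tenant submitted for a fictional institution.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://sts.windows.net/12345678-1234-1234-1234-123456789abc/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example-university.example</shibmd:Scope>
      <shibmd:Scope regexp="false">other-org.example</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: domains the registrar has verified (e.g. via whois)
# to belong to the registering institution.
VERIFIED_DOMAINS = {"example-university.example"}


def classify_entityid(entity_id):
    """Return 'azure-ad', 'urn' or 'https' for an entityID string."""
    if AZURE_AD_ENTITYID.match(entity_id):
        return "azure-ad"
    if entity_id.lower().startswith("urn:"):
        return "urn"
    return "https"


def check_idp_registration(metadata_xml, verified_domains, authorised_by_contact):
    """Evaluate one IdP entity against the registrar's policy.

    `authorised_by_contact` is the out-of-band fact that the registered contact
    person confirmed this registration; the metadata cannot supply it.
    Returns the entityID class, the scopes found, the scopes that are not
    verified domains, and an overall 'accept' decision.
    """
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID", "")
    kind = classify_entityid(entity_id)
    # Only literal (regexp="false") scopes can be matched against owned domains.
    scopes = [
        s.text.strip()
        for s in root.findall(".//md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS)
        if s.get("regexp", "false") == "false" and s.text
    ]
    verified = {d.lower() for d in verified_domains}
    unverified = [s for s in scopes if s.lower() not in verified]
    # Accept only with contact authorisation, at least one scope, and no
    # scope outside the verified domain set.
    accept = bool(authorised_by_contact) and bool(scopes) and not unverified
    return {
        "entity_id": entity_id,
        "kind": kind,
        "scopes": scopes,
        "unverified_scopes": unverified,
        "accept": accept,
    }


if __name__ == "__main__":
    result = check_idp_registration(SAMPLE_METADATA, VERIFIED_DOMAINS, True)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed sample the entity is classified as an Azure AD tenant and rejected, because one of its scopes (other-org.example) is not among the domains verified for the institution; the same metadata with both scopes verified and a confirmed contact authorisation is accepted. The entityID class is reported but never used to reject on its own, matching the technology-agnostic stance in the message.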


