edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Thijs Kinkhorst <thijs.kinkhorst AT surf.nl>
- To: edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
- Date: Tue, 6 Apr 2021 20:28:30 +0200
- Organization: SURF
Hi Peter,
On 06-04-2021 at 16:23, Peter Schober wrote:
> In addition to the severe technical limitations of the MS
> implementation there's also the policy issue of the entityID values of
> Azure AD "tenant" IDPs:
> There is no known established/documented process that would allow an
> Azure AD "tenant" to demonstrate ownership (or the right to use) of an
> entityID of the form "https://sts.windows.net/<UUID>/", leading to the
> problem of potential IDP impersonation within eduGAIN.
Of course we have a policy to establish that an IdP we register is legitimate. I do not agree that this must, and can only, be established by technically analysing the entityID itself in some way.
Our procedures stipulate that any change to a production IdP can only be made when authorized by the registered SURFconext contact person at the institution. They will have to confirm when a new IdP is to be registered. Therefore you cannot register an Azure AD tenant for an institution you are not authoritative for.
Who these authorized persons are is in turn determined by the primary contact person (decision maker) of the institution to SURF, which ultimately follows from the SURF membership contract. There are procedures in place within SURF to ensure these delegations of power are authorized.
Our approach is technology agnostic. eduGAIN does, for example, allow URN entityIDs. They cannot be verified in DNS either.
In fact, I will argue that the approach of just looking at the DNS domain name is far from satisfactory for me. It would mean that the only power you need is to be able to create a DNS entry somewhere under the institution's domain. In big institutions, which also often have delegated subzones, this can usually be done by orders of magnitude more people than are authoritative about the Identity Provider.
But even then, we do also always require scopes to be set, which _are_ validated via whois to be owned by the registering institution.
I will admit that our MDRPS (which stems from 2012) is currently quite a high-level document and a next revision could elaborate more on different aspects of our procedures.
> Some federations filter out such entities and therefore interoperation
> across eduGAIN is not at all ensured for these entities.
I have doubts that this is reasonable to do wholesale. The registering federation can be asked to clarify if there are doubts about its registration policy, or held accountable if there are concerns about a specific entity.
Kind regards,
Thijs
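The discussion above turns on two things a registrar can actually look at in SAML metadata: the entityID (which for an Azure AD tenant carries no institutional DNS name, and for a URN no DNS name at all) and the shibmd:Scope values that are validated against domain ownership. The following is an added illustration, not code from this thread, from SURF or from eduGAIN: a small metadata audit that parses a constructed aggregate, classifies each IdP's entityID as a DNS-based URL, a URN or an Azure AD tenant of the form https://sts.windows.net/<UUID>/, and lists the scopes that would be the actual ownership evidence. The sample entityIDs, scopes and UUID are made up.

```python
"""Added example, not code from the thread, SURF or eduGAIN: classify IdP
entityIDs in a SAML metadata aggregate and collect the shibmd:Scope values
a registrar validates. The sample metadata below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Azure AD tenant entityID shape quoted in the thread: https://sts.windows.net/<UUID>/
AZURE_TENANT_RE = re.compile(
    r"^https://sts\.windows\.net/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/$",
    re.IGNORECASE,
)

# Constructed sample aggregate: domains, URN and UUID are made up.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example-university.example/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example-university.example</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sts.windows.net/12345678-1234-1234-1234-123456789abc/">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example-college.example</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:example-org:idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-service.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def classify_entity_id(entity_id):
    """Return 'azure-tenant', 'urn', 'url' or 'other'. Only 'url' even
    carries a DNS name that could be argued to indicate ownership."""
    if AZURE_TENANT_RE.match(entity_id):
        return "azure-tenant"
    if entity_id.startswith("urn:"):
        return "urn"
    if entity_id.startswith(("https://", "http://")):
        return "url"
    return "other"


def audit_idps(metadata_xml):
    """One dict per IdP: entityID, its class, the literal (non-regexp)
    scopes declared, and whether any scope exists for a registrar to
    validate. SPs are skipped; the thread is about IdP registration."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        entity_id = ed.get("entityID")
        scopes = [
            s.text.strip()
            for s in idp.findall("md:Extensions/shibmd:Scope", NS)
            if s.get("regexp", "false").lower() != "true" and s.text
        ]
        findings.append({
            "entityID": entity_id,
            "kind": classify_entity_id(entity_id),
            "scopes": scopes,
            "has_validatable_scope": bool(scopes),
        })
    return findings


def idps_needing_review(findings):
    """IdPs that declare no scope at all: the registrar then has no domain
    to check against the institution's registration, whatever the entityID."""
    return [f["entityID"] for f in findings if not f["has_validatable_scope"]]


if __name__ == "__main__":
    results = audit_idps(SAMPLE_METADATA)
    for f in results:
        print(f["kind"], f["entityID"], f["scopes"])
    print("needs review:", idps_needing_review(results))
```

Run against the sample, the Azure AD tenant and the URN entityID both get a non-DNS classification, but only the URN IdP ends up in the review list, because the tenant still declares a scope that can be checked against the registering institution; that is the distinction the message draws between inspecting the entityID and validating scopes.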