Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain


Chronological Thread 
  • From: Thijs Kinkhorst <thijs.kinkhorst AT surf.nl>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
  • Date: Wed, 14 Apr 2021 12:35:05 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=surf.nl; dmarc=pass action=none header.from=surf.nl; dkim=pass header.d=surf.nl; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lDFJm+9dHuxe6HesowAUFBP4/0dRkprX77vx1VETTuw=; b=IftQ/s5NGmp6gTFFhbDoJ9GhTUNMtkONS5PWQDDGG85hRbn3EFG8l+czgmxBaySzX68zlToH1FGHdFbh7WZkCSqoLi6TlsSfLaKIovCDy8k0zlBFXcknD4LA4yR+nukjyXeQ2CsSxKeXKoJ/k9VrGR5ER+7r9SfxY6UD5L1lpcmwtRvzYEPgSnatk9Dex2pYoT0VvopHf/H0HNJtgHzpW1gksthuJRKuzIsHwYQVcwCNCs8RNrz071xMGReglVhTSfHmri96aWC+tLP33ejd7bS1zYr9IBIIeLk3YQZniBpIf/HsdtIhQCQz+Ev1X64xpFuuwA0Bk4MbffBzPQ8QeA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=L1/5w876sTukF2a9CTJWahEk5ofoivl6t8i8rKHRIPUTSyP+fs+xDne1T5oqLiUWnKd3sn44kaslQMsGBI3bP/EPZ76V+AC5Be5kj6iZ8jC+PBqM1ibUPNOcGm1NHZB/Iu8ENjylwrFW+YarQpZ/t3XNbL3kMQu4Y03tU9oLHdkIMyyEk876qHdBS8joDOkyW8TLm466XSEJUK6I8Kf5fl9t++2f3jjA7tHE4YIgH/A1ueMKxEK32375EgaJquns99fgL3l30BlHPpTjHJ1JkU/SEFC907sz2PdNL3t5TMgzcr0M5zSy3v6vwYErzbYGCd2L144AY/mgfFG13dJ84w==
  • Authentication-results: lists.geant.org; dkim=none (message not signed) header.d=none;lists.geant.org; dmarc=none action=none header.from=surf.nl;
  • Organization: SURF

Op 14-04-2021 om 12:14 schreef Peter Schober:
* Guy Halse<guy AT tenet.ac.za> [2021-04-07 09:44]:
What I don't have yet is a good model for demonstrating operational
control of an AzureAD entityID. However, like Thijs, I'm not
actually convinced it is completely necessary if our mechanisms for
validating organisational contacts are robust enough.
So some registered contact person simply saying that this is "their"
domain (for use in scopes, attribute values, entityIDs, etc.) is
sufficient for you?
I guess you may trust your own community with such claims (and might
have easy legal recourse with local entities) but is that good enough
for a global trust fabric, allowing for anyone to claim anyone else's
"tenant" simply by saying so?

In short, yes, I believe our procedures, contracts. technolical measures AND community are individually already provide good guarantees and and that all four combined give me a very high confidence in the process.

Even if you think that impersonation is an actual and acute risk in eduGAIN (I'm not sure it is), I'm skeptical that DNS would be a better defense against it. Speaking for our selves, not re-check the DNS of entityIDs registered by other federations (also not sure how we would be able to do so for all entities), so even using DNS as a measure does not protect against a scenario where eduID.at would roguely register an IdP giving out uva.nl credentials.


Kind regards,
Thijs



Archive powered by MHonArc 2.6.19.

Top of Page