edugain-discuss - Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain


  • From: Daniel Muscat <daniel.muscat AT um.edu.mt>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
  • Date: Fri, 4 Aug 2023 10:29:29 +0200

Dear all,
   In relation to this thread, Microsoft is now encouraging the use of Cirrus Bridge ( https://learn.microsoft.com/en-us/azure/active-directory/architecture/multilateral-federation-solution-one ) to integrate Azure AD with eduGAIN. Does anybody use this product and could give feedback on how worthy it is?

Regards
Daniel


On Wed, 14 Apr 2021 at 13:24, Guy Halse <guy AT tenet.ac.za> wrote:
Hi

On 2021/04/14 12:14, Peter Schober wrote:
Whether the WebPKI's use of domain control validation is a good
example for the kind of trust we're trying to establish within
Identity Federations is questionable.
And WHOIS as a means of proving domain "ownership" for scopes and entityIDs is somehow better?

Even pre-GDPR, the information contained in WHOIS is/was largely self-asserted. I am whomever I tell my Registrar that I am, and they don't care provided my credit card works. I have *never* been asked to prove identity by a DNS Registrar for anything other than a moderated domain (such as our .ac.za).

Now what is in WHOIS is both self-asserted and largely redacted and inaccessible. Here's what I have to work with when I try to use WHOIS to validate the edugain.org domain:
Domain Name: edugain.org
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY

Registrant Email: info AT domain-contact.org
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Email: info AT domain-contact.org

Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Email: info AT domain-contact.org
Billing Name: REDACTED FOR PRIVACY 
Billing Organization: REDACTED FOR PRIVACY
Billing Email: info AT domain-contact.org
At least with the DCV approach, I know that the person I am talking to has some level of administrative control over the domain; with WHOIS I now have nothing...

Ask yourself this: Is anything able to get any DCV TLS certificate
trustworthy to do business with? Is that enough to know what
real-world entity is behind this certificate?
To be clear, I don't believe that either DCV or WHOIS are sufficient on their own. I'm suggesting that, coupled with other mechanisms we already have, DCV provides analogous levels of trust to WHOIS.

In this regard, I'm with Thijs:

On 2021/04/14 12:35, Thijs Kinkhorst wrote:
In short, yes, I believe our procedures, contracts, technological measures AND community individually already provide good guarantees, and that all four combined give me a very high confidence in the process.

I'm talking about DCV performed by an individual who has been formally designated as a contact for the organisation responsible for the entity. And that organisation being one with whom there is a direct contractual relationship, and whose identity is verifiable (OV in the PKI analogy). And in a lot of cases, certainly for smaller federations, a person with whom there is an established interpersonal relationship (Thijs's "community" point).

And to extend this to the Azure case, I'm talking about finding an equivalent of DCV to verify the tenant ID used in that entityID that can be coupled with the above to provide a fairly high confidence that the Azure entityID belongs to the organisation claiming it.

Thus far the best I've managed there is to have that individual demonstrate operational control of the tenant over Zoom. Not ideal. Doesn't scale. But doable (and funnily enough, akin to how AATL vendors are doing validation for document signing certs).

Kind regards,

- Guy
--
Guy Halse
Executive Officer: Trust & Identity

Tertiary Education & Research Network of South Africa NPC

Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592


--
Regards
Daniel
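A minimal form of the DCV check Guy describes, as an added example that is not from the thread or from any federation's registry tooling: the organisation's designated contact publishes a challenge-derived TXT record under the domain behind a scope or entityID, and the federation operator verifies it. The TXT label, the DNS table and the resolver are constructed assumptions; the hosted-IdP host check illustrates why an Azure entityID (issuer host sts.windows.net, which belongs to Microsoft, not the tenant) cannot be validated this way and needs the separate tenant-control step Guy mentions.

```python
"""Domain-control validation (DCV) for federation scopes and entityIDs.

Added example, not code from the eduGAIN list or any federation. The DNS
resolver is injected so the example runs offline against a constructed table.
"""
import hashlib
from urllib.parse import urlparse

CHALLENGE_LABEL = "_federation-dcv"      # assumed label, not a registered one
# Hosted IdP hosts: DCV here would prove control of the provider, not the tenant.
SHARED_IDP_HOSTS = {"sts.windows.net"}


def domain_of(identifier: str) -> str:
    """Host behind a scope ('example.ac.za') or an entityID URL."""
    host = urlparse(identifier).hostname if "://" in identifier else identifier
    return (host or "").lower().rstrip(".")


def expected_txt(token: str) -> str:
    """Publish a digest of the token rather than the token itself (ACME-style)."""
    return hashlib.sha256(token.encode()).hexdigest()


def validate(identifier: str, token: str, resolve_txt) -> str:
    """Return 'ok', 'shared-host', 'no-record' or 'mismatch'."""
    host = domain_of(identifier)
    if host in SHARED_IDP_HOSTS:
        return "shared-host"
    try:
        records = resolve_txt(f"{CHALLENGE_LABEL}.{host}")
    except LookupError:
        return "no-record"
    return "ok" if expected_txt(token) in records else "mismatch"


# Constructed DNS data standing in for a real resolver.
FAKE_DNS = {
    f"{CHALLENGE_LABEL}.example.ac.za": [expected_txt("tok-123")],
}


def fake_resolve_txt(name: str) -> list[str]:
    if name not in FAKE_DNS:
        raise LookupError(name)
    return FAKE_DNS[name]


if __name__ == "__main__":
    print(validate("example.ac.za", "tok-123", fake_resolve_txt))
```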



