edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Daniel Muscat <daniel.muscat AT um.edu.mt>
- To: Albert Wu <awu AT internet2.edu>
- Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Subject: Re: [eduGAIN-discuss] Use of Azure Active Directory in eduGain
- Date: Mon, 2 Oct 2023 20:02:12 +0200
Hello Daniel,
If this helps, several schools in the US recently replied to a similar question on the InCommon Participants list. All of them spoke very positively of Cirrus Bridge.
Albert
Albert Wu
InCommon Federation Manager
On 9/29/23, 11:35 AM, "edugain-discuss-request AT lists.geant.org" <edugain-discuss-request AT lists.geant.org> wrote:
Hi all,
Is there anyone who can give me feedback on Cirrus Bridge?
Regards
Daniel
On Fri, 4 Aug 2023 at 10:29, Daniel Muscat <daniel.muscat AT um.edu.mt> wrote:
Dear all,
In relation to this thread, Microsoft is now encouraging using Cirrus Bridge ( https://learn.microsoft.com/en-us/azure/active-directory/architecture/multilateral-federation-solution-one ) to integrate Azure AD with eduGAIN. Does anybody use this product and can give feedback on how worthy it is?
Regards
Daniel
On Wed, 14 Apr 2021 at 13:24, Guy Halse <guy AT tenet.ac.za> wrote:
Hi
On 2021/04/14 12:14, Peter Schober wrote:
Whether the WebPKI's use of domain control validation is a good example for the kind of trust we're trying to establish within Identity Federations is questionable.
And WHOIS as a means of proving domain "ownership" for scopes and entityIDs is somehow better?
Even pre-GDPR, the information contained in WHOIS is/was largely self-asserted. I am whomever I tell my Registrar that I am, and they don't care provided my credit card works. I have *never* been asked to prove identity by a DNS Registrar for anything other than a moderated domain (such as our .ac.za).
Now what is in WHOIS is both self-asserted and largely redacted and inaccessible. Here's what I have to work with when I try to use WHOIS to validate the edugain.org domain:
Domain Name: edugain.org
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: info AT domain-contact.org
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Email: info AT domain-contact.org
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Email: info AT domain-contact.org
Billing Name: REDACTED FOR PRIVACY
Billing Organization: REDACTED FOR PRIVACY
Billing Email: info AT domain-contact.org
At least with the DCV approach, I know that the person I am talking to has some level of administrative control over the domain; with WHOIS I now have nothing...
Ask yourself this: Is anything able to get any DCV TLS certificate trustworthy to do business with? Is that enough to know what real-world entity is behind this certificate?
To be clear, I don't believe that either DCV or WHOIS are sufficient on their own. I'm suggesting that, coupled with other mechanisms we already have, DCV provides analogous levels of trust to WHOIS.
In this regard, I'm with Thijs:
On 2021/04/14 12:35, Thijs Kinkhorst wrote:
In short, yes, I believe our procedures, contracts, technical measures AND community individually already provide good guarantees and that all four combined give me a very high confidence in the process.
I'm talking about DCV performed by an individual who has been formally designated as a contact for the organisation responsible for the entity. And that organisation being one with whom there is a direct contractual relationship, and whose identity is verifiable (OV in the PKI analogy). And in a lot of cases, certainly for smaller federations, a person with whom there is an established interpersonal relationship (Thijs's "community" point).
And to extend this to the Azure case, I'm talking about finding an equivalent of DCV to verify the tenant ID used in that entityID that can be coupled with the above to provide a fairly high confidence that the Azure entityID belongs to the organisation claiming it.
Thus far the best I've managed there is to have that individual demonstrate operational control of the tenant over Zoom. Not ideal. Doesn't scale. But doable (and funnily enough, akin to how AATL vendors are doing validation for document signing certs).
Kind regards,
- Guy
--
Guy Halse
Executive Officer: Trust & Identity
Tertiary Education & Research Network of South Africa NPC
Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592