Meeting the InCommon Assurance profile criteria using Active Directory

[Brian Arkills <>]

Yesterday, Microsoft released a new version of their DirSync tool. This new version supports password synchronization from your on-premise AD. This allows enterprises that don't want to use federated authentication nor manage two sets of passwords to have a single password for their users.

 

I think we've talked briefly about this possibility in the past, but my recollection is foggy. In any event, there's some detail at http://technet.microsoft.com/en-us/library/dn246918.aspx, where a key phrase is:

 

"When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services. Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory. The digest of the password hash cannot be used to access resources in the customer's on-premises environment."

 

I don't think we should include this scenario in the core portion of the revised cookbook document, but I do think we should mention it and note that those who choose to use this option should consider the implications.

 

-B