Meeting the InCommon Assurance profile criteria using Active Directory

["Capehart,Jeffrey D" <>]

During the reading of Bronze, I was reminded to finish my graphic depiction of what I consider to be the proposed “split-personality” view of Active Directory Domain Services when it is used as a verifier for the IdP, the IdMS, and the non-IdP apps at the “IdP Operator”.

 

So here goes:

 

I placed “AD DS” as a special-case of a verifier on the “Identity Management Functional Model” chart from page 4 of the IAAF (section 2, adobe page #7).  The placement straddles the dashed line between “IdMS Operations” and “Idp Operator”.  This placement is based on the specific criteria that if the type of credential secret-passing is different than that used with the IdP, then it is not possible/practical to intercept, replay, or use that particular authentication with the IdP.  Therefore, “half” of AD DS sits outside of the scope of IdMS operations.  ß This might be the part for disagreement.

 

Here’s the revised chart showing the proposed exception in a graphical manner.  If you think this does not fairly represent the proposed out-of-scope interpretation, let me know what changes would do a better job.  Or if you disagree that AD DS does not straddle the line, then original chart in the IAAF is sufficient.  Some of the callout tags might need different text depending on authentication method (i.e. SSL instead of HTTPS; LDAPS has many methods too), but these are just to get the conversation started with the diagram.  The thinking here is that the part outside the dashed line is outside the scope for the IdMS requirements (which would be the NTLMv2/Kerberos, etc.)

 

 

 

Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu