[AD-Assurance] AD:DS "Split-personality" verifier Diagram
List: ad-assurance (Meeting the InCommon Assurance profile criteria using Active Directory)
- From: "Capehart,Jeffrey D"
- Subject: [AD-Assurance] AD:DS "Split-personality" verifier Diagram
- Date: Fri, 6 Dec 2013 14:55:56 +0000
During the reading of Bronze, I was reminded to finish my graphic depiction of what I consider to be the proposed "split-personality" view of Active Directory Domain Services when it is used as a verifier for the IdP, the IdMS, and the non-IdP apps at the "IdP Operator". So here goes: I placed "AD DS" as a special case of a verifier on the "Identity Management Functional Model" chart from page 4 of the IAAF (section 2, Adobe page #7). The placement straddles the dashed line between "IdMS Operations" and "IdP Operator".

This placement is based on the specific criterion that if the type of credential secret-passing is different from that used with the IdP, then it is not possible/practical to intercept, replay, or use that particular authentication with the IdP. Therefore, "half" of AD DS sits outside of the scope of IdMS operations. <-- This might be the part for disagreement.

Here's the revised chart showing the proposed exception in a graphical manner. If you think this does not fairly represent the proposed out-of-scope interpretation, let me know what changes would do a better job. Or if you disagree that AD DS does not straddle the line, then the original chart in the IAAF is sufficient. Some of the callout tags might need different text depending on the authentication method (i.e. SSL instead of HTTPS; LDAPS has many methods too), but these are just to get the conversation started with the diagram. The thinking here is that the part outside the dashed line is outside the scope for the IdMS requirements (which would be NTLMv2/Kerberos, etc.).

Jeff Capehart, CISA |