
Subject: Meeting the InCommon Assurance profile criteria using Active Directory

RE: [AD-Assurance] AD:DS "Split-personality" verifier Diagram


Chronological Thread 
  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] AD:DS "Split-personality" verifier Diagram
  • Date: Fri, 6 Dec 2013 16:23:04 +0000
  • Accept-language: en-US

Sure.  I had thought about that, but the color didn’t change the first time I tried, so I used a different technique.  I gave a spray-painted graffiti look to the split-off part, and put a dotted line down the middle.

From: [mailto:] On Behalf Of Ann West
Sent: Friday, December 06, 2013 10:51 AM
To:
Subject: Re: [AD-Assurance] AD:DS "Split-personality" verifier Diagram

Hi Jeff,

A minor suggestion but might be helpful for clarity: can you change the new lines to use a different color?

Thanks,

Ann

On 12/6/13 9:55 AM, "Capehart,Jeffrey D" <> wrote:

During the reading of Bronze, I was reminded to finish my graphic depiction of what I consider to be the proposed “split-personality” view of Active Directory Domain Services when it is used as a verifier for the IdP, the IdMS, and the non-IdP apps at the “IdP Operator”.

So here goes:

I placed “AD DS” as a special-case of a verifier on the “Identity Management Functional Model” chart from page 4 of the IAAF (section 2, adobe page #7).  The placement straddles the dashed line between “IdMS Operations” and “IdP Operator”.  This placement is based on the specific criteria that if the type of credential secret-passing is different than that used with the IdP, then it is not possible/practical to intercept, replay, or use that particular authentication with the IdP.  Therefore, “half” of AD DS sits outside of the scope of IdMS operations.  ← This might be the part for disagreement.

Here’s the revised chart showing the proposed exception in a graphical manner.  If you think this does not fairly represent the proposed out-of-scope interpretation, let me know what changes would do a better job.  Or if you disagree that AD DS does not straddle the line, then the original chart in the IAAF is sufficient.  Some of the callout tags might need different text depending on authentication method (i.e. SSL instead of HTTPS; LDAPS has many methods too), but these are just to get the conversation started with the diagram.  The thinking here is that the part outside the dashed line is outside the scope for the IdMS requirements (which would be the NTLMv2/Kerberos, etc.).

Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu
