
Subject: Meeting the InCommon Assurance profile criteria using Active Directory

RE: [AD-Assurance] AD:DS "Split-personality" verifier Diagram

Chronological Thread 
  • From: Eric Goodman <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] AD:DS "Split-personality" verifier Diagram
  • Date: Fri, 6 Dec 2013 16:59:17 +0000
  • Accept-language: en-US

Hi Jeff,
I like the general approach, but have content comments.
I don’t think any of the AD-DS verifier sits “outside” of the IdMS Operations, and certainly not outside of the IdP Operator boundaries (don’t know if that was intended, but it does go beyond the IdPO blue area). I think the point is that some of the “arrows” coming OUT of the AD-DS might not be covered by all requirements of the IAP, but am concerned about implying that parts of the authN infrastructure are “not part of the IdMS operations”.
I imagine the non-IdP Apps (well, and the IdP apps) broken into groups based on how they relate to the IAP (i.e., Kerberos/NTLMv2 vs. Plaintext over HTTPS vs. LDAPS/Signed LDAP, etc.), and the arrows to each of those being categorized (probably about three categories, depending on which groups of requirements we think apply).
So a similar approach but (a) some changes to the interpretation of what is “inside” vs “outside” and (b) labeled as much with the relevant IAP sections as with the raw protocol callouts.
I’m willing to do a simple scrawl markup example, but I doubt I’d have anything done before the call in three minutes. :)
(Are we meeting in 3 minutes?)
--- Eric
From: [mailto:] On Behalf Of Capehart,Jeffrey D
Sent: Friday, December 06, 2013 8:23 AM
To:
Subject: RE: [AD-Assurance] AD:DS "Split-personality" verifier Diagram
Sure.  I had thought about that, but the color didn’t change the first time I tried, so I used a different technique.  I gave a spray-painted graffiti look to the split-off part, and put a dotted line down the middle.
From: [] On Behalf Of Ann West
Sent: Friday, December 06, 2013 10:51 AM
To:
Subject: Re: [AD-Assurance] AD:DS "Split-personality" verifier Diagram
Hi Jeff,
A minor suggestion but might be helpful for clarity: can you change the new lines to use a different color?
Thanks,

Ann
On 12/6/13 9:55 AM, "Capehart,Jeffrey D" <> wrote:
During the reading of Bronze, I was reminded to finish my graphic depiction of what I consider to be the proposed “split-personality” view of Active Directory Domain Services when it is used as a verifier for the IdP, the IdMS, and the non-IdP apps at the “IdP Operator”.
So here goes:
I placed “AD DS” as a special-case of a verifier on the “Identity Management Functional Model” chart from page 4 of the IAAF (section 2, adobe page #7).  The placement straddles the dashed line between “IdMS Operations” and “IdP Operator”.  This placement is based on the specific criteria that if the type of credential secret-passing is different than that used with the IdP, then it is not possible/practical to intercept, replay, or use that particular authentication with the IdP.  Therefore, “half” of AD DS sits outside of the scope of IdMS operations.  <-- This might be the part for disagreement.
Here’s the revised chart showing the proposed exception in a graphical manner.  If you think this does not fairly represent the proposed out-of-scope interpretation, let me know what changes would do a better job.  Or if you disagree that AD DS straddles the line, then the original chart in the IAAF is sufficient.  Some of the callout tags might need different text depending on authentication method (i.e., SSL instead of HTTPS; LDAPS has many methods too), but these are just to get the conversation started with the diagram.  The thinking here is that the part outside the dashed line is outside the scope for the IdMS requirements (which would be the NTLMv2/Kerberos, etc.).
Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu