technical-discuss - RE: [InC-Technical] InCommon Federation with ADFS

Subject: InCommon Technical Discussions


RE: [InC-Technical] InCommon Federation with ADFS


  • From: Eric C Kool-Brown <>
  • To: "" <>
  • Subject: RE: [InC-Technical] InCommon Federation with ADFS
  • Date: Fri, 3 Nov 2017 16:47:42 +0000
  • Accept-language: en-US

Hi Folks, I just joined this list so I don’t have Scott’s email but rather am pasting his response, for continuity, from the archives. He said:

> It does not consume it in a manner that is appropriate for the trust model
> used by the federation, nor does it apply the metadata in a way that is
> known, documented, and clearly consistent with the rules of the profile the
> metadata follows.
>
> It is therefore more problematic than if it simply didn't consume it at all.
> Known behavior is better than unknown. That's from the point of view of an
> IdP operator who has to predict the behavior of the systems using it in
> conjunction with my own use of the metadata for describing my system.
>
> -- Scott

I agree with his assessment but I thought I’d expand on the context. ADFS 4.0 requires metadata to be served on a TLS endpoint. OTOH, it isn’t clear if ADFS verifies the signature on the metadata. This is something I’ve been meaning to test but haven’t had the chance. Scott’s valid assertion is that the trust model is based on signature validation and not on encryption. There is this industry bandwagon that everyone use TLS but silence (or rather lame answers) when one asks “why?” Do our cat videos really need to be encrypted?

I wrote a letter to Microsoft about 3 years ago at Keith’s request pointing out the places where ADFS failed to follow the SAML suite of specifications. There has been silence rather than engagement. MS claims to abide by open standards but the reality is that they pick and choose what they want in furtherance of the corporate strategic goals. I know, I used to work there and understand the inbred logic.

So, yeah, I was able to have my test ADFS 4.0 server ingest the metadata aggregate but it required extra steps as noted by Allen and I remain unsure as to whether it did any signature validation. Those extra steps can be one of two things. You could set up a proxy to re-serve the aggregate through TLS. What I did was save the aggregate as a file and then use PowerShell to load it. The former method would facilitate automatic metadata refresh although I could run the PowerShell script as a scheduled task to accomplish the same thing.

Cheers,

Eric Kool-Brown
Software Engineer
University of Washington - IT Infrastructure

 

 



-------- Forwarded Message --------

Subject: [InC-Technical] InCommon Federation with ADFS
Date: Tue, 31 Oct 2017 19:21:10 +0000
From: Allen Hudson
To:

Hello,

I am fully aware that InCommon Metadata was unable to be consumed by previous versions of ADFS without the aid of third-party applications/scripts. However, I was wondering if anyone has had any experiences they can share with ADFS 4.0? Does it still require third-party support, or does it natively consume the metadata? How reliable has it been? Any information would be much appreciated.

Thanks,

Allen Hudson
Assistant Network & Systems Administrator
University of Rio Grande
Campus Computing & Networking
Phone: 740.245.7481
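Eric's message above describes saving the aggregate to a file and loading it with PowerShell, while leaving open whether ADFS validates the aggregate's signature at all. Scott's point is that the federation's trust model rests on that signature, not on the TLS endpoint ADFS insists on. The script below is an added example, not code from the thread or from any of the posters: it verifies the XML signature of a saved aggregate against a pinned signing certificate, rejects the file if its `validUntil` has passed, and only then calls the ADFS cmdlets to load it, so the outcome no longer depends on what ADFS may or may not check internally. The file paths, the pinned thumbprint and the trust name are placeholders, and `Add-AdfsClaimsProviderTrust` / `Update-AdfsClaimsProviderTrust` with `-MetadataFile` are assumed as the loading step, since the thread does not say which cmdlets were used.

```powershell
<#
  Added example (not code from the thread or from any poster): verify a saved
  InCommon-style metadata aggregate before handing it to ADFS.
  Assumptions: the paths, pinned thumbprint and trust name below are
  placeholders; Add-/Update-AdfsClaimsProviderTrust -MetadataFile are the
  ADFS cmdlets assumed for loading a metadata file.
#>
param(
    [string]$AggregatePath    = 'C:\incommon\InCommon-metadata.xml',  # placeholder
    [string]$SigningCertPath  = 'C:\incommon\inc-md-cert.pem',        # placeholder: cert obtained out of band
    [string]$PinnedThumbprint = 'REPLACE-WITH-PINNED-THUMBPRINT',     # placeholder: refuse to run until set
    [string]$TrustName        = 'InCommon Federation'                  # placeholder
)

Add-Type -AssemblyName System.Security

function Get-MetadataDocument {
    param([string]$Path)
    # PreserveWhitespace matters: canonicalization must see exactly what the
    # federation signed, or the reference digest will not match.
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($Path)
    return $doc
}

function Test-MetadataSignature {
    param(
        [System.Xml.XmlDocument]$Doc,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $nsmgr = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $nsmgr.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Only a ds:Signature that is a direct child of the root is the aggregate's
    # signature; per-entity signatures deeper in the tree do not count.
    $sigNodes = $Doc.DocumentElement.SelectNodes('ds:Signature', $nsmgr)
    if ($sigNodes.Count -ne 1) {
        throw "expected one root-level ds:Signature, found $($sigNodes.Count)"
    }

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($Doc)
    $signedXml.LoadXml([System.Xml.XmlElement]$sigNodes[0])

    # The single reference must cover the root element (URI "#<root ID>");
    # a valid signature over some inner element would otherwise pass.
    $rootId = $Doc.DocumentElement.GetAttribute('ID')
    $uris = @($signedXml.SignedInfo.References | ForEach-Object { $_.Uri })
    if ($uris.Count -ne 1 -or [string]::IsNullOrEmpty($rootId) -or $uris[0] -ne "#$rootId") {
        throw "signature reference [$($uris -join ',')] does not cover the root element (#$rootId)"
    }

    # Verify with the pinned certificate only; KeyInfo embedded in the document
    # is ignored, which is the whole point of pinning.
    return $signedXml.CheckSignature($Cert, $true)
}

function Test-MetadataValidUntil {
    param([System.Xml.XmlDocument]$Doc)
    $validUntil = $Doc.DocumentElement.GetAttribute('validUntil')
    if ([string]::IsNullOrEmpty($validUntil)) {
        throw 'root element carries no validUntil; refusing to load unbounded metadata'
    }
    $expires = [DateTime]::Parse($validUntil,
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    return ($expires -gt [DateTime]::UtcNow)
}

# --- main ---
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)
if ($cert.Thumbprint -ne $PinnedThumbprint) {
    throw "signing certificate thumbprint $($cert.Thumbprint) does not match the pinned value"
}

$doc = Get-MetadataDocument -Path $AggregatePath
if (-not (Test-MetadataSignature -Doc $doc -Cert $cert)) {
    throw 'aggregate signature did not verify; not loading it into ADFS'
}
if (-not (Test-MetadataValidUntil -Doc $doc)) {
    throw 'aggregate validUntil has passed; not loading stale metadata'
}
Write-Host "signature and validUntil OK for $AggregatePath; loading into ADFS"

# Only a verified, unexpired file reaches ADFS. Create the trust on first run
# and refresh it afterwards; a scheduled task can call this script for refresh.
if (Get-AdfsClaimsProviderTrust -Name $TrustName -ErrorAction SilentlyContinue) {
    Update-AdfsClaimsProviderTrust -TargetName $TrustName -MetadataFile $AggregatePath
} else {
    Add-AdfsClaimsProviderTrust -Name $TrustName -MetadataFile $AggregatePath
}
```

Two design choices are worth spelling out. The signing certificate is pinned by file and thumbprint rather than chain-validated, because the federation's metadata signing key is a long-lived trust anchor distributed out of band, not something a public CA vouches for; `CheckSignature($Cert, $true)` therefore deliberately ignores any `KeyInfo` carried inside the document. And the reference URI is checked against the root element's `ID` before the signature is accepted, since a signature that verifies but only covers an inner element says nothing about the aggregate as a whole. Running this from a scheduled task gives the periodic refresh Eric mentions while keeping the verification step explicit and logged, which is the "known behavior" Scott asks for.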
 
 


