
technical-discuss - Re: [InC-Technical] InCommon Federation with ADFS

Subject: InCommon Technical Discussions


  • From: "Cantor, Scott" <>
  • To: Eric C Kool-Brown <>, "" <>
  • Subject: Re: [InC-Technical] InCommon Federation with ADFS
  • Date: Fri, 3 Nov 2017 17:25:21 +0000
  • Accept-language: en-US

On 11/3/17, 12:48 PM, Eric C Kool-Brown <> wrote:

> I agree with his assessment but I thought I’d expand on the context. ADFS
> 4.0 requires metadata to be served on a TLS endpoint.
> OTOH, it isn’t clear if ADFS verifies the signature on the metadata.

If it did, it would simply be blindly trusting the key used, so it wouldn't
be meaningful. That part is clear from the (lack of) configuration.

> Scott’s valid assertion is that the trust model is based on signature
> validation and not on encryption. There is this industry
> bandwagon that everyone use TLS but silence (or rather lame answers) when
> one asks “why?” Do our cat videos really need to
> be encrypted?

When I spoke of its actual application of the metadata not being compliant,
what I was specifically talking about was lack of support for [1], which
means that the fundamental meaning of the metadata itself is not consistent
between Shibboleth and ADFS. That extends to things like it breaking if the
certificates expire, and more critically, we don't know how much it actually
changes its behavior when it fetches a new copy of the metadata that's
changed. In fact, I've had people tell me that it doesn't even ever refetch
it at all, though I found that hard to believe.

So it's not even so much about the lack of verification, but about the
black box of what it's actually doing with it, making it difficult for me to
know what my changes to the metadata will result in it doing differently.

-- Scott

[1] https://wiki.oasis-open.org/security/SAML2MetadataIOP
