18 May 2011
Building Identity Trust Federations Conference Call
May 18, 2011
1) In Attendance
- Suresh Balakrishnan (University System of Maryland)
- David Bantz (University of Alaska)
- Mark Beadles (OARnet)
- Paul Caskey (University of Texas System)
- Paul Erickson (University of Nebraska-Lincoln)
- Larry Gilreath (Microsoft)
- Michael Hodges (University of Hawaii)
- Keith Hazelton (University of Wisconsin-Madison)
- Dave Jaskie (University of Wisconsin -Milwaukee)
- George Laskaris (NJEDge.Net)
- Eric Olson (University of Florida)
- Rodney Petersen (EDUCAUSE)
- Tom Piket (Minnesota State Colleges & Universities)
- Mark Rank (University of Wisconsin -Milwaukee)
- Keith Runkle
- Mark Scheible (MCNC)
- Steve Scholz
- Craig Stephenson (University of Wisconsin-Madison)
- Jack Suess (UMBC)
- Steve Thorpe (MCNC)
- Valerie Vogel (EDUCAUSE)
- Ann West (Internet2/InCommon)
- Jason White (Iowa State University)
- Mike Wiseman (University of Toronto)
- Dean Woodbeck (InCommon/Internet2)
2) Integrating Active Directory Federation Services (ADFS) with Federation Trust Services (Paul Caskey, University of Texas System)
- Today's slides: USFeds-Call_5-18-2011.pptx
- Speakers: Paul Caskey is CTO at the University of Texas System and Larry Gilreath is a Technology Specialist at Microsoft.
- ADFS can be an identity provider and service provider at the same time. SharePoint sees ADFS as an IdP, but Shibboleth sees ADFS as an SP.
- ADFS does have a robust scripting environment.
- Note: Security Token Service (STS) = IdP
- UT System is currently using ADFS strictly as a service provider. They haven't tried using it as an IdP (they currently use Shib, which they're happy with and which integrates well with Active Directory). They've been in the testing phase for 6-9 months.
- First application for this will be SharePoint 2010, followed by Office 365.
- In the future, ADFS support will be built in, so they'll consider this for any future applications that come with ADFS SSO support.
- Background: SharePoint 2007
  - They operate a large SharePoint 2007 installation, widely used by every member of the UT System Federation. It's also used externally by a variety of entities (most of whom use ProtectNetwork to log in). They even sell SP sites to other campuses within the UT System.
  - Paul noted that CIC shared their code when they started this project.
  - Based on a custom form-based authentication with Shibboleth integration.
  - Authorization is a multi-step process for users (validation by site owner). Still easier than the first install with separate user name and password. (The first install was not used as much as this one because people forgot their user names/passwords.) No "automatic" authorization (no attribute-based groups).
  - Despite some issues, overall it's a great collaborative tool and the users are very happy.
- SharePoint 2010: ADFS
  - Everything will be "claims-based" through ADFS (hopefully). No more dual sites for the same content.
  - Better onboarding for IdPs
    - Anonymous page to describe the process and required/desired attributes
    - "All authenticated users" page to verify asserted attributes
  - Automatic authZ (group membership) based on attributes/claims
    - eduPersonAffiliation, eduPersonEntitlement
  - The only custom code is an HttpModule which hooks the 'OnSignedIn' event in the ADFS module
    - Pushes asserted personal info attributes into the SP User Profile
  - They also customized the ADFS "Home Realm Discovery" to mimic the Shibboleth Discovery Service (for user familiarity)
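The "automatic authZ based on attributes/claims" item above is, on the ADFS side, a matter of claim rules: the eduPerson attributes asserted by a Shibboleth IdP have to be accepted on the claims provider trust and then turned into role claims on the SharePoint relying party trust, so that SharePoint can grant group membership by affiliation or entitlement instead of per-user approval by a site owner. The following ADFS 2.0 PowerShell script is an added illustration written for these notes, not code from the UT System deployment or from the slides. The trust display names, the entitlement URI and the role value it maps to are assumptions; the eduPerson attribute names are the standard SAML 2.0 OID URIs for eduPersonAffiliation and eduPersonEntitlement, and the role claim type is the standard Microsoft one.

```powershell
# Added example (not from the UT System presentation): ADFS 2.0 claim rules that pass
# eduPerson attributes from a Shibboleth IdP (claims provider trust) through to
# SharePoint 2010 (relying party trust) and derive role claims from them.
# Trust names, the entitlement URI and the role value below are assumptions.
Add-PSSnapin Microsoft.Adfs.PowerShell

# Standard SAML 2.0 attribute names (eduPerson OIDs) and the Microsoft role claim type.
$affiliation = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'   # eduPersonAffiliation
$entitlement = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'   # eduPersonEntitlement
$roleClaim   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# Acceptance rules on the claims provider trust: only these two incoming attributes
# are let through unchanged; anything else the IdP asserts is dropped here.
$acceptanceRules = @"
@RuleName = "Pass through eduPersonAffiliation"
c:[Type == "$affiliation"]
 => issue(claim = c);

@RuleName = "Pass through eduPersonEntitlement"
c:[Type == "$entitlement"]
 => issue(claim = c);
"@

# Issuance rules on the SharePoint relying party: every affiliation value becomes a
# role claim (e.g. "faculty", "student"), and one specific entitlement URI (assumed
# value) becomes an additional role. A user whose IdP asserts neither is still
# authenticated but receives no role claim, hence no automatic group membership.
$issuanceRules = @"
@RuleName = "eduPersonAffiliation -> role"
c:[Type == "$affiliation"]
 => issue(Type = "$roleClaim", Value = c.Value);

@RuleName = "Collaboration entitlement -> role"
c:[Type == "$entitlement", Value == "urn:mace:example.edu:entitlement:sharepoint-collaborator"]
 => issue(Type = "$roleClaim", Value = "sharepoint-collaborators");
"@

# Apply the rule sets to the two trusts (display names are assumptions).
Set-ADFSClaimsProviderTrust -TargetName 'Example Shibboleth IdP' -AcceptanceTransformRules $acceptanceRules
Set-ADFSRelyingPartyTrust   -TargetName 'SharePoint 2010'        -IssuanceTransformRules   $issuanceRules
```

On the SharePoint side the trusted identity token issuer then has to map the role claim type above to a claim it treats as a role; the rules here do nothing about the People Picker problem noted below, since a claims-mode picker will still resolve any typed string regardless of which claims ADFS actually issues.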
- Current Issues/Concerns (SharePoint 2010: ADFS)
  - People Picker mode
    - Claims mode resolves anything, even typos
    - Site collection mode resolves only existing users
    - Might need a custom claims provider
  - Configuring claims-based groups
    - People Picker must be in Claims mode (but it remembers what you set)
  - Possibility of "internal things" maybe still relying on NTLM
- Useful URLs
- UT System Federation Policy Background
  - UT Federation has been in production operation since 9/2006 (17 entities). All members are contractually bound. Some external participants are inter-federated from InCommon.
  - Policy documents, the Federation Operational Practices (FOP) and Member Operational Practices (MOP), are available at: https://idm.utsystem.edu/utfed
  - UT System established a quasi-LOA2
    - Never validated by an external authority, but suitable for our needs
    - Currently re-writing for Silver/FICAM2
  - Current effort with system-wide research cyberinfrastructure likely to drive need for LOA3
  - Working to institutionalize (across the UT System) formal IdM auditing (so far, federation LOA assessments have been self-asserted)
  - Q: Are you asserting who is LOA2 in an attribute? A: Yes, eduPersonAssurance.
Next Call: June 15