...

  • One of the ways InCommon measures whether encryption is current and trustworthy is to run a Qualys SSL test against the connection endpoints in metadata.
  • Endpoints must be accessible from the public Internet in order to be scanned.
  • If they are behind firewalls, we can't scan them.
  • We scan in batches, and it takes time.
  • Your server could be down for maintenance.
  • If you can scan and get a good score, you are OK.
  • In fall 2021, CTAB hopes to have an improved process for handling a situation where InCommon shows a wrong or "out of date" SSL score.

David B:

  • One community member reported that if you go to the Qualys SSL Labs website to scan, you can only scan port 443.
  • There are other services that will report back on what TLS encryption you have,
  • though it is a less comprehensive report.

...

  • We have a Windows Server running Shibboleth connected to InCommon, and have turned it off because of non-use.
  • Since the BEv2 deadline, we have not seen any issues.
  • We wanted to get this running on ADFS, but cannot seem to get any help in doing so.
  • We really only use InCommon for certificates.


Albert:

  • If you are only using InCommon for the Certificate Service, Baseline Expectations does not apply to you.
  • So you don't need to register an ADFS server in InCommon.
  • Additional info on ADFS:
    • ADFS out of the box does not support some capabilities that federation depends on.
    • It does not consume the metadata aggregate in the format we produce.
    • That can be an operational effort and becomes unsustainable over time.
    • You want to be able to automatically download and consume the metadata.
    • Endpoints and signing keys change.

Comment

  • Trouble getting the IdP updated. Had an old Shib service.
  • Now in published state and meeting baseline.
  • I guess we are OK.
  • Want to use Azure identity services in the future as the SSO system, through enterprise applications; not sure if anyone has gone down that path of using enterprise applications with InCommon.
  • Using a tool called PortalGuard from BIO-key (formerly PistolStar): https://www.bio-key.com/portalguard/
  • Can be set up as a SAML identity provider.
  • Integrated easily.
  • To extend integration, it would be better to get systems using the Azure identity services for single sign-on.

...

  • ADFS, with Azure SSO, won't talk directly to the InCommon federation.
  • Look at a proxy service such as Shibboleth.
  • Hoping for more seamless integration.

Albert:

  • When you use SAML, there is a neutral integration.
  • If you are using Azure, when they work with Microsoft, go with the Microsoft integration.
  • When you plug Azure into the federation, like ADFS, there will be shortcomings.
  • It is not able to process metadata automatically, and won't be able to send certain signals, such as those around MFA.
  • With Azure, you cannot change the entity ID.
  • Microsoft Azure automatically issues an entity ID, and you can't change it.

...