#idcon mini に参加してきた

Identity Conference Mini に参加しました。
 - http://atnd.org/events/36953

今日は、@hdknr さんによる OneID と Self-Issued OP の話と私が SCIM 関係の話をさせてもらいました。

@hdknr さんの OneID、Self Issued OP の話では、 OneID のサービスの話が聴けました。
ざっくりいうと、OP で認証するときに ID / Password の代わりに、スマートフォンを使って認証する、という仕組みのようです。
1.ブラウザで RP へアクセス
2.OneID によりブラウザ上に QR コードが表示される
3.携帯電話で QR コードを読み、OP へ=認証
4.ブラウザへトークンが渡され、RP へアクセス可能

PC と 携帯の間で KeyPair を共有しており、認証済みの携帯で QR コードを使って OneID へアクセスすることで認証とみなす、という形です。

・OP へ渡る属性は暗号化されており、OP の運営者でも内容を参照できない

次に、私が SCIM の話をしました。
若干無理やりではありますが、Windows Azure Active Directory がプロビジョニング API として Graph API を採用しているのは何故か?今後サービスプロバイダは SCIM を使うのが良いのか?Graph を使うのが良いのか?という話をしました。結果的に答えはないのですが、私の個人的な考えとしては、SCIM が目指したのはあくまでスキーマやプロトコルの標準化によるコスト削減や複雑性の低減で、Graph の目指すオブジェクト(ノード)とオブジェクト間の関係性(Edge)の表現とは別お世界であり、今後は現行の SCIM の様に同一レポジトリ内のオブジェクト間の関係(memberとmemberofなど)だけではなく、Federation などによる外部レポジトリ上のオブジェクトとの関係性についても表現することが大切になるのではないか?という話をさせていただきました。



[ADFS2.0] Rollup 3 がリリース


AD FS2.0 Rollup 3 がリリースされています。

これまでの Rollup では機能拡張があったのですが、今回はバグフィックスのみです。
- Rollup 1 / Office365 対応の強化
- Rollup 2 / SAML 仕様対応の強化

  • Issue 1
    • AD FS 2.0 does not issue an ActAs token for a relying party who is using a Security Assertion Markup Language (SAML) 2.0 bootstrap token. When this issue occurs, the following error is generated:
    • System.IdentityModel.Tokens.SecurityTokenException: ID4154: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an InResponseTo value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.
    • After you apply AD FS 2.0 update rollup 3, AD FS 2.0 successfully issues the token in this situation.
  • Issue 2
    • AD FS 2.0 acts as a federation provider and receives an invalid SAML 2.0 signed request (for example, the signature is not valid or the requestor is unknown). In this situation, AD FS 2.0 rejects the request only after it forwards the request to the downstream identity provider and receives a valid SAML response.
    • In order to make sure the validity of the requests that are sent to the downstream identity provider, the expected behavior is that AD FS 2.0 validates SAML requests and rejects any requests that have invalid signatures.
  • Issue 3
    • AD FS 2.0 update rollup 2 introduced strict Uniform Resource Identifier (URI) checking. When AD FS 2.0 acts as a federation provider and trusts an identity provider whose identifier is not an URI, the response that is returned from the identity provider is rejected by AD FS 2.0. The validation fails because AD FS 2.0 tries to validate the value of the identity provider’s identifier. This behavior breaks previously functioning AD FS 2.0 deployments in which identity providers use non-URI identifiers. AD FS 2.0 update rollup 3 removes this URI checking.
  • Issue 4
    • Some relying parties require that signature certificates are applied to the relying party for SAML requests, as signature certificates provide a critical security validation function and are defined in the SAML 2.0 specification. AD FS 2.0 is capable of allowing unique signature certificates to be applied to a relying party trust, but it only allows the same certificate to be applied to one relying party trust per AD FS 2.0 farm. This restriction may allow multiple relying parties to use the same signing certificate for SAML requests. AD FS 2.0 update rollup 3 removes this restriction and allows multiple relying parties to use the same signing certificate for SAML request.
  • Issue 5
    • Consider the following scenario:
    • You use a third-party hardware security module (HSM) to speed up the signing processes.
    • You use the third-party HSM and to generate and store the private keys.
    • The private keys are for AD FS 2.0 signing and for AD FS 2.0 encryption certificates.
    • In this situation, the performance of AD FS 2.0 is not as good as when you use Microsoft CSP. AD FS 2.0 update rollup 3 significantly improves the performance of AD FS 2.0 when HSM is used.
  • Issue 6
    • AD FS 2.0 update rollup 1 introduces the Congestion Avoidance Algorithm. If you accidentally disable the Congestion Avoidance Algorithm by changing the configuration, a handle leak occurs on an AD FS 2.0 federation server proxy every time that the federation server proxy processes a request. AD FS 2.0 update rollup 3 removes the setting that enables you to disable Congestion Avoidance Algorithm by changing the configuration. You can fine tune the Congestion Avoidance Algorithm by adjusting the latencyThresholdInMsec and minCongestionWindowSize settings.

[FIM2010] R2 SP1 リリース後、初の HotFix

早くも HotFix(4.1.3419.0)が出てます。


FIM Synchronization service
  • Issue 1
    • In some cases, the Exchange configuration options on the Active Directory Management Agent do not appear. These options will now always be visible even if Exchange is not detected in the source directory.
  • Issue 2
    • When Exchange post-processing PowerShell cmdlets are run during export on the Active Directory Management Agent, the host process can stop for many reasons. In this case, the Active Directory Management Agent continues the export but does not try to run the Exchange cmdlets. With the changed behavior in this fix, the export run is now stopped so that the process can be restarted from where it ended.
  • Issue 3
    • The Synchronization service crashes in certain scenarios when references to newly created objects are exported into ECMA2 Connector (also known as "reference retry").
  • Issue 4
    • An ECMA1/XMA with call-based export crashes the Synchronization service. This problem occurs in some scenarios in which the following conditions are true:
    • Reference attributes are constantly rejected by the target directory.
    • The Synchronization service is trying to determine which value is causing the problem. It does this by trying to export a multivalued reference attribute as several individual changes (known as "fourth pass reference retry").
  • Issue 5
    • A full import might be stuck at the "Completing-Obsoletions" stage if the obsoletion of an object cascades into the obsoletion of related objects.

FIM service and portal

  • Issue 1
    • If a user who has access to advanced pages for a group (typically, an administrator) made a change to the object in this view, the group would contain invalid members. If the user was trying to delete the group, the system would be in a state in which no additional requests could be processed.

尚、HotFix を適用した後、Syncronization Service で拡張エージェント(ECMA1/ECMA2)を使っている場合に「stopped-extension-dll-load」エラーが出る場合があるので、その場合はちゃんと MIISServer.exe.config ファイルの dependentAssembly セクションを編集して正しいアセンブリのバージョンを参照するように設定してあげる必要があります。

しかし、機械翻訳の「Forefront ユーザー マネージャー 2010 R2」ってやめてほしいですねl。