Yeah, the real step by step guide isn't so bad per se. What it tries to do
is give you a simple path to having an easy demo set up of ADFS going so you
can kick the tires. For that, it is ok. Where it doesn't cross the gap
very well is in providing guidance on how to apply the lessons learned to
real scenarios.
Because ADFS relies on certificates for both SSL/HTTP and the signing of
security tokens, you need certificates to use it. In order to get through
the step by step guide successfully, they chose to use the self-issued
model, as it is really the only simple way to get SSL certs without spending
money or setting up a CA. However, it does leave you with self-signed
certs, which is not where you want to end up.
I think that either the step by step guide needs to provide more guidance
and explanation of the steps and how to apply them, or the other
documentation for ADFS needs to fill this gap. As it stands now, there is
still no good guidance on how to procure your certificates and what the
various trade-offs are for the possible ways to go about this. People who
already know PKI will be able to fill in the details, but many people will
be left scratching their heads.
Perhaps Tomasz and I should blog about this more for now. :)
Joe K.
----- Original Message -----
From: "Tomasz Onyszko" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Sunday, September 24, 2006 3:16 PM
Subject: Re: [ActiveDir] ADFS and certs
Rick Kingslan wrote:
Joe, Tomasz -
Yep, you're right that it may tend to show a bad precedent for people to
follow. I haven't taken a look at these particular labs (and having just
come back from a long hiatus, I didn't see the referenced lab) but is the
guidance there as to what Best or Preferred Practices SHOULD BE?
You can check this lab here:
http://www.microsoft.com/downloads/details.aspx?familyid=062F7382-A82F-4428-9BBD-A103B9F27654&displaylang=en
No, you will not find any guidance on best practices there, and maybe
this is not the best place, but I'm not aware of any other ADFS related
doc which deals in detail with best practices and a description of the usage
of certificates in an ADFS deployment.
If not, I find that a bigger problem than the fact that self-certs are
being used at all.
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx