Ping Federate, Microsoft Online Signin Assistant, Kerberos bindings

Between the Guardian and Mr Snowden, folks now realize that ALL passwords are currently in NSAs data bank – available for “use”. And so is your windows update description of your PC (down to the last driver). A back channel in the OS (windows and android alike) allows a hidden trust key to be introduced that spoofs certs (for introducing false drivers, false firmware, false microcode updates of the Intel CPU) particularly when talking to https sites The ability to falsify the code such as https channel binding tokens is crucial (so one can cannot easily detects the https MITM) – that’s makes SSL useless.

One sees the dilemma in the following slide (from Microsoft): all the devices still user username/password to logon!


NOw, the same slide deck complains about Ping Federate NOT support windows integrated authentication (that which allows kerberos or NTLM tickets to authenticate you). While it may be true about NTLM, I made Ping Federate do the kerberos trick (at least when working with my own wstrust client that had the right kerberosWSTrust bindings set).

So why are Ping not making a point of all this? since it makes the username/password issue go away in the office365 world, since the microsoft online assistant can now be converting the kerberos ticket issued by the local AD into a security token issued by the local ADFS (in its kerberos endpoint)

ready for presentation to the Microsoft Online proxy for Exchange ONline.

Ill assume that this is because it too close to the solutions provided to Ping military/police customers – and there are lots of secrets at stake (that they get closed what the password crap forces to stay open and vulnerable…for the rest of us)



About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in office365, pingfederate, spying. Bookmark the permalink.