CTAB of Wed. Feb. 20, 2019
Attending
Mary Catherine Martinez, InnoSoft (chair)
David Bantz, University of Alaska
Rachana Ananthakrishnan, Globus, University of Chicago
Tom Barton, University of Chicago and Internet2
Brad Christ, Eastern Washington University
Eric Goodman, UCOP - TAC Representative to CTAB
Adam Lewenberg, Stanford
Jon Miner, University of Wisconsin - Madison
John Pfeifer, University of Maryland
Ann West, Internet2
Albert Wu, Internet2
Emily Eisbruch, Internet2
Regrets:
Brett Bieber, University of Nebraska
Chris Hable, University of Michigan
John Hover, Brookhaven National Lab
Chris Whalen, Research Data and Communication Technologies
DISCUSSION
Steering Representative
- Brad Christ, Eastern Washington University, is the Steering Liaison to CTAB
- Brad chaired the Attributes for Collaboration and Federation Working Group last year
- Welcome Brad
TAC and CTAB Representatives
- InCommon TAC would like a representative from CTAB to join their calls
- TAC calls are bi-weekly on Thursdays (2/28 onwards) at 1:00 PM EST.
- Please let MC know if you are interested.
- Eric Goodman, UCOP, is the InCommon TAC Liaison to CTAB
- Eric served on the MFA Profile working group and other InCommon working groups
- Welcome Eric
Baseline Expectations - Dockets
- Albert will be making additional assignments to CTAB members for outreach to organizations who have not responded around Baseline Expectations
- Albert has added the sponsor information to the wiki for SPs that are non-responsive
- The CTAB member doing outreach should look at the sponsor info
- March 14, 2019 is the final cutoff before the final stage of preparing the list of orgs not meeting Baseline Expectations and submitting the list to Steering for a final decision.
- For completely unresponsive entities, there will be notification of intent to remove the org from metadata.
- There are only 1 or 2 CTAB meetings before March 14, 2019
- Best way to prepare the list for Steering?
- Suggestion that CTAB should recommend what should be done for each case.
- prepare comprehensive recommendations, with information on the risks
- BradC: CTAB should provide maximum guidance on what we are asking Steering to do
Updates from 2019 TIIME Conference in Vienna https://tiimeworkshop.eu/
Baseline Expectations Discussion at TIIME https://tiimeworkshop.eu/proceedings/2019/sessions/session26/
FIM4R session https://indico.cern.ch/event/775478/
At TIIME conference, TomB presented to the FIM4R group. They were impressed with the progress InCommon has made.
Tom presented some of the CTAB roadmap plans
Heard some concerns on the MFA issue.
Concerns that implementation of MFA in Shib IDP (prior to version 3.4) is not trivial. Must do JavaScript things and must be familiar with inner workings.
Version 3.4 of Shib has native Duo inside; this concern about MFA applies to Shib 3.3 and before.
IdP <3.4 with Duo implemented; asserting the REFEDS MFA context if requested did turn out trivial - db, University of Alaska
Other concern: when a research SP wants to express an MFA requirement, some IDPs will say Yes or No, but some IDPs will not know what this is about, and this could lead to a poor user experience
TomB emphasized "collaboration ready" in his presentation to FIM4R group at TIIME.
Research IT people do find appeal in “collab ready”. This might not appeal as much to enterprise IDP people.
There is interest in security issues and also ease of setup
SIRTFI addresses security concerns
Comment: if this phase of the CTAB roadmap is to make organizations "collab ready," everyone has a role to help make that happen.
Analysis TomB did for Attributes WG showed that most campus IDPs do work with Science Gateway SPs
There is widespread use of the Science Gateways, central IT may not always be aware
Next steps for CTAB roadmap
- More fine-grained definition of proposed MFA “ask”
- assign priority to each item, from each stakeholder group perspective
- Need to define the vision clearly. Is “collaboration ready” the ultimate goal?
- Perhaps add “Trusted Collaboration ready,” so adding security protection measures, so SIRTFI also key
- It was noted “Collaboration ready” may need more definition. To be ready to support academic collaboration, this means R&S and SIRTFI
- Rachana noted that Globus could live without MFA, but R&S is required
- DavidB: regarding requirement for Error URL, need greater specificity.
- IDP as a service working group is being spun up by InCommon TAC
- Need easier onboarding to the federation. Would be helpful to have a conversion tool. Though this might be out of scope.
- InCommon TAC has discussed SP Front ending as a service. (A SATOSA or simpleSAML type proxy.) TAC decided that is out of scope for now.
- Comment: may need a connector for those using OKTA or ADFS to assert R&S?
Feedback on proposed CTAB Roadmap from InCommon staff
Albert asked InCommon staff for feedback on CTAB proposed roadmap
Nick Roy responded with concern that in the proposed CTAB Roadmap there are a lot of major requirements in a relatively short timeline.
For example, changes to Federation Manager may require InCommon Staff resources and this will need to be planned for.
Also concerns around MFA and need for clarity around what we would be requiring.
Remainder of Agenda to be discussed on Next CTAB Call:
Connection between Baseline next steps with working group activities
Deployment Profile
OIDC/OAuth Deployment WG
others
Next step?
Logistics
Do we have a call week of Global Summit (March 7)?
CTAB wiki - does anyone have concerns if we move CTAB wiki into its own space?
Next CTAB call: Wed. Feb. 27, 2019