CTAB Call August 8, 2023
Attending
- David Bantz, University of Alaska (chair)
- Warren Anderson, LIGO
- Tom Barton, Internet2, ex-officio
- Matt Eisenberg, NIAID
- Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Kyle Lewis, Research Data and Communication Technologies
- Jon Miner, University of Wisc - Madison (co-chair)
- Andy Morgan, Oregon State University
- Kevin Morooney, Internet2
- Rick Wagner, UCSD HERE
- Albert Wu, Internet2
- Harsh P Biscuitwala from Alfa Jango, in place of Johnny Lasker, Internet2
- Emily Eisbruch, Independent, scribe
Regrets
- Pål Axelsson, SUNET
- Ercan Elibol, Florida Polytechnic University
- Mike Grady, Unicon
- Scott Green, Eastern Washington U
- Meshna Koren, Elsevier
- Johnny Lasker, Internet2
- Andrew Scott, Internet2
- Ann West, Internet2
Discussion
- Internet2 Intellectual Property reminder
- Agenda Bash
Working Group Updates
- InCommon TAC
- Reviewed and approved a proposed technical change to the signing process for metadata (made to address breaking changes in how CAs are handling certain certificate types)
- Discussed NIST/CACTI meeting and thoughts (update and discussion, but no call to action)
- Reviewed TechEx proposed sessions and content
- SEPWG - SIRTFI Exercise Working Group
- Conducted practice exercise with SEPWG members
- Call for Participation documents are being drafted; plan to submit a blog post to Apryl Motley by next week, with email announcements for the CFP (including a link to the signup form) also targeted for release next week
- Conducted IAM online on ‘how to Sirtfi’ on 19 July, over 50 attendees
Updates from the quarterly cross-chairs meeting
- John Krienke and Albert have been working on proposed adjustments on how the InCommon Federation operates, to adjust to current trends
- creating a proposal document, called "this old house," that will go to InCommon Steering for review
- One area for improvement:
- We currently assume campus IAM office will be single point of contact for InCommon
- Exec and two site admins are responsible for all changes to IDPs and SPs
- But some site admins don’t know about all the SPs that are registered
- Hope to engage with application teams (the SP operators)
- Proposal to change model slightly so that SP operators can become metadata admins
- There are some regional support organizations joining InCommon
- They want to orchestrate on behalf of member organizations
- Similar to the single-campus model versus a department model
- Proposal takes us closer to how EDUROAM operates
- Also the proposal addresses sponsored partners
- Sponsored partners currently need a letter from an existing Higher Ed member
- But is this still a needed practice?
- There will be impacts to the InCommon Participation Agreement if the proposals are adopted
- Question: how does the “middle thing” paper relate to this?
- Answer: likely “this old house” and “middle things” will converge
- Middle things is an InCommon TAC group, being led by Ken Klingenstein, David Walker, Tom Barton, Mark Rank, and Albert Wu
- Question: Is CTAB endorsement going to be needed for This Old House?
- Kevin: Hoping groups like CTAB have visibility and will weigh in on the proposed document and help shape it
- David: let's schedule a run-through of the This Old House document at a CTAB meeting
Next Steps for Federation maturity
- Need to better define the work for each of the top priorities identified in the Mural collaboration and discussions
- Entitlements - success stories, more
- Federation Support / purpose|value for smaller (non-R1) schools
- SaaS providers' conflicting models
- Context and background:
- Baseline Expectations has been successful
- At this point, moving forward in increasing trust in federation, the bar probably should not be all or nothing anymore
- We should give guidance on how to do things (such as MFA, for example)
- Noted that REFEDS Assurance Framework (RAF) v2 will be finalized in 2023
- When the RAF assurance guidance doc finishes consultation stage and is final, updating the assurance guidance will be a priority
- Important questions to decide work items:
- What do we want to accomplish? What does success look like?
- When do we want to conclude the work?
- Who should be involved? / How do we want to do this work?
Note: the remainder of the call focused on discussing/defining potential CTAB work around Entitlements
- Entitlements - success stories, more?
- We all have some SPs who need info about which users have which abilities and roles
- There are a variety of ways of managing roles, through group management or eduPersonEntitlement
- There is a lack of consistent standards
- Providing examples will be valuable
- Would be helpful to share good, extensible procedures
- REFEDS best practices: https://wiki.refeds.org/display/FBP/Federated+Authorization+Best+Practices
- Eric: Seems like there are three aspects/questions being discussed
- Managing who has what permissions (e.g., grouper, etc.). An internal infrastructure point
- How is it expressed? Using SAML or other mechanisms.
- How frequently does it occur that an SP out of the IDP scope of influence is interested in consuming entitlements from the IDP?
- I.e., what kind of information would CTAB want to recommend/establish standards for signaling between organizations outside? vs advice about how to convey this information within an organization
- Tom:
- Some people think federation is mostly about authentication
- Access management could be a next service for federation
- Could an SP operator add an entitlement?
- Best addressed with new ability to delegate access management?
- Andy: OSU performs access control at IDP level for some applications, versus passing along an entitlement value.
- There is overlap with provisioning of accounts
- Albert: similarities to proxies, which is being discussed by the middle things group
- Tom: have a proxy service offered by federations? Verifiable credentials. Many more sources of authority in federated context
- David: concern about expanding the issue to include entitlements and authorizations more generally; it could become an unmanageable task
- Andy: entitlements versus attribute release
- There are many bilateral use cases
- What is the federation-wide role for entitlements?
- David: best practices to make your IDP and SP work better together are needed for campus IAM practices
- This is more a matter of providing advice on internal practices around bilateral relationships
- Warren: entitlements are particular to the SP involved.
- SAML is a way to transmit info. LIGO uses a proxy or Attribute Authority, but I don't see how that scales outside of a single organization very well.
- Everybody in the federation cares about this, but is this something CTAB should tackle?
- Albert: should we have an exploratory group to define this topic?
- Use next CTAB call to continue the discussion or spin up a subgroup
- Look for an email from Albert on this
- Also, this could be an ACAMP discussion topic
- Discuss on a future CTAB call:
- Federation Support / purpose|value for smaller (non-R1) schools
- SaaS providers’ conflicting models
Next CTAB Call: Tuesday, August 22, 2023