Minutes: COmanage-TAC call 16-Sept-2011
Attending:
Heather Flanagan, Internet2 (Chair)
Ken Klingenstein, Internet2
Benn Oshrin, Internet2
Scott Koranda, U. Wisc-Milwaukee
Steven Carmody, Brown
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
Carry Over Action Items
[AI] (Heather) will check that everything in simple glossary is also in MACE glossary. https://spaces.at.internet2.edu/display/macepaccman/Another+Glossary+Page
[AI] (Steven) will send Ken details on the Commerce Dept. safe harbor issue.
[AI] (Keith) will check whether the Project Bamboo IAM infrastructure work plan is available on the wiki, and if yes, he will send the group a link.
[AI] (Ken) will send out a link to the Eve Maler presentation from the July 2011 Cloud Identity Summit.
[AI] (Keith) will start a problem statement on the need for a "virtual Switzerland."
[AI] (Keith) will send a pointer to OpenSearch information.
[AI] (Ken) will provide a link to the French listing regarding applications and sets/bundles of attributes.
[AI] (Steven) will develop a one-page write-up on attribute aggregation.
DISCUSSION
2011 Fall Member Meeting Planning
http://events.internet2.edu/2011/fall-mm/agenda.cfm
COmanage Working Group:
- Monday, Oct 3 @ 12:00 PM - 1:00 PM, room 306B
Goal of WG session:
- Review current roadmap and discuss any major changes in landscape that could impact COmanage development
- Would like to reinvigorate the collaboration with international partners.
Track Session on Wednesday
- Wednesday, Oct 5 @ 4:30 PM - 5:30 PM: Unravelling the Pain of Collaboration: a look at common challenges and new solutions to the issue of trust, service, and support of collaborative organizations.
Speakers:
Heather Flanagan, Internet2
Scott Koranda, University of Wisconsin-Milwaukee
Remco Poortinga-van Wijnen, SURFnet
Capturing the use cases around account linking
Heather has started to capture use cases for account linking at: https://spaces.at.internet2.edu/display/fedapp/Account+Linking
- Scott noted that LIGO is interested in account linking use cases related to linking between institutional identities using social identity
- An example is people making transitions between two institutions where a gap occurs, during which time the person needs access to LIGO resources.
- The current nervousness about trusting social identity could be reduced in the future with Google two-factor identities
- Eventually account linking of multiple federated identities will be important for LIGO
- Over time people will want to use their campus identities to access LIGO resources, and those campus identities will have to be linked to the LIGO identity
- An issue is that some actions in LIGO -- related to command line tools -- can only be accessed with a Kerberos ticket (SAML can be used when the command line is not involved)
- It will not be possible to use the campus identity for the Kerberos ticket; LIGO credentials will be required
- The closer you get to affecting the instrument, the more likely you will need 2-factor authentication
- Steven reported that account linking has been discussed on the Social Identity calls.
- One issue is recognizing that a social account and an enterprise account belong to the same person
- Keith is looking at those use cases as part of Project Bamboo
Ken's Report
- Some shift is being seen internationally with federation being branded within the collaboration umbrella
- This could be an indicator of how federations will be seen in the future, more as enablers.
- It is hoped that when a permanent Internet2 VP for Net+ is in place, it will be possible to engage in discussions about Internet2 offering a service instance of COmanage
- Some discussions have taken place with folks at NSF who are interested in virtual panels.
- There is alignment between virtual panels and COmanage work
- We may want to create a COmanage service instance that could incorporate the virtual panel concept.
- For this, it would be important to have a video modality into the COmanage platform
- There is continuing interest within Internet2 regarding non web apps
- The UK is pushing the Radius approach
- Chris Phillips' blog compares Shib with ECP to the Moonshot approach: http://digitalinnovators.wordpress.com/2011/09/13/browserless-fed-signon-tech-contrasted/
- OpenID Connect is another approach getting much attention
- Ken noted that some rebelled against the complexity of SAML, but now OpenID Connect involves much of the same complexity concerning handling attributes and trust issues.
- OpenID Connect announced a Discovery 1.0: http://openid.net/specs/openid-connect-discovery-1_0.html
- OpenID Connect also announced an operational attribute authority -- you pass it info on an identity and it returns a trusted value for the address of the identity; LOA not certain
- There is some concern about the Net+ services being rolled out -- those services may be using the word "federated" on their websites but actually have a proprietary approach.
- Hope to capture lessons learned from rollout of the Net+ services
- Net+ offerings as currently envisioned will not be directly offered to VOs; however, VOs may be able to obtain access to the Net+ services via a sponsoring institution
- In the current REFEDS workplan, domestication of apps is a big piece
- Inside REFEDS, the conversation is moving from AUTHN to all of the other values
- At the recent REFEDS meeting in Helsinki, there was consensus that group management is inside the REFEDS space
- This gives us ability to approach vendors with a common approach around domestication
- COmanage may be the architectural paradigm that applications will need to fit into
LIGO and InCommon
There is a desire to move forward with InCommon membership for LIGO, after some delays related to contractual liability issues
Emily will set up a call for JohnK and ScottK and Ken to discuss. (DONE)
Next COmanage Meeting: Monday, Oct. 3 at 2011 FMM in Raleigh at noon ET
Next COmanage TAC Call: Friday, Oct. 14 at 2pm ET