Date, Time, and Location

Thursday, October 22, 2020
1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT

Minutes


October 22, 2020

Attending: Janemarie Duh, Keith Wessel, Mary McKee, Matthew Brookover, Heather Flanagan, Eric Kool-Brown, Matthew Economou, Eric Goodman, Mark Rank

With: Nic Roy, Albert Wu, Ann West, Jessica Fink, Johnny Lasker, Shannon Roddy, David Walker, IJ Kim, Les LaCroix (CACTI rep to TAC), Kevin Morooney

Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.

Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.

Announcement

Ian Young is stepping down as a standing TAC subject-matter expert, but is open to being invited to calls as needed.

T&I and Ops Updates 

SP Encryption Signaling - Ops is working on the initial release based on the TAC recommendation for allowing SPs to signal support for CBC/GCM ciphers in metadata. The plan is for a phased roll-out, then release it more widely along with communications and documentation for site admins.

Mailto change metadata issue - Some hard-coded carriage returns caused metadata issues with the mailto: change. Nic Roy drafted an after-action report describing the problem and solution. 

CAMP/ACAMP - To date, 79 have registered for CAMP/ACAMP (including 13 staff). The program should be published next week.

International Update

APAN saw a successful transition to a virtual format where the Identity and Access Management Task Force (TF-IAM) had several days of presentations and updates. Internet2’s upcoming TechEXtra will be another opportunity to explore a virtual format where we can gather and catch up on the latest trends and efforts in the identity federation universe. 

TNC will happen in some form in 2021, and the call for papers is open now. See the recent article in GÉANT’s Connect magazine for more information. As for a REFEDS meeting at TNC21, stay tuned! Just like everyone else, we’re waiting for the information in February as to whether TNC21 will include an in-person event or instead be purely virtual. We will be in a better position to determine when and how to have the next REFEDS meeting after we know what TNC21 will do.

General REFEDS topics that impact the R&E federation community and don’t otherwise have a home in an active working group are posted on this mailing list (https://lists.refeds.org/sympa/info/refeds). For items that are more along the lines of a quick question, people generally use the REFEDS Slack channel within the eduGAIN workspace (https://edugain.org/slack). Several of the working groups have Slack channels as well; post to the working group list for more information.

In addition to general topics relating to identity federation in R&E, REFEDS currently has seven active working groups:

In case you missed the announcement back in July, the Best Practices in Error Handling working group concluded its work with the publication of “SAML V2.0 Metadata Deployment Profile for errorURL Version 1.0”.  The mailing list will remain open in case anyone has questions or discussion topics to raise about the specification, but for now, all is quiet on that front.

An informal poll last month indicated that the community is interested in a full-scale review of the R&S entity category that includes coming to resolution on the identifier issues as well as cleaning up any other remaining areas of concern. 

SeamlessAccess update

SeamlessAccess is seeing an increase in the larger publishers using the service. Elsevier’s ScienceDirect is just the tip of the iceberg for that organization; they have hundreds of other journals and services that will be implementing SeamlessAccess in the next year. Taylor and Francis is expected to roll out a SeamlessAccess integration later this year, as is IOP Publishing via OpenAthens.

As a result of the increased usage of SeamlessAccess, we are seeing an increase in complaints of what appear to be duplicate entries (from the user’s perspective) of institutions in the metadata. In every case so far, this is a result of the institution as a whole having joined a national federation, and their library having joined OpenAthens. The OpenAthens service offers a very powerful feature that makes it extremely compelling to libraries: it essentially acts as a proxy server so that librarians can add publishers and other SPs that are not part of a larger federation (or that only use IP address authorization) to their own WAYF. SeamlessAccess is in discussion with OpenAthens to see if there is a way to encourage OpenAthens and its members to offer a visually distinct entityID for library services so we can avoid this unfortunate user experience.

TAC Nominations update 

There was discussion about the nominations process and the nominations received thus far. Another reminder will be sent to various lists, including encouragement for self-nomination.

IdP as a Service Working Group

The working group is not recommending a one-size-fits-all solution; instead it looked at specific use cases meant to solve a primary problem other than federation. While the goal is to make federation participation more successful, the WG discovered that this is often a byproduct and not the main goal.

The WG has documented these use cases:

  1. Lightest-touch
    1. Federation adapter approach: my on-campus SSO solution doesn’t support multilateral federation, so adapt it to the federation.
  2. Full SAML SSO
    1. Both intra-campus SSO and federated SSO
    2. Replacing legacy SSO for example
    3. Would like it managed, in the cloud, but take advantage of InCommon federation
    4. Don’t outsource the directory/credential management, just the IdP
  3. Full SSO solution that also hosts credentials and attributes
    1. Synchronization with on-campus directory or
    2. Everything is in the cloud
    3. Kitchen sink: I want everything in the cloud. The WG isn’t targeting this. IdP as a Service isn’t a complete IAM solution; it puts authentication in the cloud, whereas these people want their entire IAM stack in the cloud.

The WG is looking to suggest that InCommon develop a federation-ready IdP solution set: which products exist in the market today that InCommon would bless as federation-ready?

  1. InCommon should be able to position things so that deployers don’t need to run everything themselves. InCommon participation should be very approachable.
  2. Recommend vetted products to these deployers based on their use cases.
  3. Will be helpful to both deployers and solution providers.
  4. Provide solution providers a target they have to hit.

Phased approach:

  • Push the federation connector use case first; starting here covers a lot of ground as an easy win. Examples: Azure AD proxy, Okta proxy, etc.
  • The report also calls out that a “federation-ready IdP” isn’t necessarily “the best product you could use by any metric for any use case.”
  • Synergies with other projects/programs (including NET+) should be explored.
  • Also adjacent to NET+ activity: the Cloud Scorecard Working Group. That tool (the scorecard) in and of itself could become a new NET+ service.

Recommendations for future work

  1. Publish/promote an article on advantages of multilateral federation.
  2. Formally adopt, support and promote interoperability best practices. This shouldn’t be merely a baseline expectation; InCommon should be front-of-the-pack in adopting things like the subject identifier profile, the deployment profile, etc., in order to bootstrap and lead needed change.
  3. The program needs to be clear, transparent and accessible for its potential providers. It can’t be perceived as an exclusive club. It needs to be easy to understand what makes a service federation-ready, and potential customers need the same clarity. People should not be intimidated or feel like they’re sticking their neck out on federation. If we make that very transparent, it becomes much more risky to go off-script and use a non-compatible provider.
  4. People need to feel like they’re getting good support from vendors and the community. Community participation is required of providers. The program itself is part of this connective tissue.

Other comments:

  • It will be important to get the word out to non-federation participants.
  • There will also be a good amount of attraction for non-academic institutions such as research labs and independent research libraries.
  • This fits well with the new InCommon Catalyst partnership program. 
  • The goal is to create a marketplace with competition on price and features, and also to highlight those companies that have worked with the community and have the community at the heart of their business model.

Moved (Janemarie Duh) and seconded (Heather Flanagan) that the TAC adopt the final report of the IdP as a Service working group. Unanimous approval (abstentions by Mark Rank and Mary McKee).

The next step is to take this to InCommon Steering for acceptance. Janemarie will coordinate with the WG chairs and Steering.

Next Meeting - Thursday, Nov 5, 2020
