Minutes

Attending: Keith Wessel, Mark Rank, Judith Bush, Heather Flanagan, Matt Brookover, Mary McKee, Steven Premeau, Eric Goodman, Matthew Economou

With (Also Starring): David Walker, Nicole Roy, Steve Zoppi, Shannon Roddy, Albert Wu, David Shafer, Johnny Lasker, Ann West, Les LaCroix (CACTI), IJ Kim

Status Updates / Q&A

  1. T&I and Ops Updates (Ann/Nic/Albert/Shannon/Dave/Johnny)
    1. Emergency metadata publishing yesterday, due to the University of Colorado - Denver’s IdP being deleted from metadata without a replacement in place. 
  2. (email) International Update & SeamlessAccess Update
    1. International and SeamlessAccess Update
  3. (email) Working and liaison group updates
    1. CTAB Update
    2. Federation 2.0 Update

Administrivia

  1. Adding profile info for TAC member on website - possibly link to member’s profile page at campus/linkedin/educause/etc? (Heather)
    1. It would be optional what the target of the link is, LinkedIn, home organization, wiki “self” page, etc.
      1. An alternate approach was discussed to list people’s skills. The decision was to go with profile page links.
    2. We'll also indicate chairs and vice chairs (past and present), as well as past members
    3. Instructions for submitting your information will be forthcoming.
  2. Verifying liaisons from TAC to other groups for 2021 (CACTI, CTAB) (Albert)
    1. We haven’t established a rotation for these people.
    2. Current liaisons
      1. Eric Goodman - CTAB
      2. Matthew Economou - CACTI
      3. Keith Wessel - InCommon Steering
  3. FYI - SP onboarding guide and related wiki content - public preview; need reviewers (Albert)
    1. ACTION: Everyone please review a limited-access preview of the InCommon Federation Library wiki space. A summary of what's changed is in Introducing the Service Provider Onboarding Guide (and more).
    2. The preview will be made public in a couple of weeks (end of February).
    3. New/modified pages have feedback links at the bottom.
  4. FYI - Extension of community consultation for IdPaaS (Albert)
    1. The consultation has been extended to February 19.  See https://spaces.at.internet2.edu/display/inctac/Consultation+on+IdP+as+a+Service+Working+Group+Report

Leveraging Educause SP experience/data to improve federation interoperability (Mark R)

  1. EDUCAUSE has “somewhere north” of 200 IdPs registered. Cirrus has been observing interesting operationally disruptive patterns of behavior, such as rotating IdP entityIDs. Mark will share these observations with the TAC. They’re anecdotal right now, but could be quantified.
  2. Mark will add this to the draft work plan for this year.
  3. Discussion of domain name checks for scopes, entityIDs, and endpoints
    1. Scopes are essential to check.
    2. Endpoints are not so important.
    3. What about entityIDs? How critical are they?
    4. Subsequent discussion in chat:
      1. Matthew Economou: “NIST SP 800-63-3 federation assurance level 2 (basically, any federal SAML entity) requires binding identifiers to issuers (IdP), so an entity ID change could screw up UX by making it look like this is a new user.”
      2. Eric Goodman: “Good Point. And that's a good reference to push at vendors.”
      3. David Walker: “I was thinking the same thing. There's probably more risk to trust in changing an entityID than what domain it's in.”
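An added example (not code from the TAC or InCommon Operations) of the domain-consistency check discussed above: given an entity's metadata and the domain the organization registered with the federation, it lists the scopes, the entityID and the endpoints that fall outside that domain, each in its own bucket so an operator can weight them as the discussion did (scopes essential, endpoints less so, entityIDs open). The entity, its domain `example.edu` and the vendor-hosted entityID are constructed; regexp scopes are flagged for manual review because they cannot be matched literally.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed IdP: scopes and SSO endpoint under the registered domain, entityID hosted elsewhere.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://example-edu.idp-vendor.example/saml2">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope>
   <shibmd:Scope regexp="false">alumni.example.edu</shibmd:Scope></md:Extensions>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
     Location="https://sso.example.edu/idp/SSO"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def in_domain(host, org_domain):
    """True when host is the registered domain itself or a subdomain of it (case-insensitive)."""
    host, org_domain = host.lower().rstrip("."), org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)

def domain_check(entity_xml, org_domain):
    """Classify the entity's scopes, entityID host and endpoint hosts against org_domain.
    Returns {"scopes": [...], "entityID": [...], "endpoints": [...]} listing only the
    OUTLIERS, so the operator can weight each bucket separately."""
    ed = ET.fromstring(entity_xml)
    outliers = {"scopes": [], "entityID": [], "endpoints": []}
    for scope in ed.findall(".//shibmd:Scope", NS):
        value = (scope.text or "").strip()
        # A regexp scope cannot be domain-matched literally; flag it for manual review.
        if scope.get("regexp") == "true" or not in_domain(value, org_domain):
            outliers["scopes"].append(value)
    eid_host = urlparse(ed.get("entityID")).hostname or ""   # urn: entityIDs have no host
    if not in_domain(eid_host, org_domain):
        outliers["entityID"].append(ed.get("entityID"))
    for el in ed.iter():   # every SAML endpoint element carries a Location attribute
        loc = el.get("Location")
        if loc and not in_domain(urlparse(loc).hostname or "", org_domain):
            outliers["endpoints"].append(loc)
    return outliers
```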

2021 TAC Work Plan

  1. The current draft is at https://docs.google.com/document/d/16KT4An74VP0RybWzm1WHeDBWQ__7BExXIJUEL0UuAvE/edit#.
  2. CTAB has started an Assured Access Working Group (https://spaces.at.internet2.edu/display/aawg)
    1. Focus will be on identity assurance (as opposed to, e.g., MFA)
    2. REFEDS also has an assurance working group. Albert can liaise with it.
    3. Eric will serve as the link to the CTAB group, although he may need to be replaced in the future.
  3. Deployment Profile
    1. Keith, Albert, Judith, and Mark are working on a proposal.
  4. We now have 7 potential activities. Not all require working groups. Everyone please add +1’s to items you feel are important to address in 2021. Also indicate if you’re willing to be a sponsor (not necessarily to be the chair) for any of the working groups.
  5. Chat
    1. Mary McKee: “This seems tangential so we don’t need to talk about it, but one thing that I’ve been thinking about a lot is not just making federation *easier* but making it *more visible*. I am currently dealing with an issue where a school with an IdP in InCommon is moving toward Okta and our likelihood of convincing them as a peer institution to adopt and support R&S long-term doesn’t seem promising. I wish we had a better framework for incentivizing institutions to help lift each other up, but that may be out of the scope of the 2021 focus”
    2. Mark Rank: “Mary - I believe it is related to the educause observations”

Next Meeting - Thursday, February 25, 2021

Email Updates

CTAB Update


Subject: Re: [TAC-InC] TAC call reminder and agenda - February 11
Date: Wed, 10 Feb 2021 01:27:23 +0000
From: IAM David Bantz

...

A brief written report of CTAB activity:


  • We (well InCommon staff really!) are closing in on being able to send targeted notices to InCommon entity administrators indicating specific aspects of their SP or IdP metadata that do not conform to Baseline Expectations 2 - that is,
    • an IdP error URL,
    • SIRTFI self-asserted compliance, and/or
    • published endpoints with TLS encryption “below the bar”

    That ability will also enable us to track and chart overall progress toward achieving BE 2, as we charted progress on BE 1.


  • We have formed an “Assured Access” Working Group to provide greater clarity on how IdPs can meet new NIH requirements; this group will meet weekly in hopes of providing concrete recommendations as soon as feasible that tie together
    • institutional identity business processes (such as employee vetting)
    • standards defining assurance levels such as NIST 800-63 and Kantara
    • IdP signaling of identity and authentication assurance
    • NIH requirements for access to services requiring additional assurance levels


David St. Pierre Bantz

Chair, CTAB
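An added example (not code from CTAB or InCommon Operations) of the kind of metadata check that would drive such notices: it reads a constructed two-IdP aggregate and reports, per entityID, a missing errorURL, no SIRTFI assertion in the entity attributes, and endpoints whose Location is not on https. Checking only the URL scheme is a simplification; deciding whether an endpoint's TLS configuration is “below the bar” needs a live scan, which this does not do.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"

# Constructed two-entity aggregate: the first IdP conforms, the second shows all three gaps.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue></saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:IDPSSODescriptor errorURL="https://idp.example.edu/help" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def be2_findings(metadata_xml):
    """Map each non-conforming entityID to the list of Baseline Expectations 2 gaps found."""
    findings = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        gaps = []
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None and not idp.get("errorURL"):   # errorURL is an IdP-only requirement
            gaps.append("missing errorURL")
        asserted = set()
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_ATTR:
                asserted.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
        if SIRTFI not in asserted:
            gaps.append("no SIRTFI assertion")
        for el in ed.iter():   # every SAML endpoint element carries a Location attribute
            loc = el.get("Location")
            if loc and urlparse(loc).scheme != "https":   # scheme only; TLS grading needs a live scan
                gaps.append("non-https endpoint: " + loc)
        if gaps:
            findings[ed.get("entityID")] = gaps
    return findings
```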

Federation 2.0 Update


Subject: [TAC-InC] Fed 2.0 Update
Date: Thu, 11 Feb 2021 15:23:06 +0000
From: Bush, Judith


We had really delightful progress. We’ve come to a point of clarity that the recommendations in the report will be for a broad audience and that specific REFEDS recommendations will go in a cover letter for REFEDS. This addresses some circling around specific vs. general, narrow vs. broad. The general sense of needing to advocate outside of R&E for the value of multilateral federation, to ensure interoperability with vendor products, leads us to want the report to be for a broad audience, but the urgency is for REFEDS to move forward with next steps. This clarity in how we will address the two helps identify which recommendations go where.

Judith

International and SeamlessAccess Update


Subject: [TAC-InC] International and SeamlessAccess update
Date: Wed, 10 Feb 2021 15:09:31 -0800
From: Heather Flanagan


Here are the International and SeamlessAccess updates in prep for the TAC meeting tomorrow

International Update

REFEDS
The R&S 2.0 working group continues to make significant progress on the next revision of the R&S Entity Category. On the call this week, the participants started to review the newly drafted proposed text (https://docs.google.com/document/d/1kZMdQ_T2vJJY25HZonoxIXk8Y7TCmgFyRoJ2wu4SCi8/edit). The group agreed that text on a migration path between the current version of R&S and R&S 2.0 does not belong in the specification itself; anything that sets timelines immediately puts an expiration date on the new spec. Organizations will be able to signal support for both R&S 1.3 and R&S 2.0 in their metadata, and that signal will provide indication as to where they are in their migration efforts. An institution should be able to support both versions simultaneously, though some technical hoops will be involved (specifically, the necessary re-mapping of identifiers).

Our next call will focus on the OIDC mapping described in the spec. The current text maps to what will be released in Shibboleth v4.

As a reminder, the specification will go through the full community consultation process once the working group has achieved consensus on a draft.

SeamlessAccess Update
SeamlessAccess is starting to move forward with the creation of a new working group, the WAYF Entry Disambiguation Working Group. The following was shared with the SeamlessAccess Advisory Committee:

---
As you know, SeamlessAccess focuses on the Where-Are-You-From (WAYF) aspect of the Federated Identity Management (FIM) workflow. The metadata that sources the list of Identity Providers to users is often aggregated from several sources in order to get the broadest list possible. While providing the user as much choice in IdPs as possible is usually a good thing, we are seeing significant confusion when an institution has two IdPs with the same Display Name. Most commonly to date, this is found when an institution has a campus IdP and a library-specific IdP service (although this issue could arise with any organization where multiple IdPs might be implemented).

For example:



From the user's perspective, these are the same. From a technical perspective, however, these are different. One points to https://login.bc.edu/idp/shibboleth and the other points to https://idp.bc.edu/openathens. The (perhaps) most obvious solution is to change the Display Name so that each Display Name is unique, but that is not easy to do for a variety of reasons (e.g., different federations may have different rules that would have to be normalized, the display name may end up too long for mobile screens, WAYF services that sort names alphabetically could be shifted to a poorer user experience). We are beginning to see this area of potential confusion more frequently, and the above example is just one that we have identified.
---

SeamlessAccess has one other active working group right now that is focused on offering a template for contract language between libraries and publishers that captures the requirements around the use of FIM.

Heather Flanagan — Translator of Geek to Human
https://sphericalcowconsulting.com
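As an added illustration, not SeamlessAccess's own code: merging two constructed metadata feeds the way a WAYF service aggregates them, then reporting IdPs whose mdui:DisplayName collides. The two bc.edu entityIDs are the ones named in the update above; the display name “Boston College”, the second feed's stray double space and the example.edu entity are constructed. Only mdui:DisplayName is compared (per xml:lang, whitespace-normalized, case-insensitive); a fallback to OrganizationDisplayName is left out.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

def idp_entity(entity_id, display_name):
    """Build one minimal IdP EntityDescriptor fragment for the constructed feeds below."""
    return ('<md:EntityDescriptor entityID="%s"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">%s</mdui:DisplayName>'
            '</mdui:UIInfo></md:Extensions></md:IDPSSODescriptor></md:EntityDescriptor>'
            % (entity_id, display_name))

def feed(*entities):
    return ('<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdui="%s">%s</md:EntitiesDescriptor>'
            % (NS["md"], NS["mdui"], "".join(entities)))

# Constructed feeds: the campus IdP appears in both, the library IdP only in the second.
FEED_A = feed(idp_entity("https://login.bc.edu/idp/shibboleth", "Boston College"),
              idp_entity("https://idp.example.edu/idp/shibboleth", "Example University"))
FEED_B = feed(idp_entity("https://login.bc.edu/idp/shibboleth", "Boston College"),
              idp_entity("https://idp.bc.edu/openathens", "Boston  College"))

def idp_display_names(*feeds):
    """Merge feeds as a discovery service would: {entityID: {lang: DisplayName}} per IdP."""
    names = {}
    for xml_text in feeds:
        for ed in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
            idp = ed.find("md:IDPSSODescriptor", NS)
            if idp is None:
                continue   # SPs are not WAYF entries
            per_lang = {}
            for dn in idp.findall("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS):
                per_lang[dn.get(XML_LANG, "en")] = " ".join((dn.text or "").split())
            # The same entityID from two feeds is one IdP: merge it rather than count it twice.
            names.setdefault(ed.get("entityID"), {}).update(per_lang)
    return names

def duplicate_display_names(*feeds):
    """Return {(lang, normalized name): [entityIDs]} for names shared by more than one IdP."""
    groups = defaultdict(list)
    for eid, per_lang in idp_display_names(*feeds).items():
        for lang, name in per_lang.items():
            groups[(lang, name.casefold())].append(eid)
    return {key: eids for key, eids in groups.items() if len(eids) > 1}
```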
