Minutes

Attending: Heather Flanagan, Matthew Economou, Mark Rank, Matthew Brookover, Steve Premeau, Mary McKee, Judith Bush, Eric Goodman, Janemarie Duh

With (Also Starring): David Walker, Albert Wu, Ann West, David Bantz, Johnny Lasker, Shannon Roddy, IJ Kim, Nicole Roy, Kevin Morooney, Steve Zoppi

Regrets: Les LaCroix, Keith Wessel

Status Updates / Q&A

  • CACTI 
    • Considering a working group on key compromise, inspired by the SolarWinds incident. Would like input from TAC on good practice.
    • There have been comments that SAML is insecure, because the SolarWinds attackers used compromised signing keys to forge SAML assertions. We need to get an accurate, authoritative account out there.
  • T&I and Ops Updates (Ann/Nic/Albert/Shannon/Dave/Johnny)
    • IdP V3 EOL - do we need to do anything there? 
      • Albert: What should InCommon’s role be for this kind of thing?
  • International Update & SeamlessAccess Update
    • To add: most recent set of articles in the IDPro Body of Knowledge have been published, including an article on PBAC by Mary McKee. Also, articles on Federation in the Enterprise, Account Recovery, and Identity in Operations.
  • Working and liaison group updates - including 2021 plan items
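The CACTI item above asks for good practice around SAML entity key compromise. The following is an added example, not code from these minutes or from any InCommon or CACTI deliverable. It shows the metadata-based trust check that bounds the damage of a leaked or substituted key (an SP should accept signatures only from certificates registered for the issuing entityID in federation metadata, and not from certificates registered for encryption only), plus a post-rotation audit that a retired certificate has actually been removed from metadata. The entityID, the placeholder certificate bytes, the metadata document and the Response skeleton are all constructed; the code compares certificate fingerprints only and does not verify the XML signature itself, which a SAML library does.

```python
"""Metadata-based trust checks for a SAML SP (added example, stdlib only)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed placeholders standing in for DER certificates (not real X.509;
# the checks only compare fingerprints, so any opaque bytes will do).
SIGNING_CERT = _b64(b"constructed: current IdP signing certificate")
RETIRED_CERT = _b64(b"constructed: retired IdP signing certificate")
ENCRYPTION_CERT = _b64(b"constructed: IdP encryption-only certificate")
ROGUE_CERT = _b64(b"constructed: certificate never registered with the federation")

IDP = "https://idp.example.edu/idp/shibboleth"  # assumed entityID

# Constructed federation metadata for one IdP. In SAML metadata, use="signing"
# and use="encryption" restrict a key; a KeyDescriptor with no use attribute is
# valid for both, which is why a retired key left in without 'use' still signs.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="{IDP}">
    <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SIGNING_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{RETIRED_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, colon-separated like openssl prints it."""
    der = base64.b64decode("".join(b64_cert.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def registered_keys(metadata_xml: str, entity_id: str) -> dict:
    """Map fingerprint -> set of permitted uses for one entity in the metadata."""
    keys = {}
    for ed in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iter(f"{{{NS['md']}}}KeyDescriptor"):
            use = kd.get("use")
            uses = {use} if use else {"signing", "encryption"}
            for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                keys.setdefault(fingerprint(cert.text), set()).update(uses)
    return keys


def classify_signer(metadata_xml: str, response_xml: str) -> str:
    """Look up the Issuer's registered keys and classify the certificate the
    Response's ds:Signature presents. Signature bytes are NOT verified here."""
    root = ET.fromstring(response_xml)
    issuer = (root.findtext(f"{{{NS['saml']}}}Issuer") or "").strip()
    sig = root.find(f"{{{NS['ds']}}}Signature")
    certs = [] if sig is None else list(sig.iter(f"{{{NS['ds']}}}X509Certificate"))
    if not certs or not certs[0].text:
        raise ValueError("Response carries no X509Certificate in its Signature")
    uses = registered_keys(metadata_xml, issuer).get(fingerprint(certs[0].text))
    if uses is None:
        return "unregistered-key"        # reject: key not in federation metadata
    if "signing" not in uses:
        return "encryption-only-key"     # reject: registered, but not for signing
    return "trusted"


def retired_keys_still_trusted(metadata_xml: str, entity_id: str, retired: list) -> list:
    """Post-rotation audit: retired/compromised fingerprints still present in metadata."""
    present = registered_keys(metadata_xml, entity_id)
    return sorted(fp for fp in set(retired) if fp in present)


def make_response(issuer: str, b64_cert: str) -> str:
    """Constructed Response skeleton carrying only what classify_signer reads."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""


if __name__ == "__main__":
    for name, cert in [("current", SIGNING_CERT), ("retired", RETIRED_CERT),
                       ("encryption", ENCRYPTION_CERT), ("rogue", ROGUE_CERT)]:
        print(f"{name:10s} {classify_signer(SAMPLE_METADATA, make_response(IDP, cert))}")
    print("retired keys still in metadata:",
          retired_keys_still_trusted(SAMPLE_METADATA, IDP, [fingerprint(RETIRED_CERT)]))
```

Two things the run makes visible: the retired certificate is still accepted for signing because its KeyDescriptor carries no `use` attribute, so rotation is not finished until the old certificate is removed from metadata, and an assertion forged with the registered private key passes this check by construction. The check only makes a substituted key worthless; detecting misuse of a registered key still depends on IdP-side logging and prompt rotation, which is the gap the proposed working group would address.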

Deployment Profile Next Steps

  • Albert and Judith guided the group through Deployment Profile TAC Review, which was created by the earlier-charged subgroup.
    • The document contains links to analyses of each of the specifications in SAML V2.0 Deployment Profile for Federation Interoperability, rating them along three dimensions: Importance to Federation, Enforcement Method, and Conformance Validation Opportunity. These analyses are grouped into four parts, each separately linked from the main document:
      • Part 1 - Common requirements from Section 2 of the Deployment Profile
      • Part 2 - Service provider requirements from Section 3 of the Deployment Profile
      • Part 3 - Identity provider requirements from Section 4 of the Deployment Profile
      • Part 4 - Single Logout requirements extracted from Sections 3 and 4 of the Deployment Profile
    • The original intent of the deployment profile effort was to establish an R&E profile, but it was decided that a more general interoperability profile would be a prerequisite. SAML V2.0 Deployment Profile for Federation Interoperability is that prerequisite. The R&E-specific profile is yet to come; it will likely be more prescriptive in areas where the interoperability profile provides options.
  • What does adoption mean?
    • InCommon would be more specific in its documentation for IdPs and SPs.
    • This would be added to the IdPaaS group’s requirements
      • It was noted that IdPaaS service offerings may make compliance with certain requirements optional for their customers. We would still need those customers to opt for compliance.
    • Steering would make the "adoption" decision. TAC would recommend adoption to Steering.
      • Steering would likely want an impact statement addressing the federation overall as well as SP operators. They would also likely want a recommendation that IdPaaS require compliance.
  • Next steps for TAC
    • The subgroup will work on an impact statement.
    • All TAC members should review Deployment Profile TAC Review and its linked Parts and be prepared to vote on a recommendation to Steering.

Email Updates

CTAB


Subject:RE: [TAC-InC] TAC Call Agenda - 22 April 2021
Date:Tue, 20 Apr 2021 20:51:55 +0000
From:Eric Goodman

CTAB held office hours to answer questions from the community about BE (and touched on some questions about SIRTFI, AUPs and NIH on the side). No formal meeting beyond that.

--- Eric

International, SeamlessAccess, and Browser Interaction updates


Subject:[TAC-InC] International, SeamlessAccess, and Browser Interaction updates, 22 April 2021 TAC call
Date:Wed, 21 Apr 2021 10:22:29 -0700
From:Heather Flanagan


International Update
Reminder: please sign up for the upcoming REFEDS meeting (16 June 2021, https://events.geant.org/event/580/) and TNC21 (21-25 June, https://indico.geant.org/event/8/registrations/37/)!

SeamlessAccess Update
SeamlessAccess is planning two workshops in May: one for small/medium publishers, one for federation operators (repeated to capture the widest range of timezones). Registration is not yet open, but announcements will be going out in the next week or so.

WAYF Entry Disambiguation WG progress
The WAYF disambiguation working group has finalized its charter, and a blog post will be going out in the next week or so to promote the charter and let interested parties know what outputs are expected. The group still needs representatives from the IdP operator world, including both IdP operators that represent university systems and IdP operators that represent a single institution.

Browser Technology Changes
Save the date: May 25-26, 10am-1pm PT. Meeting to be held under the auspices of the W3C WICG; membership is required, but is free (https://www.w3.org/community/wicg/). Goal is to have all major browser vendors present, as well as representatives from reference architecture services (e.g., Microsoft Teams, Google Sign-in, Academic Federation, Verizon Enterprise) to talk about the problems, solutions being explored, and how to continue the conversation so everyone who wants to can contribute and stay informed. 

Heather Flanagan — Translator of Geek to Human
https://sphericalcowconsulting.com 

Federation Testing Environment


Subject:[TAC-InC] Update: Fed Test WG
Date:Thu, 22 Apr 2021 12:12:46 -0400
From:Janemarie Duh


Hello,

I reached out to Tim Lloyd, CEO of LibLynx, about being a co-chair for the Fed Test WG but haven't heard anything back yet.

The wiki page and email list are up - thanks, Albert! - and you might have seen the announcement I just posted to participants. I'll cross-post to REFEDS and educause.

IIRC, there is a fed ops list, which would be good to target. If you can think of any others, please let me know. Thanks!

     Janemarie


CACTI


Subject:[TAC-InC] Community Architecture Committee for Trust and Identity (CACTI) update, 22 April 2021 TAC call
Date:Thu, 22 Apr 2021 13:02:38 -0400
From:Matthew X. Economou


The 13 April 2021 CACTI meeting discussed secrets management, specifically the need for guidance on how to detect and respond to SAML entity key compromise.  Ideas for community outreach included a future IAM Online session.  CACTI may start a working group dedicated to this topic, and it would like to ask the InCommon TAC to look at secrets management best practices/guidance.