Minutes
Attendees: Heather Flanagan, Judith Bush, Matt Porter, Keith Wessel, Eric Goodman, Mark Rank, Steven Premeau, David St Pierre Bantz (CTAB), Les LaCroix, Matt Brookover
With (Also Starring): Albert Wu, David Walker, IJ Kim, Kevin M., Ann W.
Regrets: Joanne Boomer, Nicole Roy, Matthew E.
Scribes: Eric G, Steve P., Judith
Agenda Bash
No changes/additions.
Status Updates - Q&A
- Tabletop security exercise - reminder call for participation is active/circulating
- EntityID item update - see notes below
- Working on close out of BE2. 68 outstanding items. Could use help with outreach to those locations.
- No questions/comments on other updates (see separate notes area)
Check in on 2022 Work Items - what do you think your realistic deliverable will be by mid November?
Deployment Profile Adoption
- Working on value statement
- Plan to reconvene the group shortly.
- Will have a draft of action items in the near term.
SAML Identifiers
- Matthew not present, will follow up offline / on future calls.
- Mark did bring some info to TAC a few months ago about Duke’s use of subject-id.
- Duke is using subject-id for some specific use cases.
Federation Testing
- Group has developed an outline of testing approach.
- Can populate with the tests that are already expected
- These are largely things that are already required by current InCommon agreements/BE/etc.
- There are others driven by the profile that are still under discussion.
- This was based on earlier discussions in TAC where Deployment Profile items were classified as “already required”, “under consideration”, etc.
Standing Items
- Browser update - We get routine updates from Heather, and arguably the DID/VC/Wallet stuff kinda fits here too.
- HECVAT management - Unclear.
- EntityID guidance - No further input from TAC members; we will record TAC's preference for Option 1 based on input received so far. Separately, the same/similar discussion around entity ID arose on the REFEDS list. It may lead to a REFEDS working group to clarify how to frame the community's position/preference on the matter (in the REFEDS Federation Metadata Registration Practices template).
- 2022 TAC accomplishments report – we're not done yet with our work for 2022, it's a little early to start on that
Heads up: Class of 2023 TAC member recruiting starting
- TechEx is in December. It will be too late in the year to influence recruiting: we need to get started; please start thinking about possible candidates for 2023 terms and reach out where appropriate.
- Four TAC members' terms expiring: Keith W, Eric G, Mark R, and Matthew E
- Mark did do some outreach to clients to see if any had interest
Updates from Cross-Committee Chair meeting (Keith)
- One item was a focus on change and change management as requirements/needs change
- Referenced an older “futures report” from 2009:
- InCommon had published an "InCommon Futures" Report in 2009: https://incommon.org/wp-content/uploads/2019/04/InCommonFuture_20090701.pdf
- Considering making a new version for the next decade.
- Maybe a “risk registry” approach
- There is a swell of positive energy towards InCommon’s objectives/future directions.
Roundtable - What are the strengths, weakness, opportunities, challenges, needs in your institution as it relates to IAM?
- What forces (technology, business needs, cultural, financial) are pressuring you to change? What specific changes are you being asked to make?
- What is your 5 year outlook of where you’d be if you don’t make any course change?
- Any other thoughts beyond narrowly IAM?
- We are looking for common pains; where there is common pain, there is opportunity to work together to alleviate it
Discussion follows:
- Attendee A:
  - IAM set up is extremely manual compared to how today’s world works, getting pressure to modernize.
  - Segments solving problems on own when not solved centrally (causes fragmentation)
  - Unclear on whether to use internal skills vs vendor solutions with leadership unclear on what the pros and cons for various bits
  - IAM life cycle management improvements needed
- Attendee B:
  - Continually challenged to replace internally developed and managed authN solutions with off the shelf/cloud solutions; evaluation continues to find gaps between offerings and needs, both features and cost/scale.
  - Looking at what Librarians are looking for in expressing authorization (more so than authentication)
- Attendee C:
  - Substantial turnover of IT resources and associated loss of community and institutional knowledge. Being replaced by people who were trained in a MS/Okta/Oracle/whatever world, and see that as “the” solution.
  - Uptake of OIDC
  - Gaps(?) between what RE institutions need and what vendor solutions provide.
  - Not only budget pressures at the University level, but also students may not value a University education at the same level as they used to (i.e., reduced investment in RE overall in some cases).
  - Customers are still looking for SSO solutions that manage an SSH style of integration, which typically is not well supported.
- Attendee D:
  - Perspective mostly as an SP.
  - Most drivers coming from customers (aka IdP)
  - Along with others' comments about institutional knowledge loss at the locations, there is also a need to set a baseline with people on the other end (the IdPs they integrate with).
  - InCommon solutions (BE, etc.) look to address this, but they don’t solve all the issues they need to deal with.
  - From a futures pov, more reactive to what’s needed by people. But definitely interested in VC/DID/Wallet
- Attendee E:
  - +1 Staff turnover
  - Keeping people up to speed on IAM issues
  - New leadership wanting a different architecture
  - RFP for a new IAM system.
  - Windows people that want to use ADFS for everything.
- Attendee F:
  - Lots of +1s
  - Actually moved from a vendor product to go to Shib.
  - Lot of the issues are in the IAM space
  - Have a consistent identifier, but not a consistent group of business roles
  - Commercial solutions don’t meet our business logic.
  - Transitioning some ERP systems; may be a chance to drive more business roles from that data.
  - LoA discussions
- Attendee G:
  - Currently ADFS -> Azure AD
  - Lots of people moving to IdP SaaS solutions.
  - Still a driving need for federation.
  - Shib is still a great solution for their needs. Vendors don’t really look at the more-than-bilateral integrations.
  - InCommon can maybe help fill the gaps (guidance, vendors like Cirrus, etc.)
- Attendee H:
  - Running Universities "more like a business" driving:
    - IT shift from enabling partner to cost center; efficiency as driving metric
    - Command and control style rather than community focus
    - Desire for "out of the box" single vended solutions
    - Current initiatives in the security/IAM space largely based on implementing controls (vended command and control solutions) viewed as requirements of federal rules or laws and insurance requirements
  - Our strength remains partnering with and empowering creative researchers and educators; we need to reinforce relations with those allies to influence campus IT architecture and priorities
Email Updates
CTAB Update
From: Eric Goodman
Date: August 11, 2022
- Workgroup updates (many you’ll separately get here at TAC)
  - REFEDS MFA Working Subgroup
  - REFEDS Assurance Framework WG
  - Entity Categories
  - CACTI (several interesting sounding ones here…)
- BE2 closeout
  - On the long tail of cleanup.
  - Working to reach out to entities still not in compliance before moving to start removal discussions/processes
- TechEx (and general) planning – mostly around what input is being sought/seeds being planted at TechEx
  - Discussion of future directions and what community input is desired.
  - Future of trust/assurance/interop (BE or otherwise)
  - Looking at potential new members
- IdP as a service Update
  - Albert gave details on the service InCommon Ops is working on
  - (I assume he’ll speak about it as part of his TAC update, so I’m not saying more here)
CACTI Update
From: Steven Premeau
Date: August 11, 2022
- Working group updates
  - Goal is to have first-cut of descriptions of scenarios, along with applicable situations into the spreadsheet
  - Kicked off a couple weeks ago, still actively seeking participants.
  - There is ongoing work in the IETF EMU (EAP Method Update) WG.
    - They are updating EAP-TLS to use TLS 1.3 (i.e. encrypting the certificates across the wire).
    - There is also discussion of privacy enhancements to other commonly-used EAP methods — PEAP and EAP-TTLS.
  - Linking SSO WG
  - IDPaaSv2
  - Cloud Security Alliance
- REFEDS MFA (subgroup) - refining some definitions in the REFEDS MFA profile. Hoping to wrap up shortly.
- IETF EMU WG - updating EAP-TLS
- CTAB - the bulk of the meeting focused on the report and presentation to Steering on recommendations for next steps on Baseline Expectations 2 (how to deal with various entities not yet in full compliance etc.).
- Convos in CACTI, TAC, CTAB, Steering, etc. about the future of federation. Doing a planning effort that is in parallel to and connected to the larger Internet2 planning effort. Develop a framework for having those conversations so we can focus on eduroam and federation. Taking off later parts of ‘22, likely a focus for CY ‘23. Upcoming quarterly committee chairs call. Will start working on this there as well. Nascent conversations with InCommon Steering. Steering is also interested in a planning conversation.
- Planning for November IAM Online - outsourcing identity - what do you have to retain?
- Update/question from July 25, 2022 TI Component Architects call
- Should CACTI be discussing the higher-education and research position we should be taking on the constellation of these: Self-Sovereign ID / Wallet / WebAuthN / passkey (portable authenticator) / etc ?
- What, if any, role should InCommon/I2 have in shaping / facilitating / supporting these new technologies? To what extent are they solutions to problems we have, and to what extent are they just different implementations?
- (This topic generated a lot of discussion before we ran out of time)
Internet2 Ops Update
From: Johnny Lasker
Date: August 11, 2022
- Finished deploying AWS CloudFront CDN in front of Federation Manager
  - Serves custom error pages when the backend app is unavailable for any reason
  - Caches static content closer to users
  - Adds IPv6 support
- Wrapping up eduroam Administrator self-service IdP Testing feature
  - Allows eduroam Administrators to test various authentication types against their IdP realm(s)
  - Adds enhanced messaging capabilities for this feature and the FM in general
  - Targeting for next release