InCommon Shibboleth Installation Workshop
November 7-8, 2017
9:00 am - 5:00 pm (ET)

National Institute of Allergy and Infectious Diseases

Conference Center

5601 Fishers Lane

North Bethesda, Maryland 20852

Register at www.incommon.org/shibtraining

Are you interested in learning how to install and configure the Shibboleth SAML SSO/Federation Software? Do you need to upgrade to IdPv3? Would you like to see how the containerized TIER version of the Shibboleth IdP can simplify your installation and configuration?

Join us for the InCommon Shibboleth Installation Workshop November 7-8 at the National Institute of Allergy and Infectious Diseases Conference Center in Bethesda, Maryland. The registration deadline is October 20.

The two-day training covers both the Identity Provider and Service Provider software, as well as some integration issues. We will also introduce you to the TIER (Trust and Identity in Education and Research) version of the Shibboleth IdP, which is delivered via a Docker container and is pre-configured to work well with InCommon. The workshop focuses on installing and deploying IdPv3 and the Shibboleth Service Provider. Here is what you can expect:

    •    A two-day, directed self-paced workshop

    •    Hands-on installation of the identity provider and service provider software

    •    Experienced trainers providing overviews and one-on-one help 

    •    Discussions on configuration and suggested practices for federation

    •    Attendance is limited to 40


The workshops will offer the chance to:
    •    Install a prototype Shibboleth identity and service provider in a virtual machine environment

    •    Gain experience with the Docker container version of the Shibboleth IdP (the TIER version)

    •    Discuss how to configure and run the software in production

    •    Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

    •    System install, integration, and ongoing support staff

    •    Campus technology architects


To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

Members of the Kantara Initiative Federation Interoperability Working Group have recently approved the SAML V2.0 Implementation Profile for Federation Interoperability. The document described below now enters a 45-day public comment and IPR review period in preparation for a member ballot to consider its approval as Kantara Initiative Recommendation.

This document encompasses a set of software conformance requirements intended to facilitate interoperability within the context of full mesh identity federations, such as those found in the research and education sector. It attempts to address a number of common barriers to interoperability and details features that are necessary in order to use SAML metadata as a foundation for scalable trust fabrics. It supersedes the eGovernment Implementation Profile V2.0bis from June 2011.

This is an open invitation to comment. Kantara Initiative solicits feedback from potential users, developers and other interested parties, whether Kantara Initiative members or not, for the sake of improving the interoperability and quality of its technical work. The public review opened on June 14, 2017, and will close July 29, 2017, at 11:59 UTC.

To comment please email your comments to staff@kantarainitiative.org with the subject "FIWG COMMENT SUBMISSION".


InCommon Shibboleth Installation Workshop
July 19-20, 2017
Lafayette College
Easton, Pennsylvania

www.incommon.org/shibtraining

InCommon will hold a Shibboleth Installation Workshop July 19-20 at Lafayette College in Easton, PA. Registration is available at www.incommon.org/shibtraining and details on the location at Lafayette College are on the wiki.

The two-day training sessions cover both the Identity Provider and Service Provider software, as well as some integration issues. The workshops focus on installing and deploying IdPv3 and the Shibboleth Service Provider. Here is what you can expect:

    •    A two-day, directed self-paced workshop

    •    Hands-on installation of the identity provider and service provider software

    •    Experienced trainers providing overviews and one-on-one help 

    •    Discussions on configuration and suggested practices for federation

    •    Attendance is limited to 40


The workshops will offer the chance to:
    •    Install a prototype Shibboleth identity or service provider in a virtual machine environment

    •    Discuss how to configure and run the software in production

    •    Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

    •    System install, integration, and ongoing support staff

    •    Campus technology architects



A revised eduroam info sheet describes the features and benefits of the federated global wireless access service for research and education. It may be particularly useful in providing a high-level overview of the service to campus stakeholders.

Internet2 operates the U.S. node for eduroam, which allows individuals from a participating institution to use their home credentials for access. Eduroam is a worldwide federation of RADIUS servers allowing users to achieve seamless access when traveling to another participating institution. Some campuses have chosen to use eduroam as their default campus wireless network.

For more information about the eduroam service and how your campus can participate, visit www.incommon.org/eduroam.

The Network Startup Resource Center (NSRC) has developed a series of videos that will take you through the policies and technologies of identity management on a local level, as well as how identity federations like InCommon are of value. There are 10 videos that cover the topics below. You will find background information at the NSRC's website. The NSRC produced the videos in partnership with GEANT (the pan-European network and a fundamental part of Europe's e-infrastructure).

Here is a list (and links) of the videos.

Campus Identity

Federated Identity

Identity and Business Models

Internet2 has started deployment of a new service desk, ServiceNow. As of March 27, all email sent to our support address (admin@incommon.org) will create a ticket in ServiceNow, which will generate an automated email response The same set of InCommon/Internet2 people will respond to requests through the new service desk system. We will continue to use admin@incommon.org for support requests from participants and certificate service subscribers.
 
Over the last three years, we have seen significant increases in the volume of mail to admin@incommon.org. ServiceNow will help us organize and respond to your requests in a more efficient and timely manner. We hope you find this change helpful, and we're always open to your feedback (email admin@incommon.org). Increased maturity in both service delivery and operations are among InCommon’s main work areas for 2017, and this move to ServiceNow is critical to achieving those goals.

March 22 TAC Work Plan Webinar

Wednesday, March 22, 2017
2 pm ET | 1 pm CT | Noon MT | 11 am PT
https://internet2.adobeconnect.com/iam-online

The InCommon Technical Advisory Committee (TAC) will present its draft 2017 work plan during this webinar, March 22, at 2 pm ET. The TAC provides recommendations related to the technical operation and management of InCommon. The work plan outlines the proposed technical priorities, particularly for the InCommon Federation.

This webinar is intended to gather community feedback on the work plan. This year’s draft plan includes these topics (among others):

  • Support for OAuth/OpenID Connect

  • Improving IdP discovery (Discovery 2.0)

  • Less restrictive attribute release policies

  • Improve Service Provider onboarding processes


Please plan to join us to learn about the 2017 plans and provide feedback and suggestions.

The OpenID Connect Survey Working Group, chartered by the InCommon Technical Advisory Committee (TAC), recently conducted a study to understand the community’s interest and use of OIDC/OAuth protocols. The survey also asked how InCommon and Internet2 may help campuses in the adoption of these protocols.

The results are in. The survey working group has compiled a report summarizing the survey findings and the working group's recommendations. You are invited to review the report and provide feedback. The deadline for comments is March 24, 2017.

Shibboleth Installation Workshop - June 13-14, 2017 - Denver, Colorado

InCommon Shibboleth Installation Workshop
June 13-14, 2017
University of Denver
Denver, Colorado

Registration: www.incommon.org/shibtraining

Denver details: https://spaces.internet2.edu/x/rIKTBg

Registration is open for the an InCommon Shibboleth Installation Workshop June 13-14, at the University of Denver. The two-day training sessions cover both the Identity Provider and Service Provider software, as well as some integration issues. The workshops focus on installing and deploying IdPv3 and the Shibboleth Service Provider. Here is what you can expect:

    •    A two-day, directed self-paced workshop

    •    Hands-on installation of the identity provider and service provider software

    •    Experienced trainers providing overviews and one-on-one help 

    •    Discussions on configuration and suggested practices for federation

    •    Attendance is limited to 40


The workshops will offer the chance to:
    •    Install a prototype Shibboleth identity or service provider in a virtual machine environment

    •    Discuss how to configure and running the software in production

    •    Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

    •    System install, integration, and ongoing support staff

    •    Campus technology architects


To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

InCommon Shibboleth Installation Workshop
April 4-5, 2017

University of Michigan (Arbor Lakes Dome)
Ann Arbor, Michigan
www.incommon.org/shibtraining

Registration is open for the first InCommon Shibboleth Installation Workshop of 2017, April 4-5, at the University of Michigan in Ann Arbor. This two-day training session covers both the Identity Provider and Service Provider software, as well as some integration issues. The IdP portion of the workshop is based on IdPv3.

We will focus the training sessions on people who wish to learn about and deploy IdPv3. Here is what you can expect:

  • A two-day, directed self-paced workshop
  • Hands-on installation of the identity provider and service provider software
  • Experienced trainers providing overviews and one-on-one help
  • Discussions on configuration and suggested practices for federation
  • Attendance is limited to 40
  • Registration closes March 17

The workshops will offer the chance to:

  • Install a prototype Shibboleth identity or service provider in a virtual machine environment
  • Discuss how to configure and running the software in production
  • Learn about integration with other identity management components such as LDAP and selected service providers

Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

  • System install, integration, and ongoing support staff
  • Campus technology architects


For more information and a link to register, go to https://spaces.internet2.edu/x/9wJ-Bg

To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

Nominations are open for the instantiation of CACTI, the Community Architecture Committee for Trust and Identity. This new committee will provide technical guidance and inform the strategic direction for Internet2's Trust and Identity (T&I) services. CACTI membership must comprise and connect a range of perspectives and experiences, established and rising community technical leaders, and national and international backgrounds.

Nominations for membership, including self-nominations, may be made using this nomination form. Nominations will be accepted through midnight (EST), March 8, 2017. The goal is for the first meeting of CACTI to occur online shortly before the upcoming Internet2 Global Summit, April 23-26 in Washington DC.

CACTI's charter describes its duties, membership, and other details, and its role in the ecosystem of T&I related Internet2-sponsored community guidance is described in https://internet2.box.com/v/commarchguideI2TI.

Over the years, the Internet2 community together with national and international partners has helped to shape the research and education identity and trust landscape. Going forward, CACTI will play a large part in continuing this important work.

At the request of the InCommon Certificate Service community, Comodo has created a new system that will greatly streamline the issuance of EV (extended validation) certificates. This new system is called “Anchor Certificates.” Cert Service subscribers can now request an Anchor Certificate, and apply it to all of their domains, then go through the industry-mandated EV process once for all of the domains, which will streamline future EV certificate requests. This will not actually create a new certificate, but uses the same validation process as with EV certificate requests. Once the Anchor Certificate is set, EV cert requests are treated just like any other cert, without going through the EV validation process again for 13 months. Under the current process, each EV cert request went through the entire validation process.

In conjunction with Comodo, we have published a wiki page that details the process of ordering an anchor certificate.
 
The InCommon Certificate Service Working Group surveyed certificate subscribers last year and had a number of recommendations. This is one step toward improving the EV documentation and process. Survey results and the 2017 work plan will be detailed over the next few weeks.

Once again this year, we intend to schedule four Shibboleth Installation Workshops at campus locations in various regions. These are two-day workshops best described as directed self-paced workshops that cover both the IdP and SP software, as well as some integration issues. This year we also intend to offer material about the TIER software package (of which Shibboleth is a part).

I’m looking for campuses interested in hosting one of the 2017 trainings. The campus responsibility is to provide a room that will comfortably hold 44 people with laptops, pads of paper and cups of coffee. The campus also provides a robust wireless network and arranges for catering for said coffee, as well as lunch and refreshment breaks. InCommon provides the trainers and will handle the registration process. In return for hosting, we provide two complimentary registrations for the campus.

A couple of the considerations in selecting locations are:

  • Region (we try to spread these around to make travel easier for attendees)
  • Relative ease of travel (such as proximity to Interstates and at least a medium-size airport)

You can see our host outline for details: https://goo.gl/0o3YdL

If you are interested in at least exploring hosting one of these events, please send me email (woodbeck@internet2.edu).

InCommon needs enthusiastic volunteers to bring their unique expertise to the InCommon Technical Advisory Committee (TAC), an advisory body to the InCommon Steering Committee. We invite you to nominate such people for membership on the InCommon TAC, including self nomination.

TAC works best when its members span a variety of perspectives, including (but not limited to):

  • universities and colleges of all sorts and sizes
  • research organizations, traditional and virtual
  • regional R&E network providers
  • sponsored partners
  • trust and identity solution providers
  • international partners

TAC supports InCommon’s mission "to create and support a common framework for trustworthy shared management of access to online resources." Specific duties include: 

  • review and advise on InCommon's operations, technology choices, and the impact of policies on technical concerns
  • review and advise on InCommon service offerings, and make recommendations for new service development and service retirement
  • work with InCommon staff to ensure secure, robust, and reliable operation of InCommon services
  • engage with the trust and identity community to ensure that InCommon technology meets the needs of the participants
  • attend biweekly conference calls and the face-to-face meeting at the annual Internet2 Technology Exchange

The InCommon Steering Committee appoints TAC members to three-year terms. Individuals should have the necessary technical expertise, experience in the education and research community, and a track record of participation in that community.

Please send TAC member nominations to nominations@incommon.org by Tuesday, October 11, 2016. Self-nominations are welcome. Please include some information describing the strengths and experience the individual would bring to the TAC, and the constituencies they are familiar with. Please distribute this invitation to all interested parties.

See http://www.incommon.org/docs/policies/TACcharter.html for the TAC charter (revised December 2015); see http://www.incommon.org/about.html for the current TAC membership. New members would assume their membership in early February. Send questions and comments to Steven Carmody (steven_carmody AT brown.edu), InCommon TAC Chair.

InCommon is conducting a proof of concept for SIRTFI (Security Incident Response Trust Framework for Federated Identity). This is the first step toward supporting a global incident response system for research and education trust federations.

With the ever-increasing and evolving cybersecurity threats, and our increasingly interconnectedness through eduGAIN, federation operators need a way to quickly collaborate in the face of a security incident. One compromised account at an institution can provide access to a multitude of service around the world. SIRTFI provides a framework for an effective coordinated response in the event of an incident.

SIRTFI stipulates preventative measures and identifies organizations that are capable of participating in a coordinated incident response. Federation participants that comply with SIRTFI are marked in the federation’s metadata, raising the bar in operational security across the federation. A very good explanation is available at https://refeds.org/wp-content/uploads/2016/02/Why_Sirtfi.pdf .

InCommon’s proof of concept involves three participants (University of Chicago, LIGO, and the National Center for Supercomputing Applications) that agree to the SIRTFI framework and have the entity attribute added to their metadata. But there are also more than 100 identity providers from other federations with the SIRTFI attribute, and InCommon participants will also see these in metadata.

Once the proof of concept has been evaluated, we anticipate encouraging all InCommon participants to adopt the SIRTFI framework. In the future, we expect this will become a requirement for federation participation.

What can you do right now? One SIRTFI requirement is to have security contacts in metadata. It is a simple process, with your site administrator logging into the Federation manager and adding a security contact. This is useful information to include, independent of the adoption of SIRTFI.