Minutes: COmanage-TAC call 16-Sept-2011


Heather Flanagan, Internet2 (Chair)  
Ken Klingenstein, Internet2
Benn Oshrin, Internet2  
Scott Koranda, U. Wisc-Milwaukee
Steven Carmody, Brown
Steve Olshansky, Internet2  
Emily Eisbruch, Internet2 (scribe)  

Carry Over Action Items

[AI] (Heather) will check that everything in simple glossary is also in MACE glossary. https://spaces.at.internet2.edu/display/macepaccman/Another+Glossary+Page
[AI] (Steven) will send Ken details on the Commerce Dept. safe harbor issue.
[AI] (Keith) will check whether the Project Bamboo IAM infrastructure work plan is available on the wiki, and if yes, he will send the group a link.
[AI] (Ken) will send out a link to the Eve Maler presentation from the July 2011 Cloud Identity Summit.
[AI] (Keith) will start a problem statement on the need for a "virtual Switzerland."
[AI] (Keith) will send a pointer to OpenSearch information
[AI] (Ken) will provide a link to the French listing regarding applications and sets/bundles of attributes.
[AI] (Steven) will develop a one-page write-up on attribute aggregation.


2011 Fall Member Meeting Planning


COmanage Working Group:
     - Monday, Oct 3 @ 12:00 PM - 1:00 PM, room 306B

Goal of WG session:
- Review current roadmap and discuss any major changes in landscape that could impact COmanage development
- Would like to reinvigorate the collaboration with international partners.

Track Session on Wednesday
     - Wednesday, Oct 5 @ 4:30 PM - 5:30 PM: Unravelling the Pain of Collaboration: a look at common challenges and new solutions to the issue of trust, service, and support of collaborative organizations.
      Heather Flanagan, Internet2
      Scott Koranda, University of Wisconsin-Milwaukee
      Remco Poortinga-van Wijnen, SURFnet

Capturing the use cases around account linking

Heather has started to capture use cases for account linking at: https://spaces.at.internet2.edu/display/fedapp/Account+Linking

- Scott noted that LIGO is interested in account linking use cases related to linking between institutional identities using social identity  
- An example is with people making transitions between two institutions and there occurs a gap, during which time the person needs access to LIGO resources.  
- The current nervousness about trusting social identity could be reduced in the future with Google two-factor identities
- Eventually account linking of multiple federated identities will be important for LIGO
- Over time people will want to use their campus identities to access LIGO resources, and those campus identities will have to be linked to the LIGO identity
- An issue is that some actions in LIGO -- related to command line tools -- can only be accessed with a Kerberos ticket (SAML can be used when the command line is not involved)
- It will not be possible to use the campus identity for the Kerberos ticket; LIGO credentials will be required
- The closer you get to affecting the instrument, the more likely you will need 2-factor authentication

- Steven reported that account linking has been discussed on the Social Identity calls.
 - One issue is recognizing that a social account and an enterprise account belong to the same person
- Keith is looking at those use cases as part of Project Bamboo

Ken's Report
- Some shift is being seen internationally with federation being branded within the collaboration umbrella
- This could be an indicator of how federations will be seen in the future, more as enablers.
- It is hoped that when a permanent Internet2 VP for Net+ is in place, it will be possible to engage in discussions about Internet2 offering a service instance of COmanage
- Some discussions have taken place with folks at NSF who are interested in virtual panels.
- There is alignment between virtual panels and COmanage work
- We may want to create a COmanage service instance that could incorporate the virtual panel concept.
- For this, it would be important to have a video modality into the COmanage platform

- There is continuing interest within Internet2 regarding non web apps
- The UK is pushing the Radius approach  
- Chris Phillips' blog compares Shib with ECP to Moonshot approach: http://digitalinnovators.wordpress.com/2011/09/13/browserless-fed-signon-tech-contrasted/

- OpenID Connect is another approach getting much attention
- Ken noted that some rebelled against the complexity of SAML, but now OpenID Connect involves much of the same complexity concerning handling attributes and trust issues.
- OpenID Connect announced Discovery 1.0: http://openid.net/specs/openid-connect-discovery-1_0.html
- OpenID Connect also announced an operational attribute authority -- you pass it info on an identity and it returns a trusted value for the address of the identity; LOA not certain

- There is some concern about the Net+ services being rolled out -- those services may be using the word "federated" on their websites but actually have a proprietary approach.
- Hope to capture lessons learned from rollout of the Net+ services
- Net+ offerings as currently envisioned will not be directly offered to VOs; however, VOs may be able to obtain access to the Net+ services via a sponsoring institution

- In the current REFEDS workplan, domestication of apps is a big piece
- Inside REFEDS, the conversation is moving from AUTHN to all of the other values
- At the recent REFEDS meeting in Helsinki, there was consensus that group management is inside the REFEDS space
- This gives us the ability to approach vendors with a common approach around domestication

- COmanage may be the architectural paradigm that applications will need to fit into

LIGO and InCommon

There is a desire to move forward with InCommon membership for LIGO, after some delays related to contractual liability issues.
Emily will set up a call for JohnK, ScottK and Ken to discuss. (DONE)

Next COmanage Meeting: Monday, Oct. 3 at 2011 FMM in Raleigh at noon ET
Next COmanage TAC Call: Friday, Oct. 14 at 2pm ET