CACTI Call, Tuesday, May 11, 2021
Attending
Members
- Rob Carter, Duke, (Chair)
- John Bradley, Independent
- Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
- Matthew Economou, InCommon TAC Representative to CACTI
- Kevin Hickey, Detroit Mercy
- Marina Krenz, REN-ISAC
- Jeremy Perkins, Instructure
Guests, Co-Chairs of the Federation 2.0 Working Group (of REFEDS)
- Tom Barton, Internet2 and University of Chicago
- Judith Bush, OCLC
Internet2
- Steve Zoppi
- Emily Eisbruch
Regrets
- Margaret Cullen, Painless Security
- Les LaCroix, Carleton College (Vice-Chair)
- Marina Adomeit, SUNET
- Stoney Gan, University of South Florida
- Michael Grady, Unicon
- Barry Johnson, Clemson
- Chris Phillips, CANARIE
- Bill Thompson, Lafayette College
- Kevin Morooney, Internet2
- Ann West, Internet2
- Nicole Roy, Internet2
Pre-Read Materials
- Read the draft report of the REFEDS Federation 2.0 working group (here's the WG wiki space, for background)
Action items from March 30, 2021
- AI - Rob and Les - slot the user centric identity topic into a future CACTI agenda
- AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community (ongoing)
Action items from March 16, 2021
- AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
- AI - Rob reach out to leaders of the MidPoint/Banner Integration working group to talk with CACTI re: Banner (AnnW did intro with MattB). (Note: the Banner WG is folding into the MidPoint WG)
Discussion
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
Announcements
- CAMP week call for proposals deadline has been extended until Friday, May 14
- CACTI has submitted two proposals for CAMP week
- CACTI exchange with the community (town hall)
- Secrets management, security and trust (will also be discussed at July IAM Online)
Work of the Federation 2.0 working group within REFEDS
https://wiki.refeds.org/display/GROUPS/Federation+2.0
- Intros of Judith Bush and Tom Barton and the work of the REFEDS federation 2.0 working group
- Tom Barton
- U. Chicago and Internet2
- Judith Bush
- OCLC Library consortium
- Involvement with IAM started around 2008
- Involved with the InCommon and REFEDS community, worked on the Deployment Profile
- Serves on InCommon TAC
- Tom Barton
- Kevin Morooney has suggested that perhaps CACTI will provide some response/feedback based on the Federation 2.0 working group report.
- History of Federation 2.0 effort
- Tom noted that discussions with Roland Hedberg around the OpenID Connect Federation spec led to the idea of Federation 2.0 work
- Tom proposed a Federation 2.0 WG to REFEDS.
- It was not initially accepted, but things evolved well.
- The current Federation 2.0 effort recognizes that we can’t take for granted the persistence of R&E Federation.
- There is a lot of good to be enabled by the continued existence of R&E Federation.
- Looking at what needs to happen, what strategies and actions are needed, for R&E federation to continue.
- The term Academic interfederation is useful. Global scale is a key to the value.
- It is challenging to make things happen across all the federations globally
- eduGAIN (https://edugain.org/) is a technology for interfederation; it's not about organization, leadership, or leading the whole.
- What's needed is advocacy and representability; there is a need to scale across domains
- Leadership and outreach to tool builders, software implementers, cloud providers is needed
- Libraries and others need to support academic entities and also for-profits, for example biomedical companies.
- Access control and trusting an authorization: in this area the academy has specific things to offer.
- Question: What happened with the focus on OpenID Connect Federation?
- Answer: OpenID Connect is just one technology
- Issues are independent of protocol
- The trust issues are bigger than any one technology
- Are identity providers “claim providers”?
- How do you provide the trust?
- Individual who has been authenticated has primary relationship with the SP
- Organizational access control -- let this person use my license for this thing
- Different trust structures
- How to do permission and access control in the cloud?
- May need finer-grained control
- We appeal to new leadership to engage in the academic domain?
- Provides scope and vitality
- Trust underpinnings that federation has built, outside traditional use cases such as SSO
- Maybe there are other benefits? Such as verifiable credentials
- Trust to be applied towards “who is the authority appropriate to issue claims about this particular thing?”
- Tom: we are not building solutions
- There is a group member affiliated with NIST, there are many opportunities
- Need to address what it is about federated operations that engenders trust
- Some of the extra-academic areas may have the concern that they need to be willing to rely on the trust framework
- Sustainability
- National federations are all working to solve the same problem their own way
- There are opportunities to share costs by sharing solutions
- Make global interfederation more sustainable by providing individual federations a solution or common message for the human trust piece
- Challenges
- A potential threat: it may not be easy enough to get the “little amigos” onboard. Need to make it easier for new players to onboard to federation
- It’s complex for new players to engage with R&E federation because there are so many different pieces.
- There are inconsistencies. Why do I call? Who can tell me?
- There’s a community that needs things (like SAML) to be simpler than they are right now
- There are also issues around overall value, we need a better pitch to make the value more apparent and simpler to grasp
- Jeremy noted that Instructure is exploring ways that a non-native institution user could authenticate from Canvas, creating handshakes.
- Use case:
- Example: institution A pays for a service, a textbook provider
- Student from institution B takes class at institution A.
- Instead of needing a new account to get access to the textbook resources, student uses credentials from Institution B to access resources at institution A.
- Institution A would register with Canvas their interest in supporting that.
- Institution A and B trust each other for this pool of authenticated users.
- Authorization broker function
- Libraries have a similar pattern to the above use case.
- How to get access control done
- There will be a lot that goes into managing access
- This is federation on a small scale.
- Not the whole InCommon federation, a smaller piece
- Privacy issues:
- There are cases of bulk loading data to SPs that are invisible to the federation user; they don’t know about the whole data set and how it's being used.
- What is the trust being projected from academia? Can we do better?
- Are we protecting our population as well as we could be?
- Privacy concerns with crossing national boundaries.
- Organizations send a lot of attributes, some of which are not used.
- Sometimes there is an explicit trust contract
- Often there is no contract, especially in academic and research endeavors
- Rob and Les may reach out to Tom and Judith about next steps where CACTI can be of help to the Federation 2.0 effort
- Thanks for a good conversation.
Next CACTI Meeting: Tuesday, May 25, 2021