CACTI Call, Tuesday, May 11, 2021

Attending

Members

  • Rob Carter, Duke (Chair)
  • John Bradley, Independent
  • Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
  • Matthew Economou, InCommon TAC Representative to CACTI
  • Kevin Hickey, Detroit Mercy
  • Marina Krenz, REN-ISAC
  • Jeremy Perkins, Instructure

Guests, Co-Chairs of the Federation 2.0 Working Group (of REFEDS)

  • Tom Barton, Internet2 and University of Chicago
  • Judith Bush, OCLC 

Internet2 

  • Steve Zoppi
  • Emily Eisbruch

Regrets

  • Margaret Cullen, Painless Security
  • Les LaCroix, Carleton College (Vice-Chair)
  • Marina Adomeit, SUNET
  • Stoney Gan, University of South Florida
  • Michael Grady, Unicon
  • Barry Johnson, Clemson 
  • Chris Phillips, CANARIE 
  • Bill Thompson, Lafayette College
  • Kevin Morooney, Internet2
  • Ann West, Internet2 
  • Nicole Roy, Internet2


Pre-Read Materials

  Action items from March 30, 2021

  • AI - Rob and Les - slot the user centric identity topic into a future CACTI agenda
  • AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community (ongoing)

  Action items from March 16, 2021

  • AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
  • AI - Rob reach out to leaders of the MidPoint/Banner Integration working group to talk with CACTI re: Banner (AnnW did intro with MattB). (Note: the Banner WG is folding into the MidPoint WG)

Discussion


Announcements

  • CAMP week call for proposals deadline has been extended until Friday, May 14
  • CACTI has submitted two proposals for CAMP week
    1. CACTI exchange with the community (town hall)
    2. Secrets management, security and trust (will also be discussed at July IAM Online)


Work of the Federation 2.0 working group within REFEDS
https://wiki.refeds.org/display/GROUPS/Federation+2.0

  • Intros of Judith Bush and Tom Barton and the work of the REFEDS federation 2.0 working group
    • Tom Barton
      • U. Chicago and Internet2
    • Judith Bush
      • OCLC, a library consortium
      • Involvement with IAM started around 2008
      • Involved with the InCommon and REFEDS communities, worked on the Deployment Profile
      • Serves on InCommon TAC
  • Kevin Morooney has suggested that perhaps CACTI will provide some response/feedback based on the Federation 2.0 working group report.
  • History of Federation 2.0 effort
    • Tom noted that discussions with Roland Hedberg around the OpenID Connect Federation spec led to the idea of Federation 2.0 work
    • Tom proposed a Federation 2.0 WG to REFEDS.
      • It was not initially accepted, but things evolved well.
  • The current Federation 2.0 effort recognizes that we can’t take for granted the persistence of R&E Federation.
  • There is a lot of good to be enabled by the continued existence of R&E Federation. 
  • Looking at what needs to happen, what strategies and actions are needed, for R&E federation to continue.
  • The term "academic interfederation" is useful. Global scale is key to the value.
  • It is challenging to make things happen across all the federations globally
  • eduGAIN (https://edugain.org/) is a technology for interfederation; it is not about organization, leadership, or leading the whole.
  • What's needed is advocacy and representability; there is a need to scale across domains
  • Leadership and outreach to tool builders, software implementers, and cloud providers is needed
  • Libraries and others need to support academic entities and also for-profits, for example biomedical companies.
  • Access control and trusting an authorization: in this area the academy has specific things to offer.
  • Question: What happened with the focus on OpenID Connect Federation?
    • Answer: OpenID Connect is just one technology
  • Issues are independent of protocol
  • The trust issues are bigger than any one technology
  • Are identity providers “claim providers”?
  • How do you provide the trust?
  • Individual who has been authenticated has primary relationship with the SP
  • Organizational access control: let this person use my license for this thing
  • Different trust structures
  • How to do permission and access control in the cloud?
  • May need finer-grained control
  • Do we appeal to new leadership to engage in the academic domain?
  • Provides scope and vitality
  • The trust underpinnings that federation has built can be applied outside traditional use cases such as SSO
  • Maybe there are other benefits? Such as verifiable credentials
  • Trust to be applied towards “who is the authority appropriate to issue claims about this particular thing?”
  • Tom: we are not building solutions
  • There is a group member affiliated with NIST, there are many opportunities
  • Need to address: what is it about federated operations that engenders trust?
  • Some of the extra-academic areas may have the concern of whether they are willing to rely on the trust framework

  • Sustainability
    • National federations are all working to solve the same problem their own way
    • there are opportunities to share costs by sharing solutions 
    • make global interfederation more sustainable by providing individual federations a solution or common message for the human trust piece
  • Challenges
    • A potential threat: it may not be easy enough to get the “little amigos” onboard. Need to make it easier for new players to onboard to federation
    • It’s complex for new players to engage with R&E federation because there are so many different pieces.
    • There are inconsistencies. Who do I call? Who can tell me?
    • There’s a community that needs things (like SAML) to be simpler than they are right now
    • There are also issues around overall value; we need a better pitch to make the value more apparent and simpler to grasp
  • Jeremy noted that Instructure is exploring ways that a non-native institution user could authenticate from Canvas. Create handshakes.
  • Use case: 
    • Example: institution A pays for a service, a textbook provider,
    • Student from institution B takes class at institution A.
    • Instead of needing a new account to get access to the textbook resources, the student uses credentials from Institution B to access resources at institution A.
    • Institution A would register with Canvas their interest in supporting that.
    • Institution A and B trust each other for this pool of authenticated users.  
    • Authorization broker function
  • Libraries have a similar pattern to the above use case.  
  • How to get access control done
  • There will be a lot that goes into managing access
  • This is federation on a small scale.
  • Not the whole InCommon federation, a smaller piece
  • Privacy issues:
    • There are cases of bulk loading data to SPs, invisible to the federation user, they don’t know about the whole data set and how it's being used.
    • What is the trust being projected from academia? Can we do better?
    • Are we protecting our population as well as we could be? 
    • Privacy concerns with crossing national boundaries.
    • Organizations send a lot of attributes, some of which are not used.
  • Sometimes there is an explicit trust contract 
  • Often there is no contract, especially in academic and research endeavors

  • Rob and Les may reach out to Tom and Judith about next steps where CACTI can be of help to the Federation 2.0 effort
  • Thanks for a good conversation.


Next CACTI Meeting: Tuesday, May 25, 2021
