CACTI notes of Tuesday, September 28, 2021

Attending

Members

  • Rob Carter, Duke, (Chair) 
  • Les LaCroix, Carleton College (Vice-Chair)
  • John Bradley, Independent 
  • Matthew Economou, InCommon TAC Representative to CACTI
  • Stoney Gan, University of South Florida
  • Michael Grady, Unicon
  • Kevin Hickey, Detroit Mercy 
  • Marina Krenz, REN-ISAC 
  • Barry Johnson, Clemson
  • Chris Phillips, CANARIE 

Internet2 

  • Steve Zoppi 
  • Nicole Roy
  • David Walker
  • Kevin Morooney

Regrets

  • Marina Adomeit, SUNET
  • Netta Caligari
  • Ann West


Action item review

  • AI - Rob - reach out to JohnB and Shilen about the U2F issue. Action Item from Aug 3, 2021
  • AI - Rob, Les and Nicole - work on putting structure around the discussion of CACTI Spheres of Influence. Action Item from July 20, 2021
  • AI - Rob and Les - slot the user-centric identity topic into a future CACTI agenda. Action Item from March 30, 2021
  • AI - Rob - reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC. Action Item from March 16, 2021

Discussion

 Announcements and Updates

  1. Federation manager move to AWS October 11 (was Sept. 29)
    1. This is the Monday after CAMP, and the day before the next CACTI call.
  2. Committee nominations form availability
    1. Nicole expects Netta to distribute this the week before CAMP
  3. REFEDS meeting Thursday; 2022 work plan and strategy document (11:10 ET)

Community Update - Kevin Hickey - University of Detroit Mercy

As is true for most institutions, Detroit Mercy started with multiple services, each with its own identity silo. Significant developments include:

  • 2007
    • Decision to deploy Ellucian Banner w/ LDAP for other services, particularly Blackboard and web
      • Ellucian also provided calendar and email
      • AD was used for desktops and some mail.
  • 2015
    • Ellucian dropped email and calendar support, so Detroit Mercy moved those to Office 365
    • Also deployed Ellucian's Ethos Identity with OpenLDAP and CAS/Shib
  • Present (as of 18 months ago)
    • Moved identity to Azure AD w/ SAML
      • Also using Azure's 2-factor authentication (Duo would be a second potential failure point and additional cost).
    • Reasons were cost and existing support in Banner.
    • Azure AD is now the core of their identity system.
      • Can now join InCommon Federation, using Cirrus's Identity Bridge.
        • Shibboleth would have required in-house support.

Going forward, Grouper and Midpoint from the Trusted Access Platform look good for managing provisioning and authorization.

Discussion:

  • There really wasn’t any resistance to the decision to use Azure AD. It removed the need for multiple authentication (and 2-factor) solutions.
  • Chat from Chris Phillips: “@kevinH: there’s (to me) a lot of cost with the AADS just to do RADIUS. If you are Cisco there’s an ISE 3 infra to look at which means no need for the extra cost: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html. Additionally, the geteduroam.app cert SSO sign-in to get device certificates also skips this too — and is likely a stronger story and is beta.”
  • Detroit Mercy currently has ~85K people in Azure AD. All effectively have "A3" licenses.
  • Currently getting started with eduroam; may look at other RADIUS services. (Chris mentioned issues with Cisco)
  • Stoney mentioned the University of South Florida moved to Azure. Transition was without serious problems, as is operation.
    • Currently decommissioning Shib/CAS

Working Group Charter

Rob shared Mike Corn’s slides presenting survey results from the “Community IAM Collaboration” discussion Mike conducted with Ann West.

  1. Nearly 50% of the respondents are looking at hybrid on-prem/SaaS deployments, with ~25% each looking at on-prem only or SaaS only. (I.e., 75% wanted at least some SaaS)
  2. Regarding an architecture pattern, 42% are looking at mix and match, 21% AD, 13% single vendor, and 15% Trusted Access Platform
  3. Not much interest in replacing SSO, more on AuthZ, group management, guest management, etc.
  4. There were many answers to “If you could get one question answered regarding your IAM implementations, what would that be?” This could be good fodder for the working group.

We’ll want to consider what this means for our services going forward. Our next step is to figure out how to hand this off to a working group.

There was some discussion in the chat of the importance of SSO. It’s still important but not a current pain point. It’s a commodity, no longer something experimental that is still being developed.


Next CACTI Meeting: Tuesday, October 12, 2021