Page tree
Skip to end of metadata
Go to start of metadata


 Oct. 18, 2018 Open CACTI meeting 

At Technology Exchange in Orlando

12:10pm to 1:30pm ET

Oceana Grand Ballroom 11


  • Chris Philipps - CANARIE
  • Robb Carr - Duke
  • Jill Gemmel - 
  • Scott Koranda - tOSU
  • Michael Gettes - University of Florida
  • Marteen Kramers - 
  • Todd Higgins - 
  • Mark Schieble - MCNC
  • Les - 
  • David - GEANT
  • Hannah.... CERN
  • Nathan Dorrs - 
  • David - University of Alaska 
  • Jon Miner - UW Madison
  • Klaas Weirenga - GEANT 
  • Matt Brookover - Colorado School of Mines
  • Gabrie
  • Roland
  • Niels Van Dijk - 
  • Jim Basney - UIUC
  • Eric... 
  • Cristos... 
  • Kevin Morooney - Internet2
  • Ann West - Internet2
  • Steve Zoppi - Internet2
  • Nick Roy - Internet2
  • Shannon Roddy - Internet2
  • Dave Shaffer - Internet2
  • Erin Murtha - Internet2
  • Mike Zawacki - Internet2
  • James Babb - Internet2


Intellectual Property reminder

  1. Administrivia 
    1. Intellectual Property reminder
    2. Overview of CACTI for newcomers 
    3. Looking for feedback, guidance from the community
  2. Updates 
    1. eduPerson and MACE-DIR 
      1. Sign the yearbook poster in the ACAMP room. 
      2. Will have a sign-off ceremony. 
      3. Intend to preserve mailing list archives, other artifacts from MACE-DIR
    2. Developments around OIDC within R&E 
      1. Coverage throughout TechEx, ACAMP sessions
      2. OpenID Foundation WG created:
        1. Designed to keep track of activities within the community. 
        2. Strategic way to get R&E viewpoint into the technology
        3. Seeking feedback from community, fill in gaps in work
  3. Main Business
    1. initial draft FIM4R gap assessmentundertaken by CACTI (chartered by Kevin)
      1. Consultation document available on Internet2 wiki (link here). Please lend your thoughts there. 
      2. Overview: Moving from FIM4R recommendations to assessment. 
      3. Iterative process to complete the gap analysis. Had ~10 gaps; send prioritized list to I2 with gaps to later turn into digestible recommendations. Kept working through this process and ultimately discovered the key was collaboration. 
        1. TIER components meet service need but not implementation
        2. Universities support science as part of their mission, which is a team project spanning institutions. All scientists need this.
        3. Smaller institutions don't have the resources to build a complex infrastructure but they still need to be able to participate, collaborate
      4. Worked with subgroup in CACTI to develop this document along with Nick Roy and David Walker.
      5. Recommendations
        1. Support collaboration-as-a-service. 
          1. Provide IdP-as-a-service
            1. Niels: Not surprised by this requirement for smaller orgs, but larger one wouldn't need it. Is there competition with commercial/3rd party providers?
            2. A: Competing IdP service may not support R&S, wouldn't be able to offer the level of assurance as solutions that come from academic environment
            3. Nick: Need to be clear between IdP as a Service and IdP of last resort. Niels seems to be speaking to the latter
            4. Q Klaas: Is the idea that you are concerned with attributes for all services, or just the ones the campus uses
              1. Eric Goodman: Both in the recommendation, but IdPaaS is SAML based, talks to a school's identity server. 
            5. Q Christos: The hope that we could get away from manage individual accounts, move to federated accounts.
              1. Chris P: Speaks to the need for clarity, similar to IdPaaS vs. IdP of last resort discussion above. Need to define the service, make the scope & function clear. 
              2. Jill: Addresses long tail schools
            6. Q Niels: I encourage I2 to spin up a collaboration platform. You aren't the only ones doing this work - suggest looking at/participating in work ongoing in the EU (e.g. AEGIS Group) 
              1. Jill: Yes - I2 should take a more proactive role in fostering international collaborations is a recommendation in the report.
            7. Michael: Be mindful of classifying this as a solution gear toward the "long tail" could create confusion, concern at R1 level. 
              1. Jill: We were hoping that by raising Baseline Expectations (BE) to include FIM4R requirements in the future. Review and revise in future BE.
            8. Scott: Hesitate to be too agressive re: R&S. If we want R&S to reflect updated practices we may want to put that first. Or decide on how to future proof R&S first. Should decide which to go with. 
              1. Scott: Example would be move between SAML versions
            9. Jim: Concerned about sentiments expressed in document that CILogin isn't sustainable. I encourage discussion on that topic. 
              1. Jill: Agree. We were trying to be provocative, 
              2. ...: Part of the problem is the "Post-Jim Basney" approach. If it's in the critical path then we need a roadmap for how it will be sustained by more people than just Jim. 
              3. Gabriel:Not clear in the wording why an IdP as a service is needed.
                1. Jill: Ok, we can look at this - part of earlier discussion and will readdress it.
              4. Niels: If we're doing a gap analysis then need to consider the above carefully. It's a gap. 
            10. Jill: Anyone see anything missing? Or misstated? Please review the doc and reach out if you see anything. 
              1. Scott: I think there are some assumptions about the SP side, their functionality & behavior. Could be worth calling out more explicitly. For example BE needs to be defined for SPs. 
            11. Gabriel: Oblique references made to OIDC, but isn't called out explicitly. Seems like it should be dealt with more directly. 
              1. Chris: What's your suggestion there?
              2. Gabriel: I get that it's a gap analysis, so I get hat some things don't need to be called out. 
                1. Scott: Guessing the assumption is that problem right now is solved with proxies. We could just say that. We don't feel like there's a need to move all SAML architecture to OIDC. Maybe we just say that. 
                2. Eric: Isn't this addressed by the requirement for periodic review? 
                  1. Jill: yes, I think so. Also, as Chris has mentioned that CACTI is looking at OIDC and what does it mean for the current and future architecture. Looking at schemas, etc. We don't have a path forward to recommend yet. We suggest documenting current best practices for things not handled well by SAML. 
                3. Scott: Question is what's the gap around OIDC. If the need is being met by proxies then we can just say that. If that's not true then we're missing something. 
                4. David: We deliberately avoided protocol discussions. Trying to separate needs from methods. So the obliqueness was intended
                  1. Scott: Developers will read into it, draw their own conclusions, could cause confusion. 
                5. Gabriel: Seeing some things missing. SIRTFI, etc. Feels like it needs another pass 
                  1. Jill: this is the very first draft; we have more work to get the rest of the way there. The folks drafting the paper need to have a conversation whether mentioning OIDC with proxy is best practice or address this differently. 
                  2. Gabriel: What we (IdP operators) need to do is summarize the state of things on our end
                  3. Chris: we felt that we got that. If you still feel that there's a gap, then we need to address that.
                  4. Gabriel: Sometimes language in the draft is generic, doesn't go into detail. 
                  5. Chris: so some of those things are fortifying activities
                  6. Niels: I wondering if it would be prudent to put some timeline in here. 
                  7. Hannah: I like the paper as is, appreciate that you're going the recommendations route rather than needs & solutions route. 
                    1. Jill: we were asked for recommendations to Kevin, and it needs to be at an executive level for messaging and research prioritization as recommended by the community. We could have a more global discussion.
                    2. Chris: Section later in paper addresses this, too. I think the points above reinforce the need for international collaboration. 
                  8. Warren: FIM4R is aware that we're only addressing one particular stratum (via InCommon). Question is how the work gets done across all stratum. 
                  9. Also think this is very useful and good; FIM4R community will appreciate the feedback as well. Better than the version one paper. (smile)
            12. Chris: Encourage everyone to continue to comment. Comments are open for the next 30 days. 
                1. Shannon: Did search through for security, but there's a gap. Seems there's room for proactive security assessments 
                2. Jill: we recommend making SIRTFI part of BE. It was established as European communication channels; needs detail who should make contact.
                3. Shannon: Had a couple of occasions to share security information, but difficult to find the right people effectively. 
                4. Jill: encourage Shannon to review and give feedback
              1. Chris: first document we've done like this and we're leveraging new territory. So, Shannon, we rely on working groups below us. We have some gaps, and we want to work with you to help augment our knowledge in this space. CACTI wants to keep T and I workspace current. We need to be in front of the community in a proactive way. Other gaps?
            13. ? - It's hard for InCommon to reach out to campuses. How do we know that our staff's time is well spent by participating in these discussions/developemnt
              1. Chris: We speak to need to fill talent gap. 
              2. ? - I'm speaking more to a management gap
              3. Gap between researchers and IT staff on campuses. We need campus leadership to get these people talking and making it a priority to collaborate with identity folks.
              4. Jon - We want to participate, but sometimes get pushback from our leadership unless someone else internally (researchers, etc) are actively pushing for something. 
              5. Davis - FIM4R can't necessarily resolve that. However, would like to bet that all researchers have a similar problem. Research these days is collaborative and solving some of these problems. 
              6. Vast number of researchers don't know that they need to ask for federated identity. 
              7. There's a communications gap between us and the researchers. They don't have much/any expertise on the topic of IAM. 
              8. Ann: need much more broadly represented set of researchers in the government. Harness their contacts and ideas.
                1. Some of the best outreach for InCommon is putting RS, BE into CCR solicitation. 
                2. Key to integrate research into advisory groups.
          2. Aggregate existing resources
          3. Domesticate new appliances
          4. Create an I2 "virtual office" or "non-profit marketplace"
          5. CILogin seemed like a good fit, but needs more stable sustainability base. 
          6. Rigorous promotion of current pilots that are using COmanage to replace parent/affiliate guest account approaches
          7. Non-web applications (e.g. ssh) not well supported; focus on promoting best practices.
        2. Increase focus on sustainability practices
          1. Routine assessments of Trust and Identity 
      1. Q and A
    2. Call for Topics
      1. What is a priority for YOU we should be talking about?