InCommon Steering and TCIC Joint Meeting
May 16, 2016
Klara Jelinkova, Rice University
Dennis Cromwell, Indiana University
Michael Gettes, Penn State
Ted Hanss, University of Michigan
Sean Reynolds, Northwestern University
Pankaj Shah, Texas LEARN
Dave Vernon, Cornell University
Ann West, Internet2
Melissa Woo, Stony Brook University
Steve Carmody, Brown University
Chris Spadanuda, University of Wisconsin-Milwaukee
Tom Barton, University of Chicago
Dennis Cromwell, Indiana University
Eric Denna, University of Maryland
Tracy Futhey, Duke University
Ron Kraemer, University of Notre Dame
John O’Keefe, Lafayette University
Kelli Trosvig, University of Washington
Kevin Morooney, Internet2
Steve Zoppi, Internet2
Emily Eisbruch, Internet2 (scribe)
Mike Zawacki, Internet2 (scribe)
Note that this is the first joint meeting between InCommon Steering and the TIER Community Investor Council.
eduGAIN Update (international interfederation)
Background information at www.incommon.org/edugain
Ann provided background information about eduGAIN and InCommon’s adoption and integration process. In short, eduGAIN is a federation of federations, allowing individuals from any of those federations to access a service in any federation. This enables and simplifies international collaboration.
InCommon signed a lightweight legal agreement with eduGAIN, then made changes to the InCommon Participation Agreement (PA) to reflect the new international scope. The process for changing the PA (as defined in the PA) involved notifying each InCommon participant of the changes, which would take effect 90 days after the notification. The strategy was to make only the changes necessary for eduGAIN, making it relatively easy for participants to accept.
Since the goal is to make things seamless for scientists, researchers, and faculty, by default all Identity Providers are exported to eduGAIN (they can always opt out, if they choose). Since many Service Providers are not international in scope, they must opt in to be included in eduGAIN. To date, 24 IdPs have opted out of export and 115 SPs have opted in.
InCommon completed eduGAIN integration February 15, 2016. All participants accepted the revised Participation Agreement (although NSF is still operating under a memorandum of understanding, which was signed when they first joined InCommon; we are working with them on signing the standard PA).
eduGAIN integration resulted in a significant increase in the size of the metadata file that InCommon now imports and distributes. For example, the number of identity providers increased from 424 to 1,991.
InCommon managed the adoption of eduGAIN in a deliberate way, with an extensive communications plan aimed at various target audiences. We tried to make the process very clear and transparent, then we did a survey afterwards to determine reactions and perceptions. The main lessons learned:
- The eduGAIN rollout worked well
- We can effect large-scale change in a relatively short time period
- It takes a lot of work
Comment: InCommon is good at making these complicated and powerful tools easily available. People on campuses don’t understand the capabilities we’ve brought them. It is incumbent on all of us to communicate. It would be helpful to craft a few simple bullets to lay out the ongoing benefits of eduGAIN.
Update on Shibboleth Consortium
Steering and TCIC received a briefing on the structure and purpose of the Shibboleth Consortium, which is the independent organization that is responsible for the Shibboleth software. The consortium owns the Shibboleth intellectual property. The key point is that Internet2 does not own Shib, but does have input and has a seat on the board. (More information is at https://shibboleth.net/consortium).
The consortium is funded through membership fees paid by NRENs (National Research and Education Networks like Internet2), academic and non-profit organizations, and commercial companies. There are currently 21 members of the consortium. Fees are based on size or revenue, and members become a principal member by paying an additional fee. Principal members automatically have a seat on the board. Member fees fund 2.5 - 3.0 FTE positions to develop the Shibboleth software.
There are three principal members - Internet2, JISC (the U.K. federation), and SWITCH (the Swiss federation). Internet2’s board member has been Shel Waggener, but that has changed to Steve Zoppi (with Kevin Morooney as the secondary member). In addition to the principal members, the board consists of a developer representative (Scott Cantor), and two member representatives. JISC is the manager of the consortium, and Internet2 manages the financials. Internet2 also contracts with Ohio State and Georgetown for the U.S. developers.
Concerns and Challenges
InCommon and TIER have a heavy reliance on Shibboleth, but the Shib Consortium is significantly under-resourced. The Shib developers have only roughly 15% of their time to do new work on the software; the rest is maintenance and support. This is not sustainable, particularly with TIER development and the desire for new features.
Potential solutions include:
- Internet2 and/or InCommon providing additional resources to the consortium
- Individual institutions join the consortium, thus providing additional resources
- Internet2/InCommon could employ additional developers and assign them to the Shibboleth project
- Internet2 could employ developers (or solicit campus developers) to fork the Shib code, then create a company around that version of Shibboleth that is tailored to InCommon and TIER. Internet2 would control this branch of the code.
There was discussion about the long-term competitiveness of the Shibboleth software if other products enter the market. It will be helpful to think of InCommon as a SAML federation that is served by Shibboleth. It also may be that having a version of Shibboleth as a tailored piece of software for our specific needs is not a bad thing.
Finally, Kevin Morooney, Ann West, Steve Zoppi and Dave Lambert met on May 15 with the new leadership of JISC and discussed Shib Consortium and some of these concerns. The plan is to clarify the issues in writing and to continue the conversation at the upcoming TNC meeting in Prague.
Shibboleth Migration Issues
Institutions have been slow to upgrade to Shibboleth IdPv3 from IdPv2 (end-of-life of v2 is July 31, 2016). While InCommon has provided communications to its participants, there is concern that this has not been presented in a way to make the upgrade compelling. Some thoughts on communications:
- Public health analogy - everyone must stay healthy to ensure community health
- The SWITCH federation has experienced some breaches
- Idea: The CILogon newsletter has started to list those IdPs that do not release the necessary attributes for its service provider (“wall of shame”) - maybe something similar?
A key question prior to communicating - what will happen to those not in compliance on July 31? Is the communication “it would be nice if you do this?” Or, “you must do this, or this will happen?” Ann has drafted some thoughts.
“Deep Dive” Summary
“Deep dive” refers to a meeting held in Denver in May 2016 involving four community members (John O’Keefe, Klara Jelinkova, Ron Kraemer, and Bruce Vincent) plus members of the Internet2 staff (Kevin Morooney, Ann West, Steve Zoppi, Dave Gift, and Ana Hunsinger). The purpose of the meeting was to consider the ever-growing trust and identity portfolio and look at a process for prioritization and identifying the gaps. An overview of the meeting is available.
InCommon Operations Review
An extensive review of the operational responsibilities of InCommon took place in September 2015. The InCommon Operations Report demonstrates a lack of capacity, as InCommon matures and moves from a “best effort” type of philosophy, to “this cannot fail.” In addition, InCommon is not staffed to support organizations that do not have the necessary technical staff and resources (the non-R1 campuses) to make things work.
InCommon Marketing and Segmentation Study, Phase 1
InCommon contracted with Covalence Solutions in December 2015 to conduct a marketing and segmentation study. This came about because of an apparent change in the demographics of the types of organizations now joining InCommon, their perception of the federation, and the potential need for greater support.
Some of the changing demographics include:
- Sponsored Partners represent the segment with the largest growth (in terms of percentage)
- InCommon engages higher ed and research organizations more than sponsored partners, since they represent our core mission
- The next 10 years may bring a need for greater focus on the sponsored partners
Ann reviewed the results of the first phase of the study, which focused on the result of internal interviews (that is, interviews with Internet2 staff and a few engaged volunteers).
Some general comments made during this presentation:
- The Certificate Service has played a significant role in the growth of InCommon. There are about 150 higher ed institutions that are participants and do not have an IdP in metadata
- That’s OK. Internet2 provides a valuable smorgasbord of services at a good price. So institutions may buy in for one part only
- Some campuses are unable to benefit from federation but would like to. Need an “EASY” button
- We are not that great at marketing, sales and support
- The marketing consultant developed three tiers related to readiness and likelihood of joining InCommon. He suggests targeting the top tier, setting a goal, and getting them into the federation.
- There is significant growth in the smaller sized sponsored partners
- The next phase will include “external” interviews around value proposition (some participants, some non-participants, some lapsed participants)
- Comment: If we bring in more high value SPs, this has a multiplier effect. That would be a different approach, since we have always recruited the campuses not the SPs
- Long term sustainability and viability
- Define integration “connection points” between campus and component
- Secure the deliverables and manage them consistently
- Make the suite extensible
- Establish best practices: connect and teach the community
There was a substantial discussion about the need for a process for prioritizing TIER work, a process for campuses helping to drive architectural decisions, and the level of resources necessary. Klara and Kevin will establish a small long-term strategy group to identify and explore such questions as:
- A prioritization process
- The number of FTEs needed, recruiting and paying for those people, and the time necessary for them to come up to speed on the project
- Alignment of services and continued evaluation of current and potential components
- Potential models for continued funding of TIER
- Potential models for continued development of TIER, including potential corporate partnerships
- Thoughts on messaging and gathering feedback from the community
- Risk analysis
Dave Lambert said he would like this discussion to take place prior to August.
Steering/TCIC also suggested a draft communication to inform the community about the results of this meeting.
Thanks to the first release we now better understand the problems in this space and are better positioned to create a longer term, sustainable model for TIER and InCommon to move forward. We will have a second release by year’s end. This release will be more iterative rather than a “big-bang” style release, and will proactively address the challenges we’ve identified and are now better equipped to anticipate. Shibboleth, which we rely on, is managed by an international Consortium, and TIER/InCommon needs to effect changes there. Shib isn’t a sidecar; it’s key. We will create a group of key leadership members to evaluate and advise on prioritization and long-term strategy for TIER and InCommon.