CTAB call Tuesday, April 6, 2021


  • David Bantz, University of Alaska (chair)  
  • Brett Bieber, University of Nebraska (vice chair) 
  • Pål Axelsson, SUNET  
  • Tom Barton, University Chicago and Internet2, ex-officio  
  • Ercan Elibol, Florida Polytechnic University  
  • Richard Frovarp,  North Dakota State 
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB 
  • Meshna Koren, Elsevier  
  • Jon Miner, University of Wisc - Madison  
  • Andy Morgan, Oregon State University  
  • John Pfeifer, University of Maryland   
  • Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio  
  • Chris Whalen, Research Data and Communication Technologies 
  • Jule Ziegler,  Leibniz Supercomputing Centre  
  • Robert Zybeck, Portland Community College 
  • Johnny Lasker, Internet2  
  • Kevin Morooney, Internet2 
  • Ann West, Internet2  
  • Albert Wu, Internet2  
  • Emily Eisbruch, Internet2 


  • Rachana Ananthakrishnan, Globus, University of Chicago  


Updates from Federation Operators /BEv2

    • Albert is updating Baseline Expectations wiki  weekly, typically on a Monday
    • https://spaces.at.internet2.edu/display/be
    • As we send out email notices around BEv2, we see a surge of actions and activities in response
      • This tapers off after about a week or two
    • Sent another round of email notices today
    • 17% of orgs meet BEv2, without endpoints being measured
    • About half of entities have Error URLs
    • This week we will start adding data from the endpoint scanning
    • Criteria for measuring SSL scores/ TLS scores evolves over time
    • With SSL scores evolving, it's hard to know how long being in compliance will last 
      • Note that contact info can go stale (become inaccurate) over time also
    • What's the best way to handle entities that don’t meet the “A” score in SSL/TLS testing?
    • Went through requirements with developers this week
    • There is a plan to add info to Federation Manager dashboard to display whether an entity is in compliance w BEv2
    • This will simplify email outreach, we can point to the dashboard

Updates from Kevin Morooney 

    • There was an Internet2 board meeting on Friday last week
    • Kevin spoke about changes NIH is making and what InCommon is doing to facilitate those changes
    • A board  member brought up baseline expectations
    • Kevin provides regular updates on CTAB’s work to Howard Pfiefer, Internet2 CEO

 Working Group Updates

    • Assured Access WG updates
      • Assured Access Working Group wiki
      • Progress is being made on Assured Access draft document
      • Hope to finish draft within a few weeks
      • Several CTAB members are participating
      • Developing a great set of content for those who want to dig in
      • A checklist might also be helpful
      • Concrete recommendations for a campus
      • Group discussed Identity assurance process that NIH needs
      • There's a multi-step process
      • Don’t get to NIST IAL 2 in a single step
      • Kyle Lewis has made important contributions
      • Chris W: Kyle also bringing helpful info back to the NIH team around identity assurance
      • There’s been discussion of login.gov as the alternative
      • However, login.gov is challenging for onboarding new users
      • REFEDS assurance framework from an IDP is going to be much easier for scientists to use versus login.gov
      • Hope to share the draft with the upcoming IAM Online

    • REFEDS MFA subgroup updates
      • REFEDs assurance group is spinning  up a REFEDS MFA subgroup
      • Time sensitive group
      • Hope to get this moving by middle to end May, in time to   have recommendations in time for the new eRA requirements  

    • REFEDS R&S WG - Jule
  •  InCommon Steering updates
    • Kevin: InCommon Steering meets monthly.
    • Met for two hours off cycle in January to do work plan for year
    • Has decided to add a few more meetings
    • Will focus on how we communicate the value of what we do in R&E Federation

  • InCommon TAC Updates
    • There have been Zoom certificate update discussions
    • HECVAT (Higher Education Community Vendor Assessment Toolkit)
    • https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
    • Common software evaluation checklist , ways of improving how it captures SAML compatibility
    • Institutions share their assessments of vendors
    • Making questions more specific and relevant 
    • There may be a subcommittee to work with  HECVAT and propose changes
    • Ongoing conversation around OIDC and the relevance of OIDC at Federation level

  • R&S Focus Sub Group update
    • The proposed new sub group is In the works
    • Andy and Rachana chatted with Tom and Albert
  • NIH community  events
    • April 1, 2021- Office Hour
      • there were 74 attendees
      • We got to the end of the questions from attendees
      • Questions like “I don’t have Shibboleth”,  what do I do?
      • What about Azure? 

    • Upcoming IAM Online Webinar https://incommon.org/academy/webinars/
      National Institutes of Health and Identity Management Requirements
      Wednesday, April 14, 2021   2 pm ET | 1 pm CT | Noon MT | 11 am PT

Discussion around NIH Requirements

  • Shib 4.x SAML proxy has some ability  to function as proxy and help Azure navigate MFA
  • Does not solve problem of campuses that don’t agree to gateway product
  • Should make it easier for orgs using ADFS or Azure  
  • REFEDs MFA subgroup work may also be helpful
  • It makes sense to share what can and can’t be done, e.g. stay away from expressing preferences on what’s technically superior
  • Baseline Expectations versus NIH requirements
    • There's some confusion about Baseline versus NIH requirements
      • Need clearer messaging
    • Some early adopters are still using outdated approaches
    • At   webinar on April 14, there will be mention of baseline and also NIH work
    • Perhaps use pyramid graphic Tom created comparing Baseline versus NIH
    • Emphasize it’s a journey
    • Albert: Baseline is foundational requirement for being part of InCommon Federation
    • NIH requirements are not a federation ask; its an NIH ask, we don’t want to say that though, NIH requirements can grown larger than NIH
    • Why not make NIH a new category? Have considered this
    • It’s a matter of timing, right now NIH is asking for new requirements
    • In the future, we can establish research collaboration standards
    • That would take more time
  • NIH pubmed just published new set of FAQs 
  • States that by June 2021 they will favor federated credentials
  • If you have federated SSO it will work fine
  • With Sept 2021 deadline from eRA, it’s not a cliff you fall off of; It’s a bump
  • For an InCommon organization that’s not ready for Sept 2021, researchers use login.gov but then can migrate back to federated credentials

Updates on TLS Scoring (Office Hour prep)

  • Scoring components and remediation table
  • This table is to help people understand their SSL grade, how to remediate, and what are consequences
  • DECISION: ScheduleBEv2  Office Hour at next scheduled CTAB call - Tuesday, April 20, 2021 
  • We will get news out in as many channels as possible

  • Orchestrating communication 
    • clarify NIH vs BE vs R&S (2.0?) asks
      Community bandwidth to digest / do work

Next CTAB Call, Tues. April 20 will be converted to an open office hours call



  • No labels