CTAB call January 26, 2021


Attending

  • David Bantz, University of Alaska (chair)
  • Brett Bieber, University of Nebraska (vice chair)
  • Pål Axelsson, SUNET
  • Rachana Ananthakrishnan, Globus, University of Chicago
  • Tom Barton, University of Chicago and Internet2, ex-officio
  • Ercan Elibol, Florida Polytechnic University
  • Richard Frovarp, North Dakota State
  • Eric Goodman, UCOP, TAC Representative to CTAB
  • Meshna Koren, Elsevier
  • Jon Miner, University of Wisconsin-Madison
  • Andy Morgan, Oregon State University
  • John Pfeifer, University of Maryland
  • Chris Whalen, Research Data and Communication Technologies
  • Johnny Lasker, Internet2
  • Kevin Morooney, Internet2
  • Ann West, Internet2
  • Albert Wu, Internet2
  • Emily Eisbruch, Internet2

Regrets

  • Jule Ziegler, Leibniz Supercomputing Centre
  • Robert Zybeck, Portland Community College
  • Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio

Action Items

  • AI (Brett): work with Albert to do outreach for the new Assured Access WG
  • AI (CTAB): provide a possible written response to the REFEDS Baseline Expectations Consultation prior to Jan 31, 2021
    • Update as of Jan 26: CTAB members should respond to the consultation as individuals if possible
  • AI (Albert): chat with Dean on whether we should expand the list of InCommon newsletter recipients (DONE)

DISCUSSION


CTAB/NIH Assured Access Working Group

  • Albert set up a wiki and email list for the new Assured Access working group
  • For the new Assured Access working group, still need to
    • Send out invitation
    • Doodle poll to identify best meeting time
  • AI (Brett): work with Albert to do outreach for the new Assured Access WG
  • Suggestion to inform all InCommon participants about the new Assured Access working group
  • Use the core group to set the meeting time, then inform the community and invite others

Discussions with NIH

  • TomB and Albert had a call with ChrisW and JeffE from NIH on Jan. 22, 2021
    • Notes from the call were emailed to the CTAB email list
  • eRA (Electronic Research Administration), which is part of NIH, will require MFA for all eRA users by September 15, 2021
  • To achieve that goal, eRA has been pointing users to login.gov, because their federated credentials do not support MFA
  • This brings a sense of urgency for our community to rally to support MFA
  • eRA uses an NIH gateway that NIH demonstrated at CAMP in 2020
  • If we speed up implementation to support MFA through that NIH gateway, we could have a substantial number of users able to use MFA and access eRA
  • eRA is one collection of services, accessed through the NIH login service
  • Previously, we had thought that by a certain date all NIH logins would need to have MFA, and by some other date all federated logins to NIH would need to meet identity proofing requirements
  • But due to the speed with which eRA is progressing, JeffE will pursue an approach to signal or filter, to allow eRA and other NIH services with specific and current MFA needs to use federated authentication from the NIH gateway by February
  • Will implement account linking
    • With this linking, if an eRA user gets login.gov credentials, but then subsequently their institution deploys MFA, the user could use either login approach
  • This is welcome news and provides more flexibility
  • Another service mentioned: RAS (Researcher Authorization Service)
  • RAS will have a data object called a Passport, with approvals affixed to allow access to services
  • RAS will be in the critical path for many researchers
  • The current NIH SP proxy does not support MFA, but it will soon
    • Still need login.gov for a few more weeks
  • The NIH login service supports a variety of different kinds of credentials (including login.gov). Each credential mechanism has a corresponding widget/tile
  • Each NIH service can decide which credential services to use and display those tiles


Concern around abandonment of federated login

  • Concern was expressed that most people will stick with login.gov to access NIH and that this amounts to an abandonment of federated login
  • Tom: eRA will promote federated logins; researchers will prefer to use their campus credentials
  • ChrisW: International institutions will need to get IAP from their institutions
  • Rachana: the advantages of the institutional credential must be emphasized
    • Globus had an IdP of last resort, and it's hard to get people to stop using it
    • It's important to be careful of policy enforcement around identity linking
    • Promote use of campus credentials, with login.gov as a last resort

Communications to the Community

  • eRA is more concerned with MFA
  • But assurance will be more important to other services like RAS
  • How to communicate this effectively?
  • Split out MFA as its own thread, independent of identity assurance?
  • Promote use of the REFEDS MFA profile
  • But also promote identity assurance overall
  • US Federal information systems (like those at NIH) still need to meet FISMA Moderate
    • Must use a FICAM-approved credential, though FICAM does not exist anymore
    • That was the NIST SP 800-53 Rev. 4 requirement IA-8
    • NIST Rev. 5 backs off on that
    • It focuses on AAL2 and open profiles that can be reviewed
  • In the short term there is a need to adapt to the change in demands of Federal information systems
  • We need to bring this up with the community and provide a roadmap

REFEDS MFA

  • Campuses should adopt REFEDS MFA quickly
  • So campuses can sign into eRA using their campus credential
  • Does the current REFEDS MFA profile need any adjustments?
    • Implementers need guidance on cases such as "what if my Duo is broken for 5 minutes?"
    • Fail-open versus fail-closed behavior is an issue
    • Native case: how to signal an individual MFA event
    • Forced MFA event
    • What's appropriate can be interpreted differently
    • Implementation will shine light on gaps and ambiguities in the profiles
    • That will clarify what needs to be updated in the profile in the future
    • CTAB should raise these issues and have the discussion with NIH
    • We can come to a reasonable agreement by the time this must be implemented
    • Same with any other standard or profile: there are things needing clarification
  • For the Assured Access working group charter, there was a suggestion not to include MFA
  • The Assured Access working group should focus on assurance
  • The REFEDS Assurance Working Group is working on MFA
  • ChrisW: concern about separating out MFA from the Assured Access working group scope
  • Some controls in the NIST spec require both assurance and MFA, and there is a possible NIH recommendation to combine them
  • For the September 15 eRA deadline, assurance is most important

Looking ahead to BEv2 activities in the next 6 months…

  • There is a template email for outreach to community members that are not in compliance with BEv2
  • An API is being used
  • The data will be used for a dashboard
  • We do not have SSL scoring yet
  • CTAB received an email asking whether the requirement for SSL security applies only to endpoints in metadata or, if an entity has other endpoints, whether it should apply to those as well
  • We can only check the endpoints that are in the metadata
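As an added illustration (not CTAB's or InCommon's own tooling) of what "we can only check the endpoints in the metadata" means in practice, the script below parses a constructed SAML metadata sample and lists endpoint Locations that are not https. The element list and the scheme-only check are assumptions made here; it does not connect to anything or grade TLS configuration.

```python
# Added example: list non-https endpoints declared in SAML metadata.
# Not CTAB/InCommon code; the metadata below is constructed for illustration.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Assumed set of elements whose Location/ResponseLocation attributes are
# the endpoints an encryption (https) requirement would be checked against.
ENDPOINT_TAGS = (
    "SingleSignOnService", "SingleLogoutService",
    "ArtifactResolutionService", "AssertionConsumerService",
)

# Constructed sample: an IdP with an https SSO and a plain-http SLO endpoint,
# plus an SP with a plain-http ACS endpoint.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def endpoints(metadata_xml):
    """Yield (entityID, element name, URL) for every Location or
    ResponseLocation attribute on the endpoint elements above."""
    root = ET.fromstring(metadata_xml)
    for ent in root.iter("{%s}EntityDescriptor" % MD):
        for tag in ENDPOINT_TAGS:
            for el in ent.iter("{%s}%s" % (MD, tag)):
                for attr in ("Location", "ResponseLocation"):
                    if el.get(attr):
                        yield ent.get("entityID"), tag, el.get(attr)

def non_https_endpoints(metadata_xml):
    """Return the endpoints whose declared URL scheme is not https.
    This inspects the URL only; it does not probe the TLS configuration."""
    return [(eid, tag, url) for eid, tag, url in endpoints(metadata_xml)
            if urlparse(url).scheme.lower() != "https"]
```

Endpoints an entity operates but has not published in its metadata are invisible to this kind of check, which is the limitation the question to CTAB was about.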

STOPPED HERE, DISCUSS MORE AT FUTURE CALLS:

  • Timed articles to provide guidance/advice on specific solutions/workarounds
  • Gauging the need for office hours?
  • Instrumentation / tracking progress

How do we incentivize adoption of research collaboration enabling/required specs?

  • MFA
  • R&S / additional entity categories / attributes work?
  • Assurance
  • Relationship to REFEDS WG efforts
  • Messaging to execs / non-IAM specialists

-------------------------------------------------------------------------

Teeing up for future call: Baseline Expectations 3 data points