CTAB call Tuesday, June 15,  2021

 Attending

• David Bantz, University of Alaska (chair)  
• Brett Bieber, University of Nebraska (vice chair) 
• Pål Axelsson, SUNET  
• Ercan Elibol, Florida Polytechnic University  
• Richard Frovarp,  North Dakota State  
• Jon Miner, University of Wisc - Madison  
• Chris Whalen, Research Data and Communication Technologies 
• Jule Ziegler,  Leibniz Supercomputing Centre  
• Robert Zybeck, Portland Community College  
• Tom Barton, Internet2, ex-officio 
• Johnny Lasker, Internet2  
• Albert Wu, Internet2  
• Emily Eisbruch, Internet2  

Regrets

• Rachana Ananthakrishnan, Globus, University of Chicago  
• Eric Goodman, UCOP - InCommon TAC Representative to CTAB 
• Meshna Koren, Elsevier
• Andy Morgan, Oregon State University
• John Pfeifer, University of Maryland  
• Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
• Ann West, Internet2
• Kevin Morooney, Internet2

Discussion

• Intellectual Property reminder   

Working group updates

• REFEDS Assurance Working Group https://wiki.refeds.org/display/GROUPS/Assurance+Working+Group    
  
  • • The RAF 2.0 draft
      
      •  addresses identity proofing component, how to make it more understandable, easier to use, 
        
      • now refers to existing standards, such as Kantara, hope to define our own criteria, 
        
      • the current RAF 2.0 draft includes a similar approach as SIRTFI.  
        
    • Discussed record retention
      
    • Standards like Kantara, eIDAS, IGTF
      
    • Rearrange conformance criteria, 
      
    • refers to Baseline Expectations, 
      
    • hope to highlight that in more detail and move that section up in the document
      
      
• REFEDS MFA subgroup  
  • no report
    
    
• Assured Access Working Group 
  • https://spaces.at.internet2.edu/display/aawg/Assured+Access+Working+Group
  • Draft REFEDS Assurance Framework Implementation Guidance for the InCommon Federation Is still open for community consultation

• • Will wait until consultation is closed to make the updates
  • Next step: get the Assured Access Working Group back together to review the consultation feedback

Deployment profile and Adoption Analysis 

• • The  SAML V2.0 Deployment Profile for Federation Interoperability was published  in 2019
  • Intention was that it would be adopted, but it was not specified what adoption meant
  • There is huge variation on adoption, for example:
    • Clock Skew --- has been adopted
    • Log out ---  There have been complications  and adoption has not happened
  • The SAML2 Adoption Analysis document is being developed by InCommon TAC
    • https://docs.google.com/document/d/1M8Ivzl-yQfoiFEazKcctyssq-ziWHegqp-gbf6xtijA/edit#heading=h.npeaippurhs looks at the Deployment Profile
  • There are 3 sections of the SAML2 Deployment profile
    • • Common Requirements
      • IDP Requirements
      • SP Requirements

• • InCommon TAC Adoption Analysis looks at each section/statements and analyzes it for suitability for adoption
  • Assesses how feasible it is to adopt given today’s climate
  • Recommendations on:
  • 1. How soon should we adopt 
  • 2. How adoption should take place, what it should look like
    • InCommon TAC is spinning up a Testing working group to provide recommendations around this
    • Some items, such as related to metadata, can be enforced
    • Some are testable through testing tools
    • Some statements are not testable 

• • Some of the content may be useful within Baseline Expectations
  • Example: In Baseline Expectation : “your entity follows the standard of current security practices,”
  • some of the issues in the Deployment Profiles might connect to that
  • But others items (for example, log out behaviors) may not rise to level of Baseline Expectations
  • CTAB should become familiar with the deployment profile
    
    
  • For IDP as a Service,  technical details will be needed
  • TI.145.1
  • Deployment Profile provides a lot of what is needed in terms of expected best practices
  • For an IDP operator, if you are not configured perfectly, it’s OK, but we can point to this in examining disputes.
  • Question: which of the provisions of the Deployment Profiles are most likely to cause issues, perhaps around IDP as a Service?
  • Albert: Don’t anticipate issues, those participating in IDP as a service will comply
  • Wonder how Microsoft and OKTA will respond. 
  • Larger vendors may have a different perspective 
  • Not sure how campuses will respond to the Deployment Profile expectations
    • Depends on how we frame and position the Deployment Profile
  • Deployment Profile clarifies SAML 
    •  InCommon is a SAML federation, the Deployment Profile explains what we mean by SAML
  • There are some considerations around international
  • If InCommon deploys this but the rest of the world is not deploying this, it will become a conversation at some point
  • It would be worthwhile to compare this to edugain SAML profile   https://technical.edugain.org/doc/eduGAIN-saml-profile.pdf
  • Focus on metadata exchange
  • Difficult for a federation operator to test 
  • InCommon is a mesh federation
  • We don’t interact with the orgs directly
  • Albert: Found some gaps in the Deployment profile as we reviewed it
  • Some R&E specific elements were omitted from the SAML deployment profile
  • There was intention for the working groups to go back and “tailor” 
    • But that has not occurred
  • Does not include non SAML issues such as attribute exchange
  • Does not address higher level stack issues, such as MFA behavior
  • Status on IDP as a Service Effort
    • Albert and Ann are working on program description of IDP as a Service
    • IDP as a Service is NOT a program where we operate a single IDP
    • It’s a program where we invite vendors to meet certain criteria so they can offer qualified solutions
    • Goal is that a handful or more of vendors will offer and IDP as a Service 
    • We need requirements and then we need criteria to measure success
    • Hope to launch IDP as a Service as part of the InCommon Catalyst program
      • https://incommon.org/community/catalyst/
      • Vendors who’ve expressed interest in supporting federated single sign on
      • InCommon Catalyst Program has worked out legal and procedural issues
      • Still some details to work out
    • Example: how to deal with roles and responsibility trust relationships with cloud provider in the middle
    • In order to scale, the vendor running IDP as a Service would want to have direct access to update certificates
    • We don’t have a friendly way to enable that today; need to work that out
    • Hoping larger vendors will start to pay attention and participate, more details and clear details will make it more attractive 
    • Will be interesting to use this deployment profile with NIH
    • Some chicken and egg problem, need broad adoption
    • NIH hopes to finalize new login service by end of July 2021
    • Adoption Analysis Report is being prepared by InCommon TAC for InCommon Steering review in July
    • Will there be a Community Consultation for this SAML Profile Adoption Analysis? Not sure
    • David: we should add to our CTAB agenda reports on IDP as a Service and on the the SAML profile adoption analysis

• Early responses (if any) to Baseline Expectations v2 letter to Execs & Site Admins 
  • Letter on BE v2 is scheduled to be sent out this week. 

Next CTAB Call : Tuesday, June 29, 2021