CTAB call Tuesday, March 23, 2021
Attending
- David Bantz, University of Alaska (chair)
- Brett Bieber, University of Nebraska (vice chair)
- Pål Axelsson, SUNET
- Rachana Ananthakrishnan, Globus, University of Chicago
- Tom Barton, University Chicago and Internet2, ex-officio
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Meshna Koren, Elsevier
- Jon Miner, University of Wisc - Madison
- Andy Morgan, Oregon State University
- John Pfeifer, University of Maryland
- Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
- Chris Whalen, Research Data and Communication Technologies
- Johnny Lasker, Internet2
- Kevin Morooney, Internet2
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
Regrets
- Jule Ziegler, Leibniz Supercomputing Centre
- Robert Zybeck, Portland Community College
Intellectual Property reminder
New Action Items
- AI - Rachana and Andy will report back with proposed charter and name for the working group to look at issues around R&S
- AI - Andy, David, Albert will discuss issues around the community's endpoint requirement concerns before next BEv2 office hours
Older Action Item
- AI - TomB will take issue of a standard to tell the SP what they can report back to IDP when abuse is detected to SIRTFI working group and report back to CTAB
DISCUSSION
Update on Federation Operations / Baseline Expectations v2
- Targeted alerts for BEv2 were sent out to InCommon site admins last week.
- See blog https://incommon.org/news/federation-site-admins-receive-baseline-expectations-notices/
- Albert has begun plotting progress https://spaces.at.internet2.edu/display/be
- The data we have looks promising
- Note: The measurement we have is for SIRTFI and ERROR URL, not endpoints
- 55 orgs met BEv2 in January 2021
- 103 orgs as of last Friday
- 35 orgs updated in the last week since the targeted email announcement
- There have been questions around “what do I need to do to meet the requirement for SIRTFI?”
- Answer is “go into Federation Manager and check the Complies with SIRTFI box”
- See page 7 here
- There have been questions about TLS Scoring, and why grade of A is being required
- TO DO: CTAB should put out a statement on why we are requiring a TLS Scoring grade of A
- Some orgs have legacy apps that don't support TLSv1.2, they must support old browsers on campus
- There are cases where application server is incapable of current TLS
- Suggestion: CTAB should produce best practices, recommendation on how to handle use cases for supporting legacy apps
- e.g. Limit use of browsers in those application settings, install a 2nd browser
- There have been questions on ERROR URL, and what should the page look like
- Examples:
- https://errorurl-sp-demo.swamid.se/demo/idp-support-example.php?code=ERRORURL_CODE
- https://refeds.org/specifications/saml-v2-0-metadata-deployment-profile-for-errorurl-version-1-0
- Some community members would like something more than these examples provide
- Suggestions: Provide sample pages for IdPs to use as reference/copy from
- Implementation Guide
- There is an implementation guide for BEv2, but not many have read it.
- Albert has taken the implementation guide (from the Trust and Identity Document Repository) and made it into wiki pages, and there will also be an FAQ
- These wiki pages have been published along with NIH support materials
- Should we direct people to FAQ or to implementation guide?
- Albert: direct people to the cover page with links for both FAQ and implementation guide. Implementation guide is primary
- Preparing Responses to Common Questions around BEV2
- Before the next BEv2 office hours, CTAB should get together and discuss issues, such as around support for older apps, or around logging, browser and app limitations
- We can encourage community members to reach out to CTAB before office hours
- Our messaging should emphasize "Let's talk, we will help you find solutions"
- Possibly an org can still get a grade of A with TLS 1 if careful about encryption suites
- AI - Andy, David, Albert will discuss issues around the community's endpoint requirement concerns before next BEv2 office hours
Scheduling next BEv2 Office Hours
- Next CTAB BEv2 Office Hours could be at slot of one of the upcoming CTAB calls
- Would be helpful to have the Qualys SSL labs scanning in place before we address the issues related to endpoints
- Shannon R and Johnny will discuss issues around Qualys SSL labs scanning tomorrow
- It’s not always completely straightforward
- There are business logic issues
- For example, how to handle cases of unreachable, scan can’t complete etc.
- Suggestion to be reasonably forgiving
- Not yet ready to schedule office hours
- There will be an NIH Office hour on Thursday April 1
- InCommon has scheduled a second open office hour with representatives from InCommon and the National Institutes of Health to discuss the coming changes to the NIH electronic Research Administration (eRA) modules.
- The office hour will take place Thursday, April 1, at 4 pm ET, 3 pm CT, 2 pm MT, 1 pm PT
- Aim for CTAB BEv2 office hours 4 weeks from today?
REFEDS R&S Working Group
- There has been discussion about whether eduPersonAssurance and the REFEDS assurance framework should be added to R&S v2
- Some concern about lack of fit
- Heather F is trying to guide to consensus
- What does it take to seamlessly collaborate? It takes more than entity categories
- NIH is asking for a good sampling of the things needed to bundle together for a collaboration to work
- Includes authentication and identity assurance
- R&S Entity Category can signal support for attribute release
- Should it signal more?
- Authentication assurance and identity assurance are needed in many cases for collaboration
- If scope is not big enough to encompass minimum things that research orgs need to interoperate, then more is needed
- The more problems we try to solve with same tool, the more complex things get
- Some think of R&S as an attribute release mechanism
- In absence of specifying Research Assurance Framework as signaling, then what will work?
- Need to standardize on a means of signaling.
- How to get R&S more widely adopted within InCommon Federation?
Proposed new working group to tackle issues around MFA and R&S as part of BEv3
- Suggestion that Rachana lead a group to tackle the issues around MFA and R&S as part of BEv3
- Andy will co-chair this working group
- Hope for recommendations from this group
- They would liaise with the REFEDS R&S working group regarding R&S
- Revising the R&S spec should happen in the REFEDS R&S working group
- AI Rachana and Andy will report back with proposed charter and name for the proposed working group to look at issues around MFA and R&S as part of BEv3
For Future CTAB call
- Next steps around R&S / MFA / SA attribute bundles
- (related, new REFEDS entity categories) What about IdP products that are not “R&E” friendly, à la Azure AD, Okta, etc.
- Recipes on how to configure specific/popular IdP products to do xyz
- Where does consent flow fit in this?
- Working groups for detailed discussion, digesting, recommending on these topics?
- Would a “recipe book” for BE2 be useful?
Next CTAB Call: Tuesday, April 6, 2021