CTAB Call August 8, 2023

Attending

  • David Bantz, University of Alaska (chair) 
  • Warren Anderson, LIGO 
  • Tom Barton, Internet2, ex-officio 
  • Matt Eisenberg, NIAID  
  • Richard Frovarp,  North Dakota State  
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB  
  • Kyle Lewis,  Research Data and Communication Technologies 
  • Jon Miner, University of Wisc - Madison (co-chair) 
  • Andy Morgan, Oregon State University  
  • Kevin Morooney, Internet2  
  • Rick Wagner, UCSD
  • Albert Wu, Internet2  
  • Harsh P Biscuitwala from Alfa Jango,  in place of Johnny Lasker, Internet2 
  • Emily Eisbruch, Independent, scribe  


Regrets

  • Pål Axelsson, SUNET 
  • Ercan Elibol, Florida Polytechnic University 
  • Mike Grady, Unicon
  • Scott Green, Eastern Washington U
  • Meshna Koren, Elsevier
  • Johnny Lasker, Internet2 
  • Andrew Scott, Internet2 
  • Ann West, Internet2 

 

Discussion

Working Group Updates

    • InCommon TAC
      • Reviewed and approved a proposed technical change to the signing process for metadata (made to address breaking changes in how CAs are handling certain certificate types)
      • Discussed NIST/CACTI meeting and thoughts (update and discussion, but no call to action)
      • Reviewed TechEx proposed sessions and content
    • SEWPG -  SIRTFI Exercise Working Group
      • Conducted practice exercise with SEPWG members
      • Call for Participation documents being drafted – plan to submit blog post to Apryl Motley by next week, target release for email announcements for CFP with link to signup form - next week
      • Conducted IAM online on ‘how to Sirtfi’ on 19 July, over 50 attendees

Updates from the quarterly cross-chairs meeting

    • John Krienke and Albert have been working on proposed adjustments on how the InCommon Federation operates, to adjust to current trends
    • creating a proposal document, called "this old house," that will go to InCommon Steering for review
    • One area for improvement: 
      • We currently assume the campus IAM office will be the single point of contact for InCommon
      • Exec and two site admins are responsible for all changes to IdPs and SPs
      • But some site admins don’t know about all the SPs that are registered 
      • Hope to engage with application teams (the SP operators)
      • Proposal to change the model slightly so that SP operators can become metadata admins
      • There are some regional support organizations joining InCommon
      • They want to orchestrate on behalf of member organizations
      • Same as the single campus model versus a department model.
      • Proposal takes us closer to how eduroam operates

    • Also the proposal addresses sponsored partners
    • Sponsored partners currently need a letter from an existing Higher Ed member
    • But is this still a needed practice? 

    • There will be impacts to the InCommon Participation Agreement if the proposals are adopted
    • Question: how does the “middle thing” paper relate to this?
    • Answer: likely “this old house” and “middle things” will converge
    • Middle things is an InCommon TAC group, being led by Ken Klingenstein, David Walker, Tom Barton, Mark Rank, and Albert Wu
    • Question: Is CTAB endorsement going to be needed for This Old House ? 
    • Kevin: Hoping groups like CTAB have visibility and will weigh in on the proposed document and help shape it
    • David: let’s schedule a CTAB meeting for a run-through of the This Old House document


Next Steps for Federation maturity

  • Need to define better the work for each of the top priorities identified in the Mural Collaboration and discussions
    • Entitlements - success stories, more
    • Federation Support / purpose|value for smaller (non-R1) schools

    • SaaS providers’ conflicting models 

  • Context and background:
    • Baseline Expectations has been successful
    • At this point, moving forward in increasing trust in federation, the bar probably should not be all or nothing anymore
    • We should give guidance on how to do things (such as MFA, for example)

  • Noted that REFEDS Assurance Framework (RAF) v2 will be finalized in 2023
  • When the RAF assurance guidance doc finishes the consultation stage and is final, updating the assurance guidance will be a priority
  • Important questions to decide work items:

  • What do we want to accomplish? What does success look like?
  • When do we want to conclude the work?
  • Who should be involved? / How do we want to do this work?

Note: the remainder of the call focused on discussing/defining potential CTAB work around Entitlements

  • Entitlements - success stories, more?
  • We all have some SPs who need info about which users have which abilities and roles
  • There are a variety of ways of managing roles, through group management or eduPersonEntitlement.
  • There is a lack of consistent standards
  • Providing examples will be valuable
  • Would be helpful to share good, extensible procedures
  • REFEDS best practices: https://wiki.refeds.org/display/FBP/Federated+Authorization+Best+Practices 
    • Eric: Seems like there are three aspects/questions being discussed
      • What kind of information would CTAB want to recommend/establish standards for signaling between organizations, vs. advice about how to convey this information within an organization
      • Managing who has what permissions (e.g., grouper, etc.). An internal infrastructure point
      • How is it expressed? Using SAML or other mechanisms.
      • How frequently does it occur that an SP out of the IDP scope of influence is interested in consuming entitlements from the IDP?
    • Tom:
      • Some people think federation is mostly about authentication
      • Access management could be a next service for federation
      • Could an SP operator add an entitlement?
      • Best addressed with new ability to delegate access management?

    • Andy: OSU performs access control at IDP level for some applications, versus passing along an entitlement value.
      There is overlap with provisioning of accounts

    • Albert: similarities to proxies, which is being discussed by middle things group
    • Tom: have a proxy service offered by federations? Verifiable credentials.  Many more sources of authority in federated context 
    • David: concern about expanding the issue to include entitlements and authorizations more generally, could be an unmanageable task
    • Andy: entitlements versus attribute release 
    • There are many bilateral use cases 
    • What is the federation-wide role for entitlements? 
    • David: best practices to make your IDP and SP work better together are needed for campus IAM practices
    • This is more a matter of providing advice on internal practices around bilateral relationships
    • Warren: entitlements are particular to the SP involved. 
    • SAML is a way to transmit info. LIGO uses a proxy or Attribute Authority, but I don't see how that scales outside of a single organization very well.

    • Everybody in the federation cares about this, but is this something CTAB should tackle?
    • Albert: should we have an exploratory group to define this topic?
    • Use next CTAB call to continue the discussion or spin up a subgroup
    • Look for an email from Albert on this
    • Also, this could be an ACAMP discussion topic

  • Discuss on a future CTAB call:
    • Federation Support / purpose|value for smaller (non-R1) schools
    • SaaS providers’ conflicting models 

Next CTAB Call: Tuesday, August 22, 2023
