CTAB Call Tuesday July 25, 2023



David Bantz, University of Alaska (chair)
Warren Anderson, LIGO
Tom Barton, Internet2, ex-officio
Richard Frovarp, North Dakota State
Eric Goodman, UCOP - InCommon TAC Representative to CTAB
Mike Grady, Unicon
Jon Miner, University of Wisc - Madison (co-chair) 
Andy Morgan, Oregon State University
Kevin Morooney, Internet2
Ann West, Internet2
Albert Wu, Internet2 
Harsh P Biscuitwala from Alfa Jango, in place of Johnny Lasker, Internet2
Emily Eisbruch, Independent, scribe 


Pål Axelsson, SUNET 
Matt Eisenberg, NIAID 
Ercan Elibol, Florida Polytechnic University 
Scott Green, Eastern Washington U
Meshna Koren, Elsevier
Johnny Lasker, Internet2
Kyle Lewis, Research Data and Communication Technologies
Andrew Scott, Internet2
Rick Wagner, UCSD 


Working Group updates

  • CACTI (Richard)
    • Met with NIST to discuss their IAM roadmap and potential future collaborations. A good chunk of the discussion revolved around verifiable credentials.
    • Received a status update about the InCommon Certificate Services
      • Supports ACME, which matters given Google's proposal to shorten public TLS certificate validity to 90 days in browsers
    • Good to see engagement from NIST. There is a workshop coming up today. Please participate if interested.  
    • NIST is primarily govt agency focused
    • NIST does not have direct authority over agencies' implementation of the NIST guidelines
    • Ann discussed future Tech Ex participation with Connie LaSalle of NIST
    • InCommon Certificate Service https://incommon.org/certificates/
      • InCommon certificate service was also discussed on CACTI call, including future use cases, tie-in with eduroam user certificates
      • Community group is being put together to reboot the InCommon certificate service community engagement
      • Figuring out the logical buckets for new features, trying to right-size them
      • Thanks to Michael Trullinger of Cal State Systems office, who is assisting in the analysis and evaluation of the logical buckets   

  • REFEDS Assurance Group - RAF 2.0 in consultation 
    • Waiting for the consultation to conclude on Aug. 15, 2023
    • Helpful comments have been received, please add your input

Potential new items for 2nd half of year 2023 CTAB work plan or for 2024 CTAB work plan

  • Framing the next chapter of federation maturity 
  • It will be helpful to define why we care about the following items identified on the mural collaboration board.

  • Popular items from the mural collaboration board

    ▪    Entitlements - success stories, more?

    ▪    Federation Support / purpose|value for smaller (non-R1) schools

    ▪    SaaS providers’ conflicting models (EG: SaaS vendors “don’t do federation the way we think of it; we aren’t going to persuade them to adopt our model, but perhaps develop guidance or ‘tips and tricks’ on how InC participants can deal with them; an example is to swallow and adopt persistent email address that will be SaaS vendors’ Identifier.”)

    ▪    Honorable mentions

    ▪    Elephant in the room - commercial IdP solutions’ “walled garden” 

    ▪    Federal agencies 

    ▪    Define “federation ready”

    ▪    Challenge: SPs trusting IdPs (and IdPs validating) strong auth vs. SPs specifying auth methods (issue with REFEDS MFA today)

                ◦    “We don’t want to tell folks what they have to do for federated collaboration, so in that vacuum, vendors are telling folks exactly what to do”

                ◦    “We (InC) are no more a real “standard” than what the IAM do is “standard”!”

    •    Comments

    ◦    Goals including things like scaling our community’s response to NIST guidelines, amplifying our community’s voice

    ◦    How do we adapt to the reality, teach ourselves to accommodate recalcitrant SaaS vendors? That is the “other side of the coin” of attempting to influence commercial/SaaS providers to adopt practices better suited to R&E federation.

    ◦    Train according to IDPro guidelines?
    ◦    Why does appealing to vendors to comply with desired standards have limited impact?

    ◦    We may not have a solution that is better for the vendors given their use cases. Our desired approach in some cases creates extra complication for vendors 

    ◦    InCommon has considered bilateral (point-to-point) trust to be out of scope, we push towards multilateral as the only correct model. Is that reasonable, given our audience? We hope to grow with non-R1 schools.

    ◦    Comment: support for multilateral is very important for R&E collaboration, but apart from that, InC federation and R&E best practices provide huge benefits: secure just-in-time metadata exchange, standardized MFA signaling, JIT account provisioning, ... Campus culture and habits may be holding us back.

    ◦    Provisioning versus bulk update; some vendors offer to do provisioning

    ◦    Users are accustomed to asking as consumers. 

    ◦    Should we support email as a first class identifier?

    ◦    There are many reasons why schools don’t like using email as identifier, but it’s a good question to revisit

    ◦    Documentation for new InCommon vendors is lacking

    ◦    We do more hand holding for IDP operators

    ◦    Maturing federation involves creating a better, easier learning curve

    ◦    Explaining more about SAML for newbies

        ▪    but SAML may already be on the losing end of the OIDC contest

        ▪    SAML is just a tool

        ▪    Maybe we need to articulate what we care about independent of SAML

    ◦    One issue is that things change so rapidly, documentation becomes outdated

    ◦    Commercial solutions, such as Okta, play a valid role

    ◦    Summary

    ▪    Consolidation, for example, deal with 6 vendors for 95% of SaaS apps

    ▪    Become more user centric, enable the user, this is important, but hard to define the CTAB work item

    ▪    Hard to know what new trends will persist

    •    AI (action item) - Albert will brainstorm regarding issues around SAML and generalizing what is most important

Next CTAB call: Tuesday, August 8, 2023