InCommon Pilot Call

Feb 27, 2014

See Keith's slides

PARTICIPANTS: Ann West (InCommon/Internet2), Shaun Abshere (WiscNet), Bernie A’cs (IllniCloud), Corey Schofield (University of Victoria), George Laskaris, John Desha (Utah), Jordan Clark (Nebraska), Mike Danahy (Nebraska), Mark Scheible (MCNC), Scott Isaacson (KINBER), Mark Johnson, Mike Kerry (KINBER), Keith Hazelton (UW Madison), Brian Peterson (UEN), Dean Woodbeck (InCommon), Gary Diamond (UEN), Jennifer Griffin (The Quilt)

MEETING NOTES: (Call Recorded)
Policy Reminder
http://www.internet2.edu/membership/ip.html

1) Guest speaker is Keith Hazelton; the call will extend to 60 minutes. Review the eduPerson schema, the InCommon Federation Attribute Overview and the InCommon Federation Attribute Summary.
a) Presentation
b) Can "isMemberOf" handle an "isParentOf:Student" relationship?
i) If the IdP is known to the student, then yes.
ii) The student defines a group of parents.
iii) Person-to-person relationships are underdeveloped in the schema.
c) Is the parent an eduPerson too?
i) Yes; you need to define a one-to-one relationship.
d) Entitlement instruction: how do you use it? There seems to be a conflict about parsing.
i) eduPersonEntitlement: wouldn't it need to be parsed?
(1) If a community agrees on how to use it then follow that structure. This could be treated as an opaque key.
(2) There should be a definition of how the schema was constructed.
e) “isMemberOf” defines a group or set of individuals and requires IdP/SP agreement on the values and what they represent. Entitlement defines an individual’s privilege or authorization and also requires IdP/SP agreement on the values and what they represent. Is this a correct summarization?
i) Yes
f) That connection - parent:student - would likely (still) be made in the application being accessed.
g) Keep things simple and start with a modest set of goals. Expect to see quality attributes, but remember to include and collaborate with all partners.

2) Discussion:
a) Abshere, Shaun (WiscNet): has anybody read/written a document that gives a categorical list of applications-in-demand by K12 or Tech Colleges (e.g., LMS with performance tracking; online assessment testing and tracking; etc) and then categorizes the list by Service Provider expectations for identity management?
i) Bernie: is interested in that listing as well, if it exists.
b) Bernie: Looking to use a relatively standardized collection of attributes: PrincipalName, OrgDN, Affiliation, & Entitlement, where OrgDN is the LEA identifier; Affiliation uses the controlled vocabulary to categorize the user’s organizational role; & Entitlement covers any custom values that need to be fulfilled for specific SP relationships. However, there seem to be cases that may need more, for example OrgDNUnit (for building or school), and others to account for personnel that work in more than one OrgDNUnit or even OrgDN(s). Similarly, the roles an individual fulfills at multiple orgs may in fact be different. With this in mind, 4 may not be enough; is there some advice regarding the minimalist approach for a standard?
c) Mark Scheible, MCNC: The granularity of "org" in K-12 does present a problem. Even eduPersonScopedAffiliation would likely be based on LEA and not school. Entitlements can get complicated. It would definitely take some careful thinking about how to assert the use case you present.
d) Shaun Abshere, (WiscNet): Example use cases from Wisconsin: K12 student taking classes at technical college or university but using only K12 ID;
e) Mark Scheible, MCNC: Depending on the specific use case, it may just need to be part of the application being accessed. In other words the application would recognize the user has two affiliations and must have the user "pick" how they want to enter the application.
f) Shaun Abshere, (WiscNet): Use Case 2: all students at a certain grade level statewide log in to an SP's online assessment application
g) Mark Scheible, MCNC: @shaun - that's where a unique identifier (statewide) would be very valuable.
h) Ann West, InCommon/Internet2: @shaun I think Keith is looking for attribute needs. What kind of information needs to be passed to the SP?
i) Shaun Abshere, (WiscNet): understood.
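As an added example (not code from the pilot, InCommon or Internet2), the following Python sketch shows how an SP might consume the attributes discussed above: it treats eduPersonEntitlement and isMemberOf values as opaque strings compared exactly against values agreed with the IdP, as Keith advised, and it accepts an eduPersonScopedAffiliation only when its scope is one the asserting IdP is authorized for in federation metadata, which is where the LEA-versus-school granularity Mark raised becomes an SP-side check. The urn:oid attribute names are the standard SAML 2.0 names for these attributes; the scope, group name, entitlement URI and attribute statement are constructed placeholders.

```python
"""SP-side consumer for the eduPerson attributes discussed on this call.

Added example for these notes; it is not code from InCommon, Internet2 or
the pilot. The scopes, group names and entitlement URIs are constructed
placeholders. The urn:oid attribute names are the standard SAML 2.0 names
for these attributes.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Standard SAML 2.0 (urn:oid) names for the attributes discussed on the call.
ATTR_NAMES = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "eduPersonEntitlement": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
    "isMemberOf": "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",
}

# Constructed attribute statement, as an IdP for a fictional LEA might
# release it. The second scoped affiliation is in a scope this IdP is not
# authorized for (the university the student also attends); the SP must
# ignore it rather than trust it.
SAMPLE_ATTRIBUTE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{ATTR_NAMES['eduPersonPrincipalName']}">
    <saml:AttributeValue>jdoe@example-lea.k12.example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ATTR_NAMES['eduPersonScopedAffiliation']}">
    <saml:AttributeValue>student@example-lea.k12.example</saml:AttributeValue>
    <saml:AttributeValue>student@Other-University.example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ATTR_NAMES['isMemberOf']}">
    <saml:AttributeValue>example-lea:grade:8</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ATTR_NAMES['eduPersonEntitlement']}">
    <saml:AttributeValue>urn:mace:example-lea.k12.example:assessment-2014</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(xml_text):
    """Map each SAML attribute Name to its list of string values."""
    root = ET.fromstring(xml_text.strip())
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue") if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def accepted_scoped_affiliations(attrs, idp_scopes):
    """Keep only scoped affiliations whose scope the asserting IdP may use.

    idp_scopes is the set of scopes from the IdP's federation metadata
    (shibmd:Scope). A value in any other scope is discarded rather than
    trusted: an IdP speaks for its own LEA, not for another organization.
    Scopes are DNS-style names, so comparison is case-insensitive.
    """
    idp_scopes = {s.lower() for s in idp_scopes}
    accepted = []
    for value in attrs.get(ATTR_NAMES["eduPersonScopedAffiliation"], []):
        affiliation, sep, scope = value.partition("@")
        if sep and scope.lower() in idp_scopes:
            accepted.append((affiliation.lower(), scope.lower()))
    return accepted


def authorize(attrs, idp_scopes, agreed_entitlement, agreed_group):
    """Access decision for the statewide-assessment use case.

    Requires a student affiliation in an accepted scope, plus either the
    entitlement value or the group name agreed with the IdP. Both are
    compared as whole, opaque strings; the SP never parses their structure.
    Returns (allowed, reason).
    """
    affiliations = {aff for aff, _ in accepted_scoped_affiliations(attrs, idp_scopes)}
    if "student" not in affiliations:
        return False, "no student affiliation in an accepted scope"
    if agreed_entitlement in set(attrs.get(ATTR_NAMES["eduPersonEntitlement"], [])):
        return True, "entitlement"
    if agreed_group in set(attrs.get(ATTR_NAMES["isMemberOf"], [])):
        return True, "group"
    return False, "no agreed entitlement or group"


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
    print(accepted_scoped_affiliations(attrs, {"example-lea.k12.example"}))
    print(authorize(attrs, {"example-lea.k12.example"},
                    "urn:mace:example-lea.k12.example:assessment-2014",
                    "example-lea:grade:8"))
```

The decision function deliberately keeps the parent/student and multi-affiliation questions out of the attribute layer: as noted above, that kind of connection is made in the application, so this code only establishes who the IdP may vouch for and which agreed values are present.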

3) Questions:
a) Are there real world use cases?
i) There are a variety of edge cases in K-12 that may not be representative of higher ed. How do you express job locations and relationships (instructor / principal)?
ii) Who would know which role the SP needs to receive? Which services are being accessed at the SP?
iii) There is a case relating to small, medium and large kids. Scrutiny in privilege depends on consent. This is very complicated when it comes to small kids and the schema.
iv) Privo is looking into this.

END OF CALL
