Attendees:
John Buysse
Brett Bieber (Nebraska)
Rob Gorrell (UNCG)
Jeremy Livingston (Stevens)
Amel Caldwell (University of Washington)
Mike Dickson
With:
Romy Bolton
Mike Zawacki
Steve Zoppi
Regrets:
Kim Owen
Jeff Egly
Sara Jeanes
Ann West
Agenda
- Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework
- Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.
- Agenda bash
- Approval of last meeting’s minutes
- https://spaces.at.internet2.edu/display/eduroam/eAC+Meeting+2022-07-29
- Rob Approves, Jeremy Seconds
- SO updates
- Network Nebraska
- Brett: Recent release of state funds for broadband expansion which was explicitly tied to our eduroam work. That linkage has driven adoption - we’re at 52ish% of all districts in the state with eduroam. Have gotten our board to approve long term funding for the SO program, folding it into standing fees. Will be presenting at TechEx with Painless. We’ll present on our SO work, Painless will present on integrating Google with eduroam. NETA (Nebraska Educational Technology Association) conference with a panel discussion
- The Sun Corridor Network
- Working for deployments within housing complexes. Engaging with Maricopa County and Maricopa Community College System as an eduroam partner within the community. Working through procurement and legal processes to get an agreement they can use with constituents. In the interim signing on participants as a pilot.
- UETN
- Pivoted to work on SP-only. Working on eduroam-to-go! Repurposing old equipment to build a self-contained eduroam SP-only site to assist with deployment.
- Mike D: Really interested in the SP-in-a-box offering. Seems like a great way to incentivize SPs, drive ubiquity
- Brett: There was some discussion on the global eduroam Slack channel, possible collaboration with Japan’s REN (Hideaki Goto is leading that effort).
- UETN’s monthly https://docs.google.com/document/d/1VtBTYreyciTvbNlBl9QIATGwSCnfYNzY-y_vb0sTCyA/edit
- Link Oregon
- Identifying schools to participate in their pilot. Working to build a support network, including Higher-Ed participants, to support the eduroam rollout.
- CEN
- Continue to work with pilot schools and plans for upscaling support and partnering with state-funded orgs.
- New Releases/service updates (Mike)
- IdP testing
- https://spaces.at.internet2.edu/display/eduroam/eduroam+Admin+IdP+Realm+Testing
- Further improvements planned, soliciting feedback from the community. Rob Gorrell has provided some suggestions to the team
- Brett: Great to see, would like to see
- Best way to send feedback? Help@incommon for initial thoughts and feedback.
- Steve: Is help@incommon.org sufficient? Is it responsive enough?
- Rob: Fine for me personally. I’ve also reached out to Mike and Sara as well. Response time is always good.
- Brett: Steve does that work for you as well?
- Steve: Yes, but we’re always open to adjusting methodologies. Every feature that we create we try to keep the documentation loose at first to avoid “leading the witness”.
- Rob: my two (minor) feedback points on self testing…
- 1. username needs to be entered without realm to be successful when we usually promote always authn w/ realm
- 2. some of the info from logging is missing making the attempts difficult to locate in the log viewer (this I posted to the admins list about).
- Steve: WRT point #1 we struggle with that in other contexts. Trying to drive some consistency of design approaches.
- Mike D: Is this testing against all configured RADIUS servers?
- Rob: It does test against all configured servers.
- HECVAT release
- https://docs.google.com/spreadsheets/d/1k8YRXXtPkLXTd1u_4I6NYKNbQzOq_J9P/edit#gid=579748633
- IAM Online presentation on the HECVAT: https://www.youtube.com/watch?v=S3-lInuuSSE
- Possible eAC work item: IdPaaS (IdP as a Service) (Brett/Mike)
- Managed IdP for eduroam
- Similar work being done for the InCommon Federation
- Final report: https://spaces.at.internet2.edu/download/attachments/145064286/20200929-IdPaaS%20WG%20Final%20Report.pdf?version=2&modificationDate=1601401869523&api=v2
- Project page: https://spaces.at.internet2.edu/display/IDPAAS/IdPaaS+Home
- Brett: Lots of similarities in methodology here with the work of the User/Device Onboarding working group. The dream is to be able to remove a major barrier to adoption of eduroam (and InCommon!) by organizations of all technical skillsets. Recall the presentation by Stefan Winter for geteduroam, guest service, etc.
- Rob: Having had some experience on both sides of community working groups, I see lots of potential for convergence of eduroam and InCommon. One gap to consider is how to handle different authentication methods - do you require certs? Prohibit them? Incorporate them in future state deployments? I’d like to talk about that before we really dig into this service for eduroam.
- Brett: Great point. Would be good to think through what Margaret, others have said about secondary credentials. One thing to think about is that those questions will drive complexity. One way to address this is to focus the service on the infrastructure that starts outside the organization’s credential store and focus on the rest of the plumbing. Margaret and Mark will address this in their presentation on Google integration
- Rob: With username/password authentication I’d agree that those credential stores usually already exist. Less so with cert based authentication. Do we still want to push for certs? Especially if we have EAP based auth that might be “secure enough” as a secondary credential?
- Mike D: Agree with that. Seeing lots of schools that lean heavily on Google, Microsoft, etc. Also, need to think about how to handle guest users. Is that included, or will it be? Want to think about how to handle that, as many schools might be reluctant to provision guest accounts on their ID store.
- Rob: There was a working group that looked at Guest Access. Ended up recommending deploying eVA or something like that service. So that would be different from IdPaaS.
- Steve: The Venn diagrams of IdPaaS, IdP of last resort, and guest services lightly touch but overlap very little.
- Brett: Another reason I thought this would be a good topic for our group was to provide our perspective on what being a good eduroam/federation participant would look like. Think about how to square community requirements with commercial providers like Azure, etc. There may be vendors that could fulfill the need for that “adaptor”. If we were continuing down the path laid out by User/Device WG, what would our expectations be? What are our requirements and expectations? Rob hinted at that with his question about credential store integration. Don’t know that we’ve talked about that for eduroam the way InCommon has developed its Baseline Expectations program.
- Rob: For us, our BE is the best practices guide. Would like to see us continue to keep that current. Good point of engagement with 3rd party vendors.
- Brett: Like your idea to ensure the BPG is up to date. Could use that as the basis of a BE-like document.
- Rob: Agree.
- Brett: Would love to have a way to abstract away protocol level stuff and be left with a set of requirements for both identity and wireless auth federations. Recall the article where some security research group determines that “eduroam is insecure” when it’s really one org’s IdP that’s insecure.
- Rob: For me, brings things back around to more guidance, requirements for auth methods. What’s the security potential for both on paper? What is it in the field?
- Steve: This is really a problem for all federations, even though the resources they’re protecting are different (e.g. network access risks are different than the ability to configure the network, gain access to data, etc.). Faced with the dichotomy between managing authentication and authorization. eduroam is a service AND a network layer so it occupies several spaces. Need this group’s thoughts to ensure we’re implementing in a way that makes sense, won’t break things.
- Brett: Question for Steve and Mike - the IdPaaS WG might be aware of this community, yes? Or no? And is there a way for us to engage with that group?
- Steve: Can’t speak with certainty that they’re aware of this group, and their work is along different lines, but do know that members of this WG reference eduroam in their discussions
- Rob: I’d hazard a guess that, for example, cert based auth doesn’t factor into those discussions.
- Steve: Cert based auth isn’t popular in the browser based authentication world but it does happen in some cases. For example CILogon leverages certs, though the contexts aren’t 1-to-1.
- Brett: One other piece that’s mind expanding to consider - the difference between CILogon for HPC vs. how the SOs scale their work. That abstraction of protocol I mentioned earlier and understanding the benefit federated authentication brings is a great conversation to drive more of in this community. Like the idea of evolving K12 from thinking about federation for wifi access to thinking about identity federation
- Steve: I always end up thinking about “what will this cost us”. So if you work closely with, say, RADIUS it seems simple to talk about just the functionality. Making something elegant and simple for a broad swath of the population is hard, but valuable for serving smaller community segments, but also drives costs. There’s a little bit of “the composition has too many notes vs it has just enough notes” that we need to strike. This group’s insights for what the MVP is will be invaluable to us.
- Mike D: Good/fast/cheap conundrum applies here.
- Steve: Faced this with Shib. It’s too hard until people realize what they need to have if they don’t have Shib. That drove development of the Shib UI, which doesn’t do everything but it does enough to help less technical audiences.
- Rob: Good analogy. I feel like we are with eduroam where we were with Shib in 2008.
- Steve: Agree. Complexity is less with eduroam but many still need help.
- Rob: Yes - complexity is a barrier for adoption. It’s been a challenge for us. How do we find the thing that will solve most of the problems for smaller audiences? Fixing everything isn’t possible, just want to help a majority of those who most need help.
- Steve: Need to be sure we address the 80/20 split. Not easy to do, need to be mindful that you don’t try to fix everything for everyone. Separately, we’re looking at sequences half a year out or more. Want all working groups to keep that in mind when they undertake their efforts
- Brett: Think it was great to put this idea in front of us. Want to keep us thinking about the work of the IdPaaS group and think about how that would inform both our work on a potential IdPaaS and think about the implications for the “Baseline Expectations” for eduroam.
- Steve: Keep in mind that we’ll all place bad bets now and again, we just want to
- Rob: Coming back to the BPG and ensuring it’s current is key.
- Link to the previous Guest Access Working group outcomes: https://spaces.at.internet2.edu/pages/viewpage.action?pageId=210796656
- Items for discussion (Mike)
- User/Device requirements doc
- Appreciate all of the efforts and it’s still under discussion and analysis. With Sara out and the end of the year push looming we will continue to assess.
- Privacy KB article
- New membership, recruitment (Brett/Mike)
- https://docs.google.com/forms/d/e/1FAIpQLSdgB2gT4XQ5yjNUycVsqv-bVWE4Jdeag3N2LaFEOTTtOMynew/viewform
- Initial three year stint is coming to an end (6 potential seats). We are actively recruiting. Users rolling off can resubmit their names. Hint - Jeff Egly :-)
- Please actively recruit/reach out to anyone you think of who might be a good fit for eAC.
- Congratulations to Sara and Emily Jeanes! Kara Alice Jeanes, born on Saturday 27th
- Well wishes from the committee!
- Rob says daycares make good SP locations
- AOB?