TAC Meeting October 17, 2018
Face-to-Face at TechEX
Attending: Mark Scheible, Judith Bush, Mike Grady, Janemarie Duh, Eric Goodman, Heather Flanagan, Keith W, Eric Kool-Brown, Matt Brookover
With: Ann West, James Babb, Steve Zoppi, Dave Shafer, Nick Roy, Mike LaHaye, IJ Kim, Albert Wu, Nathan Dors, Chris Phillips, Dean Woodbeck
Internet2 IPR reminder
Introductions for new staff, James Babb and Albert Wu, and guests Michael Gettes and Chris Phillips
Nominees and recruiting
It has been hard to direct nominees how to submit a nomination request, so Mark and Dean created a link on the public TAC page to submit a nomination.
Still a challenge to find the TAC home page. “InC-TAC” is hard to remember to search for. Have to google “InCommon InC-TAC”
Please direct people to that page for self-nominations, work on recruiting at TechEx
Mark reviewed the nominations from 2018 and added some previous nominations back into the mix. Nomination period is open until close-of-business Wednesday, October 24. We have a TAC meeting the day after; discussing those nominations will be a focus.
(AI) TAC members please discuss with any nominees you have proposed, whether or not they are willing/able to serve, and indicate ‘Y’ or ‘N’ in the appropriate column on the nominations wiki
Need to solicit participation from research, security, and smaller schools
Question: Why do we have standards-space work called out as a skill set for leadership?
It would be valuable, but not a requirement
2019 Work Plan topics
Question about OCLC and Unicon needing to recuse themselves from this discussion due to running IdPaaS services?
It’s fine for these representatives to participate in discussing the charter.
We have been asking representatives from groups that might run this type of service to join such a working group.
Don’t want to prevent people who have working knowledge from participating.
IdP proxies should be part of this working group, but also interested in SP proxies - so maybe SP proxies should be a different WG.
How does this work relate to the IdPoLR working group in REFEDS?
Is the scope explicitly presuming that the authN source data is under the institution’s control? That would be the difference between this and an IdPoLR.
TAC members and InCommon staff stated that is the difference between this and an IdPoLR.
IdPoLR is more for individuals without an institutional IdP, whereas IdPaaS is for campuses that can’t run their own IdP
WG outcome: provide recommendations and requirements for InCommon to offer an IdPaaS
Tom Barton’s IdPaaS WG Charter Proposal
Question about why representation of the largest possible segment of InCommon membership is a goal
The goal is to get a lot of participants who currently can’t participate, so this follows naturally from that goal. There is a shortage of IAM skillsets available at these institutions.
There is a CIO selling point here, with the push toward for-fee services.
This is only a goal if we assume that institutions cannot run this on their own.
It is also a good way to convert the part of our services that need to be ‘hub-and-spoke’ into that model, in support of things like protocol transitions.
Does InCommon need to look at the value of a hub?
Need to include this in the charter. Could be implicit, or explicit, goal.
Afraid that if we try to figure out an H&S model at the same time we are doing IdPaaS, that could cause confusion. Also one is more policy and the other is more a technical specification.
Don’t want to jump to architectural conclusions
Don’t want to slow down the discussion by introducing a discussion about federation topology into it
Mesh federations are becoming more hub-n-spoke-y, hub and spoke federations are becoming more mesh-y.
Michael Gettes’ IdPaaS Draft
Acting as a member of the community
Not waiting for a WG to get started - have been talking about this for a long time
Recent activities at CSG and the opportunity at ACAMP will help complete this paper, turn the paper over to InCommon staff.
A lot of schools don’t participate in InCommon. Having schools do the same thing (standardized service) will drive up the value of InCommon for SPs.
Overall approach, two-level service
“Friendly” - $15k/year
Question on thoughts between “Friendly” column and TIER
On-prem is one of the “Friendly” options - longer-term goal to get off of the on-prem for some set of schools
“Not friendly” - $50k/year or more
This needs to come through the TAC Working Group. Michael’s work will be made available to the TAC WG.
We need to finalize this charter and approve it, and let Steering know, and recruit chair, members/set up working spaces.
Also share with CACTI as part of FIM4R gap closure work.
TAC members interested in participating:
Eric Goodman (although more interested in SP proxy work)
Keith Wessel (also raising half a hand)
Mike Grady (as appropriateness permits)
The TAC workplan needs to address requirements coming out of WGs that happened in the previous year - next steps as addressed by upcoming TAC work.
REFEDS Federation 2.0
Judith met with Tom Barton
Will have an ACAMP session to elicit more work on the charter
Schedules: they will come up with a revision of the charter and start calling for members - hope to have scheduling Doodles out in time to have first meeting in January.
Time is more difficult to manage because it is an international WG
RA21 - InCommon Support
RA21 is looking for an operator of a discovery and an IdP persistence service
Not restricted to just publishers, but publishers want this implemented
They are most interested in the IdP persistence piece, with the discovery piece a lesser priority
There is some benefit in GÉANT possibly running it, because of GDPR.
Code would be managed by Internet2
GÉANT wants to know if this is something that would be useful for all federations/participants in eduGAIN? Likely should be considered a community asset.
Currently working among those parties to determine whether or not we can/should do this.
Do we want to make this change/is this a direction we want to go in, and is the functionality worth the cost?
There is debate even within RA21 - don’t want just anyone to use this, vs. the more people can use it, the better it works. Still being actively discussed.
There are competing requirements on the Library side between the desire to provide absolute privacy, and the desire to provide access to protected resources.
What is the role of the federation operator in this?
Adhering to the UX guidelines
Do we do this as a federation operator, along with GÉANT?
Is this wayf.incommon.org version 3?
There is a search component to this that needs to be done to enable discovery to conform to RA21 UX guidelines. Needs to also be a way for SPs to signal to the DS that they know an IdP won’t work.
We’ve talked about this at REFEDS but never really asked these questions - educating them enough about RA21 to ask the question about what parts of this we should be implementing.
IdP persistence piece is a critical security component.
CAF as another federation operator: All the federations have their own central DS. It is a minor lift to use that to provide the IdP hint using the central DS. What is the delta to meet RA21 needs?
IdP proxies for ADFS, Okta, etc.
For SPs that can’t do multilateral federation (lots of commercial SPs)
Topic(s) for Researcher and OIDC members to sink their teeth into!
Each of the above topics has implied hooks for Research and OIDC
AI: TAC carefully review these draft minutes and redact anything that is not appropriate to share yet