Minutes

Attending: Mark Rank, Mary McKee, Heather Flanagan, Eric Kool-Brown, Janemarie Duh, Matthew Brookover, Matthew Economou, Eric Goodman, Keith Wessel

With: David Walker, Les LaCroix, Dean Woodbeck, Nick Roy, Jessica Coltrin, Dave Shafer, Ian Young, Albert Wu, Steve Zoppi, Shannon Roddy, Ann West


Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.

Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.

Action Items

(AI) Keith Wessel and Janemarie Duh will draft a note to Scott Cantor about the timing of the IdP4 release and the new default for algorithms (and to understand how it will affect interoperability and the federation).

(AI) Eric Goodman, Matthew Economou, Mark Rank will review the technical details of the algorithm change in IdPv4 and provide summaries to the TAC email list.

(AI) Janemarie Duh, Eric Kool-Brown, Albert Wu, and Matt Brookover will meet to discuss the proposed Test Federation working group, the user stories that have been developed, and suggest a direction for the working group.

International Update

In the world of global federation work, we have several conferences and meetings coming up over the next few weeks in the R&E FIM space:

  • TIIME and FIM4R (17-20 February)
  • TF-IAM at APAN 49 (2-6 March)
  • T&I Hackathon (23 March)
  • eduGAIN Town Hall (24-25 March)
  • I2 Global Summit (29 March - 1 April)

While in general, it sounds like interest in TIIME is slowing down, FIM4R is still a hotbed of FIM discussion. FIM4R is still sorting out their agenda for the meeting; stay tuned there.

TF-IAM is always interesting in that it explores what’s happening in the emerging federations of the Asia-Pacific region. Terry Smith will be providing a report out from TF-IAM at the eduGAIN Town Hall.

The eduGAIN Town Hall is going to be a major event; registration is full at 65 participants. The agenda can be found here: https://wiki.geant.org/display/eduGAIN/Trust+and+Identity+Townhall+2020

And in REFEDS land, the SC is voting on the 2020 Workplan, and will be having a retreat on 23 March to discuss the future direction for REFEDS. Is it time to be a more strategically focused organization, or should we continue on our year-to-year planning cycle? If you’re curious, the draft agenda for that meeting is on the REFEDS wiki: https://wiki.refeds.org/display/STEER/DRAFT+Steering+Committee+Agenda%2C+23+March+2020

Trust and Identity and Ops Updates

IdPv4 and GCM

The release of Shibboleth IdPv4, scheduled for the end of February 2020, includes a change in default to use GCM cryptographic algorithms for outbound encryption. This could cause some problems for the federation and participants. One result may be for InCommon to introduce algorithm support for SPs and to define defaults. Unfortunately there is not much time to react to this. This is not an immediate threat, but we need to move in this direction. 

SPs would need to change their metadata to support the new algorithms. InCommon Ops is considering a solution that would involve adding a default algorithm to all SP metadata, while also providing a way for SPs to indicate support for GCM. Note that this change in IdPv4 would affect only new installations, not upgrades from previous releases.

(AI) Keith and Janemarie will draft a note to Scott Cantor about the timing of this and understanding how it will affect interoperability and the federation.

(AI) Eric Goodman, Matthew Economou, and Mark Rank will review the technical details of this change and provide summaries to the TAC email list.

SameSite cookie impact on federation

There was a discussion about the SameSite cookie impact on the federation. It appears that Google is changing the Chrome defaults on Monday. One potential workaround is a "two-cookie solution" (which Scott Cantor intends to use). This solution involves setting two cookies – one with no SameSite properties and another with the SameSite properties. The newer browsers that correctly handle the new cookie properties will send the cookie with the SameSite properties set and suppress the other. Older browsers will send the older/non-SameSite-properties cookie (but will suppress the new one). Applications need to be modified to look for both cookies. Also, (quoting) “it doesn't really work well for JSESSIONID, since that [reading session info out of cookies]'s all hardwired into the containers”.
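A sketch of the two-cookie approach described above, added here as an illustration; it is not from the TAC discussion or from Shibboleth's code. The cookie names, the `_legacy` suffix and the choice of `SameSite=None; Secure` for the attributed cookie are assumptions.

```javascript
// Added example: cookie names and the "_legacy" suffix are hypothetical.
const LEGACY_SUFFIX = "_legacy";

// Build both Set-Cookie header values for one session token.
function buildSessionCookies(name, token) {
  if (!/^[A-Za-z0-9_-]+$/.test(token)) {
    throw new Error("token must be cookie-safe");
  }
  const base = `=${token}; Path=/; Secure; HttpOnly`;
  return [
    `${name}${base}; SameSite=None`,   // for browsers that handle the attribute
    `${name}${LEGACY_SUFFIX}${base}`,  // no SameSite attribute, for older browsers
  ];
}

// Both cookies must be expired together on logout, or one outlives the session.
function clearSessionCookies(name) {
  const expire = "=; Path=/; Secure; HttpOnly; Max-Age=0";
  return [`${name}${expire}; SameSite=None`, `${name}${LEGACY_SUFFIX}${expire}`];
}

// Parse a Cookie request header into a Map; the first occurrence of a name wins.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    const key = part.slice(0, eq).trim();
    if (key && !jar.has(key)) jar.set(key, part.slice(eq + 1).trim());
  }
  return jar;
}

// Look for both cookies: prefer the SameSite one, fall back to the legacy one.
function readSessionToken(cookieHeader, name) {
  const jar = parseCookieHeader(cookieHeader);
  if (jar.has(name)) return { token: jar.get(name), source: "samesite" };
  const legacy = name + LEGACY_SUFFIX;
  if (jar.has(legacy)) return { token: jar.get(legacy), source: "legacy" };
  return null;
}
```

The `source` field lets an application log which cookie each client relied on, which shows when the legacy cookie can be retired.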

Prioritize work items for 2020 

The four proposed workplan items are:

  1. Test Federation
  2. Cloud Cookbook
  3. IdP as a Service
  4. Seamless Access

There is a document to collect user stories related to each of these items.

Potential themes as organizing principles for the working group and desired outcomes:

  • “Making Federation Easier” 
  • “Increasing the Value of InCommon”

Test Federation

  • Albert has developed some user story ideas
    • New or existing participants can validate the service they intend to bring online - test interoperability
    • Federation operator test changes to the infrastructure (like MDQ) - validation, Q/A, staging
    • Provide a checklist that participants can use to understand whether they are following the right practices to be federation-ready
    • Training for those new to federation/SAML
    • Use for InCommon training sessions
    • Could also help someone understand whether a service actually works in the federation
  • Nick drafted a test federation requirements document in 2018
  • (AI) Janemarie, Albert, Matt B, Eric K-B form a subgroup to discuss the user stories and help set a direction for this potential workgroup.

Cloud Cookbook - No discussion

IdP as a Service - This will be deferred until the current working group completes its work and report

Seamless Access

  • TAC should monitor the progress and results and determine whether it is a possible solution for discovery, MDQ, and other things
  • Note that the Seamless Access service is considered "Beta" at least through June of this year

Next Meeting -  Thursday, February 27, 2020 

