Minutes

Attending: Heather Flanagan, Mark Rank, Mary McKee, Matthew Brookover, Steven Premeau, Janemarie Duh, Judith Bush, Eric Goodman

With (Also Starring): David Walker, Nicole Roy, Johnny Lasker, Shannon Roddy, Steve Zoppi, Albert Wu, Ann West, David Bantz, IJ Kim, Les LaCroix

Status updates / Q&A

HECVAT - does TAC want to add this to the work plan and, if so, in what context? What do we want to ask Nick Lewis?

  1. HECVAT (Higher Education Community Vendor Assessment Toolkit) is a joint effort of EDUCAUSE and Internet2. Nick Lewis (Net+ security program manager) is Internet2’s point person.

  2. Duke (Mary) proposed adding a federation/SAML issue. Campus security are already paying attention to the HECVAT. It would provide us with a standard template for vendors to declare their support.
    1. Mark Rank mentioned that this can ease vendors’ burden of responding to RFx questions from customers, as they can simply provide their HECVAT response.
    2. What are the opportunities to “catch the wave” of others who are dealing with these and similar issues?
    3. This will be put on the TAC’s work plan.
    4. This complements Baseline. The deployment specification issues have short, medium, and long time frames, all of which can be asked in HECVAT so that they are not a surprise when they become (short-term) Baseline requirements.

Browser Technology Changes (update and discussion)

  1. There’s a Browser Interactions Work Group in the OIDF space looking at federation use cases / scenarios. Heather, Nicole, Eric and others are contributing to this effort.
  2. EricG mentioned that the workgroup requested that scenarios be specific to particular technologies, even though our scenarios may be flexible about implementation. Nick: For example, IdPs need to maintain state in the user’s browser. Cookies and browser storage each address the same concern, but we should call out how each is used.
  3. Heather: It is helpful to provide examples of how specific sites (e.g., Elsevier) work currently.

On the horizon - What next with OIDC (in Federation), what advice do we offer (to Steering)? What do we need to know?

  1. The OIDF OIDCre working group will resume regular bi-weekly meetings starting next Monday, March 15th, at 4:00pm CET/8:00am PST.
    1. See also the notes in the International Update.
  2. Albert: Does OIDC matter to us? Is it used in multilateral federation? Current use cases seem to be non-browser and/or bilateral.
    1. Mary: Multilateral is not usually the starting point. Duke supports OIDC along with SAML.
    2. OIDCre doesn’t seem ready to adopt. 
  3. We’ll continue this discussion in the next call.

Next Meeting - Thursday, March 25, 2021

EMail Updates

International, SeamlessAccess, and Browser Interaction Updates


Subject: [TAC-InC] International, SeamlessAccess, and Browser Interaction Updates
Date: Wed, 10 Mar 2021 14:28:20 -0800
From: Heather Flanagan


So many updates, so little time!

---

International Update
REFEDS has several activities in progress of potential interest to TAC:

  1. R&S 2.0 status - The R&S 2.0 working group has agreed to remove (for now) the OIDC information from the specification. The group agreed to add it back in when there is actual standardization in this space, with a goal of having a 2.1 spec that includes that information before the end of 2021. The next call will focus on if/how to include information on Assurance, and Jule Ziegler, chair of the REFEDS Assurance Working Group, will be there to discuss.
  2. REFEDS consultation - eduPerson Analytics ID. This consultation involves a new attribute to be added to the eduPerson schema that would provide a way for an institution to send through a set of reporting codes as part of the authentication transaction, which the SP will then use to create segmented usage reports. The primary use case captures the need of a publisher/library scenario where data is needed to understand the use of a given resource and be able to classify that resource into buckets (such as internal billing codes). This happens outside the authentication/authorization transaction and so is not itself an entitlement. The consultation is open until 5 April. Please see the consultation page for more detail: https://wiki.refeds.org/display/CON/Consultation%3A+eduPersonAnalyticsID
  3. REFEDS OIDCre WG update - The REFEDS WG will spin up, after Heather finds a pair of chairs for the group. Related to this is the state of the OIDF working group (which has IPR considerations that have resulted in the REFEDS group spinning up again to collect the feedback from the people who cannot accept the OIDF IPR): the OIDF WG is trying to figure out what to do, how often to meet, and what the state of adoption is for the current eduPerson <-> OIDC mappings.
  4. REFEDS meetings
    1. REFEDS will hold a meeting on 1 April to go over the results of the 2020 Survey. This survey, which has happened annually for several years, is the best (and possibly only) way to see how academic federations are evolving over time. Registration is free: https://events.geant.org/e/refedssurvey
    2. The REFEDS meeting in association with TNC will be held on 16 June starting at 13:00 CEST for three hours. This will be a set of live presentations and Q&A and is happening the week before TNC itself. Registration is free.
  5. TNC21 - and speaking of TNC, registration is free and open here: https://tnc21.geant.org/. Sessions will run from 21-25 June, and be prepared to wake up early.


Browser Technology Update
The OIDF Browser Interactions working group met on 10 March to discuss the ramifications of Google's recent blog post, https://blog.google/products/ads-commerce/a-more-privacy-first-web/. There are a lot of moving parts to turning Google into a "privacy preserving" company, and the WebID component is just one small part of that. It is unclear how all the different parts will end up interacting with each other even within Google. The group also offered useful feedback on how to make the scenarios submitted by Heather Flanagan and Nicole Roy (https://github.com/IDBrowserUseCases/docs/pull/2 and https://github.com/IDBrowserUseCases/docs/pull/3) more useful by calling out more specifically what features are used in the browser and for what purpose or function (e.g., indicate where the decorated links are located, where first or third party cookies are used) in the description. They also suggested using sequence diagrams instead of flow diagrams. When there are artifacts that are opaque to the browser - such as where the SAML content is encrypted - make that clear as well.

SeamlessAccess update
Latest monthly newsletter is out: https://seamlessaccess.org/posts/2021-03-10-march2021newsletter/

More and more institutions are starting to register their interest in using SeamlessAccess via the registration page, all using the Standard and Limited integrations (see https://seamlessaccess.atlassian.net/wiki/spaces/DOCUMENTAT/pages/425987/Integrations for more information on the different integration types). As sites go into production, the Service Provider stakeholder page will be updated to capture those implementations (https://seamlessaccess.org/stakeholders/for-service-providers/).

The next major technical piece of work for SeamlessAccess is how to filter IdPs from a list, either by making them unavailable or by somehow signaling whether they will work or not for a user. Leif Johansson has drafted a blog post that will be published later this month describing these plans in more detail.

Heather Flanagan — Translator of Geek to Human
https://sphericalcowconsulting.com
