Date, Time, and Location

Thursday, March 24, 2022
1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT

Minutes

Attending: Judith Bush, Eric Goodman, Keith Wessel, Mark Rank, Matt Brookover, Joanne Boomer, Steven Premeau, Heather Flanagan, Matt Porter

With (Also Starring): David St Pierre Bantz (CTAB), Les LaCroix (CACTI), David Walker, Albert Wu

Regrets: Matthew Economou


Agenda Bash + request for notable working and advisory group updates

    • CACTI update sent (see Email Updates below).
    • CTAB was primarily focused on the work plan. CTAB spent facetime on the issue of supporting the board’s role of increasing trust in the federation beyond Baseline. “Optional” instructions regarding MFA become “nice to have” for implementers.
    • No updates from Heather yet; they will come. See the announcement re the REFEDS community chat regarding browser “stuff”.
    • Keith shared the InCommon TAC accomplishments report with Steering.

Status Updates - Q&A

  • Teaser: IdP as a service program is being picked up again

  • OPS no updates, steady state

Update regarding IdP Discovery Document (Albert)

  1. Can SPs limit the IdPs? Yes, that is on the roadmap for the standard implementation, as is bringing in IdPs that are needed by the SP but are not in the federation.

  2. Latest document https://docs.google.com/document/d/1AMlIsqnU2vB01HTzGmp6uRE6fHe8GGsbr3MSY4XDm5U/edit

  3. TAC consents for this to be sent to Steering

  4. Just before sending to Steering, InCommon heard from SWITCH that they ARE maintaining their discovery code. More of an FYI, as the authors believe this does not change the recommendations given the other issues.


Overview of emerging issues affecting federation evolution (discussion continues)

  1. Proxies can mean different things. Here, consider a service provider component that does one or more of:
    1. SAML -> other protocol
    2. SAML aggregation point -> other resources
    3. Additional processing such as account linking, etc. before the user reaches the resource
  2. Examples:
    1. CILogon, which does all of the above
    2. NIH login, a gateway to all NIH resources
    3. EDUCAUSE
    4. Many, many resources use this pattern
  3. This is treated as a local matter in current documentation.
    1. Consider SAML to an OAuth2 service that issues an indefinite refresh token
    2. “We can have reasonable arguments about which party should have this control”
      1. LIGO might make a decision independent of the org
      2. An institution that has contracted access to an SP and wants to control who is affiliated
    3. Does the SP attesting via entity categories decrease friction? E.g., if “R&S” is asserted, does it really reduce the friction?
    4. This points to a principle that everything behind the proxy MUST have the same requirements
    5. Is the entity that put the proxy in place responsible for everything behind the proxy?
    1. How-to & policy (trust issue)
    2. Example: SessionNotOnOrAfter
    3. Example: “What is going on behind the proxy that I do not know about?” How can I trust the proxy? (But is that just the general trust issue with SPs?)
    4. Technical or organizational trust?
    5. An SP is not literally an application, but is a policy point. With a proxy, that policy point passes on to descendants which can make other policy decisions. POINT, NOT BOUNDARY
    6. Compare to how you have to deal with HIPAA agreements
    7. Is the eventual SP a member of the Fed? Is the behavior covered by the contract?
    8. Judith explains OCLC’s proxy behavior (contractual). Eric explains UC’s and notes others who run proxies to simplify onboarding (one entity ID gets the attribute releases; why should I go through that pain again?)
    9. Propose that TAC write a position paper before ACAMP as a jumping-off place instead of the perennial discussion.
    1. E.g.:
      1. UCTrust attestation on the InCommon members who are UC members.
      2. Pixie Dust
      3. IdP filtering - seamless tagging that an IdP is preferred for a type of SP (library resources)
      4. R&S certifier?
    2. InCommon prohibits augmentation of metadata by another organization
    3. SAML Metadata has an affiliation group.
      1. Have a UCTrust affiliation group list the SPs that are members
      2. PROBLEM: would ANY IdP software other than Shibboleth have the release configuration functionality?
    4. Are these patterns similar enough to discuss one solution? The federation would need to adjust policies.
      1. Yes; 20% technical, 80% policy
    5. We will continue at the next meeting.
    6. Setting Context: Making Federation Easier... What's missing
    7. RECAP: last meeting, the role of the SP and cloud SaaS service changes
    8. The context is: Albert is providing a set of observations of trends for us to consider whether the trends point to adjustments needed in the federation model. In keeping with the goal “Making Federation Easier”, let’s look at these trends and consider whether there are changes we should be making.
    9. Next topic: Proxies (aka Middle Things)
    10. NEXT: third-party attestation on a party’s metadata.
  1. Thanks to Albert for framing up this discussion!

Email Updates

CACTI Updates

Subject: CACTI Update 
From: Steven Premeau
Sent On: Thur, March 24, 2022

Short update today:

  • The Linking SSO working group has scheduled its first meeting (for April 6, 2022).
  • Continued discussion of 2022 CACTI Themes.
