Minutes

Attending

Attendees: Keith Wessel, Mark Rank, Matt Brookover, Joanne Boomer, Judith Bush, Steven Premeau, Eric Goodman

With (Also Starring): Les LaCroix (CACTI), David Bantz (CTAB), Ann West, Steve Zoppi, Albert Wu, Kevin Morooney, Johnny Lasker, David Walker, Nicole Roy

Regrets: Heather Flanagan, Matthew X. Economou

    • Updates 
      • Mark spoke to his draft doc on deployment profile 
        • Because of schedules will be following up async with some folks 
        • Keith and others believe there were good outcomes from the last discussion; they just need to get to Mark so he can put them into more words.
        • Hope to make progress by 5/27
      • Call for SP Proxy conversation participants from Albert
        • People are busy, so may defer first meeting to Aug/Sep
        • Ken K is interested in participating. 
      • CACTI may be interested in informal working group on SAML identifier adoption 
        • CACTI was asked by TAC if they were interested in participating.  We identified two volunteers and passed that back to TAC.
          • The last I heard they were waiting to be contacted.
        • This is a sub element of deployment profile adoption (subject-id and targeted-id) 
          • Matt Economou was championing this.
        • Some lack of clarity on the status of this effort.
          • Keith will follow up with Matt E out of band
  • Federation 2.0 updates/next steps/challenges
    • First, timeline and history and the process the working group had, then a bit about where we are today, then next steps for TAC
    • In 2018, the question of looking forward was on the InCommon and REFEDS plan. InCommon said join with the REFEDS working group rather than another working group
    • Judith Bush and Tom Barton were co-chairs, reached out broadly
    • Got recommendations to use scenario planning - determine some of the largest uncertainties your situation is facing and then try to write stories against the scenarios
    • Conducted surveys and interviews, remarkable number of in person interviews, survey had decent number of responses
      • Cliff Lynch from C&I responded among others
      • That input was something the working group went over
      • A lot of uncertainty and concern about the future of the federation
      • Part of it had to do with resources - staffing/financial
      • Who is driving the agenda of identity, will we be overtaken by outside agencies/corporations
      • Questions about inequities and social issues as well
    • Chose a funding dimension and how flexible would things be, will things be directed by a central group
    • Had a workshop in Estonia, got stories about how researchers work together. Even the best case scenario stories raised questions.
    • One of the insights across all of these somewhat negative spaces was the question of what if there had been an entity working on, say, advocating with large corporations for the needs of the education community or for the use of standards across borders/institutions, things that happen within our federation. The advocacy between entities needed to be much more authoritative, and also more coordinated.
    • What about REFEDS - it doesn’t dictate to federations on what to do. It’s a place for federation operators to come together to work on what best practices should be, but the adoption is at the federation level, but not necessarily required
    • NR: “We’re all hippies :)” Real point: Who’s in charge? When talking to other groups, our answer is “we all are”.
    • DW: Doesn’t have to be a top down thing, but needs some balance
    • Do we really have a choice if the industry is going in a different direction
    • Should we be worried about the details about SAML or talking with vendors about the needs of education
    • Sharing in the implementation of the wheels vs. re-inventing/re-implementing these wheels
    • We’ve written a report about the need for a global structure. The value statement is to give federation operators what they need to work with each other
    • AW: REFEDS didn’t think the report was actionable, it was too vague. REFEDS doesn’t have the authority to act on what is being proposed
    • At the end of the report, there were 2 very critical steps
      • REFEDS help convene a place where the heads of the federations, the community that needs to make these commitments to each other, they create a leadership charter. How to engage groups, individuals. Agree on how they are going to agree.
      • Then test this via how to extend REFEDS Baseline Expectations across all the federations
    • Report was turned in, REFEDS steering could not come to consensus on if they would adopt this. Agreed to another round of consultation and then see from there.
    • 45 minute slot in Trieste to talk further about it and fill in concrete details where things were more abstract
    • A parallel group, the eduGAIN Futures group, points to some of the same outcomes this group aims for
    • While a lot of work has gone into the report, unclear if InCommon or TAC wants to pick it up from here
    • How do we create an entity that can speak on behalf of multiple federations and go before Microsoft for example. We don’t have that collective voice yet.
    • DW: we may not need a new organization, there could be an existing one. eduGAIN has agreements with national federations to do certain things, but focused on interoperability and metadata. Change would be required if it’s an existing organization. We need to somehow insert international priorities into the national priorities.
    • KM: Kevin and Klaus have been invited to the Global CEO Forum. They are led by network engineers. They work through global complexity. Everyone in the room can make resources available and help solve the problem. It’s important to know what the process is to find where the buck stops at each federation. We could use visibility into who has resource allocation authority at each federation. There could be various reasons to not even want the authority.
    • DW: need to help people understand what can be done, even if it won’t be done
    • JB: one need here is the future of federation. It sounds like the call for that is getting to the ears that need to hear it. There are plenty of good things to do, but if only one federation does it, it’s not as impactful as an aligned effort of multiple federations
    • Next WG meeting is this Wednesday 11 ET
    • The report may need to be more socialized in the meantime before REFEDS could approve it
    • JB may need a new TAC liaison to this WG
    • MR: is there a sense or data that outlines how much inter-federation traffic is taking place?
    • JB: may be able to get something like that from a hub/spoke federation
    • AW: we may be able to get samples, but not a true global picture


Emailed Updates


From: Heather Flanagan

Date: Wednesday, May 18, 2022

International Update

REFEDS

  • The eduPersonDisplayPronoun consultation remains open until May 25.  More information can be found on the consultations page: https://wiki.refeds.org/display/CON
  • Have you registered to attend the 44th REFEDS meeting on Monday, 13 June 2022? Remote participation will be supported (but you need to register to get the link). https://refeds.org/meetings/44th
  • The R&S 2.0 WG is working through a question as to whether an SP can indicate the need for more than one of the attribute release entity categories in metadata. Relevant notes can be found on the REFEDS wiki.

SeamlessAccess

The WAYF Entry Disambiguation Working Group has completed its recommendations and has requested approval to publish. They expect to have the document out before the end of this month.

The Contract Language Working Group is also close to completing its contract template. Expect an announcement in the next few weeks.

The product roadmap is always available to the public: https://seamlessaccess.org/services/

Browser Interactions

The Federated Identity Community Group published a blog post called "Introduction to Federated Identity and the FedID CG". See https://www.w3.org/community/fed-id/2022/04/21/introduction-to-federated-identity-and-the-fedid-cg/. The group expects to publish a draft report later this month.

Wallets and Federation

Interest is slowly increasing, though we don't yet have chairs for the group. Instead, we have what looks to be an interesting Slack channel: #inc-did-wat. Thank you to Nicole Roy for kicking that off.



From: Steven Premeau

Date: Thursday, May 19, 2022

CACTI Update

  • Received a community update from Margaret Cullen
  • (Continued) Discussion of digital ids and wallets


InCommon Ops Update


From: Nicole Roy

Date: Thursday, May 19, 2022

- We have successfully tested the release candidate version of our Shibboleth MDA tooling, which we will deploy to production at 3:30 MDT on May 26th. This change gets us moved to the new eduGAIN metadata signing key. It also allows in two IdPs from eduGAIN (FEIDE and ZAMREN) which were being filtered by the previous version of our MDA tooling.

- We will have an FM release next Wednesday the 25th, which is mostly about allowing eduroam admins to add other eduroam admins to their organization(s). This is a “parity” item with the old eduroam portal, which allowed this functionality.

- We successfully upgraded our MDQ Node.js runtime from Node.js 10 to 14. This upgrade was necessary in order to stay on an AWS-supported version of Node.js.




From: Eric Goodman

Date: Thursday, May 19, 2022

CTAB Update

Most of the time on the CTAB call this week was discussing the general topic of “making federation easier” and “clarifying and communicating the value of InCommon”. The topic has been a point of emphasis anyway, but of course the (now misleadingly titled) “registering an Okta IdP in InCommon” thread on the Participants list increased discussion in this area.

I think the minutes when they come out will address most of the content of the discussion. I believe that Albert’s “SP Proxy” thread on the TAC list is also implicitly tied up in this general discussion of the value (current and potential) of the InCommon federation.

There were also updates from the MFA Subgroup and the TLS Working Group.

MFA Subgroup

MFA Subgroup has an edited draft of the REFEDS MFA Profile. At a high level there are no major changes from the existing version. This doc attempts to more concretely define some expectations called out in the existing profile, and attempts to distinguish normative vs. informational elements of the profile. But (my take) it does not add many new requirements/restrictions on the use of MFA. The primary new requirement is the statement:

A bearer cookie MAY be accepted for reuse of a previously performed authentication challenge (of one or all factors) occurring within the 12 hour window.

This is a general comment that addresses the Duo “remember me” feature, but tries to do so in a product-agnostic way.

TLS Workgroup

TLS Workgroup is discussing ways to address resources and workload required to maintain compliance checking for TLS implementations, as well as how to handle (future) substantial changes in how TLS grading is done. E.g., what would happen if SSL Labs substantially changed their grading process in a way that impacted a large number of InCommon entities.
