Minutes

Attendees : Heather Flanagan, Judith Bush, Matt Porter, Keith Wessel, Eric Goodman, Mark Rank, Steven Premeau, David St Pierre Bantz (CTAB), Les LaCroix, Matt Brookover

With (Also Starring) : Albert Wu, David Walker, IJ Kim, Kevin M., Ann W.
Regrets : Joanne Boomer, Nicole Roy, Matthew E.
Scribes : Eric G, Steve P., Judith

Agenda Bash

No changes/additions.

Status Updates - Q&A

  1. Tabletop security exercise - reminder call for participation is active/circulating
  2. EntityID item update - see notes below
  3. Working on close-out of BE2 (Baseline Expectations 2). 68 outstanding items. Could use help with outreach to those sites.
  4. No questions/comments on other updates (see separate notes area)

Check in on 2022 Work Items - what do you think your realistic deliverable will be by mid-November?

Deployment Profile Adoption

  1. Working on value statement
  2. Plan to reconvene the group shortly.
  3. Will have a draft of action items in the near term.

SAML Identifiers

  1. Matthew not present, will follow up offline / on future calls.
  2. Mark did bring some info to TAC a few months ago about Duke’s use of subject-id. 
  3. Duke is using subject-id for some specific use cases.

Federation Testing 

  1. Group has developed an outline of testing approach. 
  2. Can populate it with the tests that are already expected:
    1. These are largely things already required by current InCommon agreements, Baseline Expectations, etc.
    2. Others are driven by the Deployment Profile and are still under discussion.
    3. This is based on earlier TAC discussions in which Deployment Profile items were classified as "already required", "under consideration", etc.

Standing Items

  1. Browser update - We get routine updates from Heather, and arguably the DID/VC/Wallet work fits under this item as well.
  2. HECVAT management -  Unclear.
  3. EntityID guidance - No further input from TAC members; we will record TAC's preference for Option 1 based on the input received so far. Separately, the same/similar discussion around entity IDs arose on the REFEDS list. It may lead to a REFEDS working group to clarify how to frame the community's position/preference on the matter (in the REFEDS Federation Metadata Registration Practices template).
  4. 2022 TAC accomplishments report - we are not done with our 2022 work yet; it is a little early to start on the report.

Heads up: Class of 2023 TAC member recruiting starting 

  1. TechEx is in December, which is too late in the year to influence recruiting, so we need to get started now: please start thinking about possible candidates for 2023 terms and reach out where appropriate.
  2. Four TAC members' terms are expiring: Keith W, Eric G, Mark R, and Matthew E.
  3. Mark has done some outreach to clients to see if any have interest.

Updates from Cross-Committee Chair meeting (Keith)

  1. One item was a focus on change and change management as requirements and needs evolve.
  2. Referenced an older "futures report" from 2009:
    1. InCommon published an "InCommon Futures" report in 2009: https://incommon.org/wp-content/uploads/2019/04/InCommonFuture_20090701.pdf
    2. Considering producing a new version for the next decade.
    3. Possibly a "risk registry" approach.
  3. There is a swell of positive energy toward InCommon's objectives and future directions.

Roundtable - What are the strengths, weakness, opportunities, challenges, needs in your institution as it relates to IAM? 

  • What forces (technology, business needs, cultural, financial) are pressuring you to change? What specific changes are you being asked to make?
  • What is your 5 year outlook of where you’d be if you don’t make any course change?
  • Any other thoughts beyond narrowly IAM?
  • We are looking for common pains; where there is common pain, there is opportunity to work together to alleviate it

Discussion follows:

  • Attendee A: 
    1. IAM set up is extremely manual compared to how today’s world works, getting pressure to modernize.
    2. Segments solving problems on own when not solved centrally (causes fragmentation)
    3. Unclear on whether to use internal skills vs. vendor solutions, with leadership unclear on what the pros and cons are for the various bits.
    4. IAM life cycle management improvements needed
  • Attendee B:
    1. Continually challenged to replace internally developed and managed authN solutions with off the shelf/cloud solutions; evaluation continues to find gaps between offerings and needs, both features and cost/scale.
    2. Looking at what librarians are looking for in expressing authorization (more so than authentication).
  • Attendee C:
    1. Substantial turnover of IT resources and associated loss of community and institutional knowledge. Being replaced by people who were trained in a MS/Okta/Oracle/whatever world, and see that as “the” solution.
    2. Uptake of OIDC
    3. Gaps(?) between what RE institutions need and what vendor solutions provide.
    4. Not only budget pressures at the University level, but also students may not value a University education at the same level as they used to (i.e., reduced investment in RE overall in some cases).
    5. Customers are still looking for SSO solutions that manage an SSH style of integration, which typically is not well supported.
  • Attendee D:
    1. Perspective mostly as an SP.
    2. Most drivers coming from customers (aka IdP)
    3. Along with others' comments about institutional knowledge loss at the locations, there is also a need to set a baseline with people on the other end (the IdPs they integrate with).
    4. InCommon solutions (BE, etc.) look to address this, but they don’t solve all the issues they need to deal with.
    5. From a futures POV, more reactive to what is needed by people. But definitely interested in VC/DID/Wallet.
  • Attendee E:
    1. +1 Staff turnover
    2. Keeping people up to speed on IAM issues
    3. New leadership wanting a different architecture
    4. RFP for a new IAM system.
    5. Windows people that want to use ADFS for everything.
  • Attendee F:
    1. Lots of +1s
    2. Actually moved from a vendor product to Shib.
    3. Lot of the issues are in the IAM space
    4. Have a consistent identifier, but not a consistent group of business roles
    5. Commercial solutions don’t meet our business logic.
    6. Transitioning some ERP systems; may be a chance to drive more business roles from that data.
    7. LoA discussions
  • Attendee G:
    1. Currently ADFS -> Azure AD 
    2. Lots of people moving to IdP SaaS solutions.
    3. Still a driving need for federation. 
    4. Shib is still a great solution for their needs. Vendors don’t really look at the more-than-bilateral integrations.
    5. InCommon can maybe help fill the gaps (guidance, vendors like Cirrus, etc.)
  • Attendee H:
    1. running Universities "more like a business" driving:
      1. IT shift from enabling partner to cost center; efficiency as driving metric
      2. command and control style rather than community focus
      3. desire for "out of the box" single vended solutions
    2. current initiatives in the security/IAM space largely based on implementing controls (vended command and control solutions) viewed as requirements of federal rules or laws and insurance requirements
    3. our strength remains partnering with and empowering creative researchers and educators; we need to reinforce relations with those allies to influence campus IT architecture and priorities

Email Updates

CTAB Update

From: Eric Goodman
Date: August 11, 2022

  • Workgroup updates (many you’ll separately get here at TAC)
    • REFEDS MFA Working Subgroup
    • REFEDS Assurance Framework WG
    • Entity Categories
    • CACTI (several interesting sounding ones here…)
  • BE2 closeout
    • On the long tail of cleanup.
    • Working to reach out to entities still not in compliance before moving to start removal discussions/processes
  • TechEx (and general) planning – mostly around what input is being sought/seeds being planted at TechEx
    • Discussion of future directions and what community input is desired.
    • Future of trust/assurance/interop (BE or otherwise)
  • Looking at potential new members
  • IdP as a service Update
    • Albert gave details on the service InCommon Ops is working on
    • (I assume he’ll speak about it as part of his TAC update, so I’m not saying more here)

CACTI Update

From: Steven Premeau
Date: August 11, 2022

  • Working group updates
    • Goal is to have first-cut of descriptions of scenarios, along with applicable situations into the spreadsheet 
    • kicked off a couple weeks ago, still actively seeking participants.
    • there is ongoing work in the IETF EMU (EAP Method Update) WG.  
    • They are updating EAP-TLS to use TLS 1.3 (i.e. encrypting the certificates across the wire).  
    • There is also discussion of privacy enhancements to other commonly-used EAP methods — PEAP and EAP-TTLS.
    • Linking SSO WG
    • IDPaaSv2 
    • Cloud Security Alliance 
    • REFEDS MFA (subgroup)  - refining some definitions in the REFEDS MFA profile. Hoping to wrap up shortly.
    • IETF EMU WG - updating EAP-TLS 
    • CTAB - the bulk of the meeting focused on the report and presentation to Steering on recommendations for next steps on Baseline Expectations 2 (how to deal with various entities not yet in full compliance etc.).
    • Convos in CACTI, TAC, CTAB, Steering, etc. about the future of federation. Doing a planning effort that is in parallel to and connected to the larger Internet2 planning effort. Develop a framework for having those conversations so we can focus on eduroam and federation. Taking off later parts of ‘22, likely a focus for CY ‘23. Upcoming quarterly committee chairs call. Will start working on this there as well. Nascent conversations with InCommon Steering. Steering is also interested in a planning conversation.
  • Planning for November IAM Online - outsourcing identity - what do you have to retain? 
  • Update/question from July 25, 2022 TI Component Architects call
    • Should CACTI be discussing the higher-education and research position we should be taking on the constellation of these: Self-Sovereign ID / Wallet / WebAuthN / passkey (portable authenticator) / etc ?
    • What, if any, role should InCommon/I2 have in shaping / facilitating / supporting these new technologies?  To what extent are they solutions to problems we have, and to what extent are they just different implementations?
    • (This topic generated a lot of discussion before we ran out of time)

Internet2 Ops Update

From: Johnny Lasker
Date: August 11, 2022

  1. Finished deploying AWS CloudFront CDN in front of Federation Manager
    1. Serves custom error pages when the backend app is unavailable for any reason
    2. Caches static content closer to users
    3. Adds IPv6 support
  2. Wrapping up eduroam Administrator self-service IdP Testing feature
    1. Allows eduroam Administrators to test various authentication types against their IdP realm(s)
    2. Adds enhanced messaging capabilities for this feature and the FM in general
    3. Targeting for next release


Next Call August 25, 2022