Minutes

Attendees: Derek Eiler, Mark Rank, Steven Premeau, Matt Porter, Keith Wessel, Krysten Stevens, Eric Goodman, Matthew Economou, Heather Flanagan, Joanne Boomer

Reps from other groups: David St Pierre Bantz 

Staff: Nicole Roy, Albert Wu, Johnny Lasker, Dave Shafer, 

Others:  David Walker

Regrets: Ann West, Steve, Kevin 

Scribes: Steven, Eric

Agenda Bash + request for notable working and advisory group updates

Status Updates - Q&A

T&I / Operations -

planning to close non-SAML access for delegated admins

FedCM hackathon – Nicole and Paul Caskey attending

Will be enhancing Federation Manager to confirm baseline compliance more proactively (currently only on edits) 

800-63-4 - Meeting weekly, going over comments made on draft in a set of Google documents. If you have comments please provide   (Request access via ____ ) 

TAC work plan theme

• Deployment Profile adoption
• Subject identifiers
• Attribute Release / Entity Categories
• Federation testing
• Looking for some way that we can provide tools to allow deployers to confirm interoperability before releasing their code into prod/the wild.
• After sorting through all the perspectives on what testing is or should be, settled on “black box” testing – testing whether the IdP or SP does the “correct” thing(s) when observed from the outside.
• Allows for use cases / stories that can be configured in browser / automated testing tools.
• Last year’s efforts were focused on SAML2Int, current goal is to expand scenarios to the other standards recommended (RAF, etc.) within the federation.
• Called for interested parties, not necessarily to “lead” but at least to help shepherd the process. Albert, Matthew E., Dave Shafer indicated intent to stay engaged.

Why do we care about SAML2Int and Entity Category adoption?

• What is SAML2Int? Overview for those that may not be familiar
  • https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.pdf
  • The working group got these documents formally adopted as kantara profiles (link above) 
  • Note that subject-id was an attempt to provide eppn/targetedid like functionality that are explicitly non-reassigned, and that don’t include “edu” naming (to hopefully encourage broader adoption)
• https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
• Fills in the “gaps” in the SAML2 standard when leveraged within a multilateral federation
• Calls out the adoption of subject-id and pairwise-id identifiers
• REFEDS Entity Categories
  • Effort in progress to get SeamlessAccess to champion adoption in publisher systems.
  • Anonymous - https://refeds.org/category/anonymous
  • Pseudonymous - https://refeds.org/category/pseudonymous
  • Personalized - https://refeds.org/category/personalized
  • May be non-trivial to implement depending on how identifiers are assigned in your organization.
  • Will need to provide guidance on why both are needed.
• Originally developed by SeamlessAccess project
• Describes bundled attribute release in three common scenarios
• Supporting pseudonymous and personalized requires subject-id support
• Personalized looks a lot like R&S
• Long term goal will be to make the default identifiers subject-id (correlatable) and pairwise-id (not correlatable)

• This may take awhile … (see vendors and email addresses – or anything they think could be an email address)

Email Updates

International Update

From Heather Flanagan:

REFEDS

• REFEDS officially has two new working groups, Browser Changes and Federation (co-chaired by Judith Bush and Zacharias Törnblom) and MRPS Update (chair TBD). 
• The REFEDS Survey results community chat is being rescheduled; date TBD. On 30 March REFEDS will be an update on identity and browser changes, and in April we will discuss the possible futures for MET. May will be time to consider how to improve REFEDS' community engagement, and June of course will be the REFEDS meeting (on a FRIDAY) at TNC! 
• The REFEDS coordinators cannot make the dates work for REFEDS to be alongside TechEx in September 2023, so the SC is considering what other options they will pursue for a fall meeting. Options are EDUCAUSE or the eduGAIN Town Hall.

Conferences

• Internet Identity Workshop - several individuals are planning to continue the conversation regarding browsers and federation during IIW.
• An informal list of interesting and relevant conferences for the IAM community is under development here:  https://github.com/fedidcg/meetings/wiki/List-of-Identity-and-Related-Conferences---2023 

Browser Interactions

• Members of the R&E community will be meeting with developers from Google's Chrome Team and Mozilla's Firefox team on February 28 and March 1 to share information on how to support the expansive privacy goals of the browser vendors. Outputs of that meeting will be public.

A note about draft NIST SP 800-63-4

• Heather Flanagan had an opportunity to talk to the NIST team working on NIST SP 800-63-4 about the new equity and trusted referee guidance. They are very open to constructive feedback. As InCommon members work on offering feedback, any guidance that helps NIST find sensible lines between providing direction and over-prescribing requirements will be appreciated.

Next Call @ March 9 2023