Minutes

Attendees: Keith Wessel, Judith Bush, Joanne Boomer, Derek Eiler, Eric Goodman, Marina Krenz, Matthew Economou, Steven Premeau

Reps from other groups: David St Pierre Bantz (CTAB); Les LaCroix (CACTI)

Staff: Dave Shafer; IJ Kim; Andrew Scott

Others: 

Regrets: Heather Flanagan; Matthew Porter; Mark Rank

Scribes: Eric, Steven

Welcome Marina / Quick Introductions

Status Updates - Q&A

  • CTAB
    • received and discussed various WG updates
    • Operationalizing baseline expectations (vs “one and done”)
    • Comments on 800-63 v.4 are being submitted
  • Joint CTAB/TAC TechEx proposal has been submitted.
  • Browser Changes working group
    • Browser vendors have been doing bounce tracking mitigations (i.e., deploying changes that could affect Fed Auth), such as truncating IDs, expiring cookies, etc.
    • FF and Safari are using lists of sites to drive whether to allow state to be remembered.
    • Chrome is using “interaction at the bounced site” to indicate that the user is “okay with” the bounced location.
      • Chrome uses the simple (two-party) model for determining allowed remembered state/cookies.
      • This means that middle things (WAYFs, proxies) will be limited to 1 hour of remembered state, after which the state will generally be lost.
    • Historically - and possibly forward looking - this has meant that we need to bend to make our protocols fit with their changes, rather than expecting vendors to accommodate our services. 
    • May end up creating a new “consent” layer, where the user needs to consent to the browser conveying SAML information before any interaction can take place, and then once that’s been allowed, then we can start doing our normal SAML conversations. 
    • With multiple hops, each hop (middle thing) would need to be consented to. 
    • Could end up being ignored the same way EULAs are. The consent language in these cases is controlled by the browser; the site being consented to does not control the language.
    • Have been working with the FedID CG, but concerns more closely align with the Privacy CG.
    • Discussion of browser vendors’ current work:
      • W3C “decisions” can frequently be driven more by what the three vendors are willing to agree on than by community input.
    • Discussion of how consent could impact UX


Updates from the deployment profile/entity categories adoption group

  • Group had previously determined to focus on entity categories.
  • Started with Anonymous EC – thought it might be simplest, but consumed most of the hour.
    • Lack of consistent definitions
    • Privacy concerns - e.g., just releasing the scope may be overly revealing
    • Noted that an informal poll showed that IdPs do not always follow the spec correctly, even setting aside other inconsistencies (e.g., swapping the meanings of member and affiliate)
    • And each has their own conundrums, such as only allowing a single SCHAC organization.
    • Issues: eduPerson affiliation
    • Cases where multiple different kinds of values may be relied upon (e.g., SCHAC vs. eduPerson) that create additional burden on the IdP operators.
    • Does there need to be more of a distinction between “internal” and “external” definition of affiliations?

Discussion: SAML and OIDC in federations – past, present, future

  • Discussion about OIDC vs. SAML. 
    • Some reasons: infrastructure for supporting mesh federation in OIDC is still less mature (at least, unless you are willing to just trust “any old OIDC OP”).
    • A lot of OIDC capabilities are built assuming you are using a known, large vendor OP
    • Proxy, standalone OP that authenticates users via SAML, etc.
    • E.g., WAYF isn’t a SAML-specific issue, it’s addressing a multilateral issue
    • Lots of newer developers/deployers want to use OIDC. Why isn’t I2/IC supporting it?
    • What do people do?
    • Conflation of SAML complexity vs. multilateral complexity

Email Updates

CACTI Updates

From Steven Premeau:

At their March meeting, CACTI discussed:

  • FedCM
  • An under development Passwordless blog post
  • Verifiable Credentials and Digital Wallets


The April meeting is currently planning to discuss the following topics next Wednesday:

  • PeopleSoft WG proposal to roll back in to Software Integration WG
  • Status update on Passwordless Authentication and Password Managers blog post
  • Charter for Next-Generation Credentials WG


Next Call @ May 4, 2023
