Minutes

Attendees:  Mark Rank, Steven Premeau, Eric Goodman, Keith Wessel, Heather Flanagan, Joanne Boomer, Derek Eiler, Judith Bush 

Reps from other groups: David Bantz (CTAB) 

Staff / SME: Albert Wu; Andrew Scott; Steve Zoppi; David Walker; Dave Shafer

Scribes: Judith, Steve

Agenda Bash + request for notable working and advisory group updates: none

Updates:

Note the invitation to participate in the InCommon Futures meeting next Friday, September 1, at 11:00 am EDT. All TAC members are invited to this session.

Request to forward the invite to the TAC list (the meeting is the full hour and a half, although we believe this will be the first item).

Celebrate Heather’s update! News in the industry: https://idpro.org/heather-flanagan-appointed-as-acting-executive-director-for-idpro/

Steve thinks this CACTI product is final but has not gone through the publication process; we’ll see it soon:

Discussed and accepted the final draft report of the Linking SSO Systems Working Group.

  • (As of the TAC meeting) Final report is published at the internal working group site
  • (Since the meeting) Final report has been published at http://doi.org/10.26869/TI.171.1

SaaS in the Federation

“R&E Federation vs Vendor SaaS Identity, difference in approach of SAML integrations” - Eric has motivation at work, for a number of reasons, to discuss this within the UC system.

  1. The IdP might be a VO (Virtual Org) – this might be a central identity solution
  2. The services might be SaaS organizational support tools (Atlassian, file sharing, SharePoint Online)

Please see Eric’s slides

  • (Title)
  • SaaS Collaboration Vendor’s view of Identity
  • InCommon Model of Identity
  • Collaboration SaaS Vendor’s view of Identity
  • Eric is trying to make a distinction between “instance” solutions - hosted in the cloud - and this model, which pools everything. E.g., a Salesforce or ServiceNow instance does not fall into this category of SP. It’s services like Google Cloud, Azure, Atlassian, Box, Docusign, Smartsheet, etc., where the business model allows broad collaboration between users from different organizations (or organization-less individuals).
  • SaaS Vendor’s view of Identity - Implications
  • Assumes that an IdP maps one-to-one to an email domain
  • Most vendors allow specifying that people not using an organizational IdP (e.g., some SSO) must have MFA; not all SSOs will necessarily have MFA (at least for one SaaS vendor)
  • If Alex had an email alex@example.org in a personal account, then when the organization Example claims example.org, all such users get aggregated into the organization account.
  • At least one vendor had an odd pattern: an email like alex@more.example.org may or may not be treated as affiliated (the vendor only supported claiming two-label domains, not three or more)
  • Because email is the account ID, tenant-controlled (or SSO-managed?) accounts can’t self-manage their emails (some vendors allow adding “additional emails”, but not changing the primary one)
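
The bullets above describe the vendor model in prose; the following is an added illustration (not any vendor’s code, not from Eric’s slides) of what that model does to a set of pre-existing accounts when an organization claims its domain. The account list, the domains, and the helper names (claim_domain, mfa_gaps) are constructed for the example. It shows the aggregation of personal accounts into the tenant, the two-label-vs-subdomain difference, the label-boundary check that keeps lookalike domains out, and the population a “non-SSO users must have MFA” setting would act on.

```python
"""Model of the collaboration-SaaS identity model: the email domain is the
tenant key, so claiming a domain aggregates every existing account under it.
Added illustration; not any vendor's actual logic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    email: str
    sso_managed: bool = False   # linked to the tenant's organizational IdP
    mfa_enrolled: bool = False  # has a vendor-side MFA factor


def email_domain(email: str) -> str:
    """Normalized domain part of an email address (lower-case, no trailing dot)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower().rstrip(".")


def domain_matches(domain: str, claimed: str, include_subdomains: bool) -> bool:
    """True if `domain` belongs to the claimed domain.

    The label-boundary check ("." + claimed) is what keeps
    example.org.other.test and notexample.org out of an example.org claim.
    """
    domain, claimed = domain.lower(), claimed.lower()
    if domain == claimed:
        return True
    return include_subdomains and domain.endswith("." + claimed)


def claim_domain(accounts, claimed, include_subdomains=False):
    """Accounts the vendor would pull into the tenant once `claimed` is verified.

    include_subdomains=False models the vendor that only supports claiming
    two-label domains: alex@more.example.org stays outside the tenant.
    """
    return [a for a in accounts
            if domain_matches(email_domain(a.email), claimed, include_subdomains)]


def mfa_gaps(tenant_accounts):
    """Tenant accounts not covered by SSO and without vendor-side MFA: the
    population a "non-SSO users must have MFA" setting would act on."""
    return [a for a in tenant_accounts if not a.sso_managed and not a.mfa_enrolled]


# Constructed sample accounts; the domains are placeholders.
SAMPLE_ACCOUNTS = [
    Account("alex@example.org"),                       # personal signup, pre-dates the claim
    Account("sam@Example.ORG", sso_managed=True),      # provisioned via the org IdP
    Account("pat@more.example.org"),                   # departmental subdomain
    Account("eve@example.org.other.test"),             # lookalike: must not match
    Account("kim@notexample.org", mfa_enrolled=True),  # unrelated domain
]


if __name__ == "__main__":
    tenant = claim_domain(SAMPLE_ACCOUNTS, "example.org")
    print("aggregated into tenant:", [a.email for a in tenant])
    print("with subdomains:", [a.email for a in claim_domain(SAMPLE_ACCOUNTS, "example.org", True)])
    print("non-SSO accounts lacking MFA:", [a.email for a in mfa_gaps(tenant)])
```

Run stand-alone it prints three lists: alex and sam are aggregated by the two-label claim, pat joins only when subdomains are included, and alex is the one account the MFA requirement would bite. The lookalike and unrelated domains never match.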

This is such a different model. Maybe there’s a use for a virtual organization to manage authentication and set permissions appropriately - but using the users’ “native” vendor Identity rather than a VO-managed one (e.g., the VO knows my home-org Azure identifier, and uses some side-channel communication to grant access to my home-org ID in their Azure hosted service - or to inject custom user attributes from the IdP that would not otherwise be available to the VO environment). This solution – especially with the authz and/or backend process to manage permissions – would be per vendor.

(Not said during the presentation, but side note afterwards: this is part of the motivation for suggesting that IAM operators should plan to support and maintain an “official, usable-as-a-userid” email address attribute for their users.)

MARK: “Service provider domestication.”  Some vendors are driven by compliance and it frames their design decisions (and perhaps what the R&E community might call “rigidity”). InCommon Catalyst partners can help.

TAC at TechEx

Slide building underway for the Entity Categories/Deployment profile convo.

Face to Face: BTW, the TAC face to face meeting at TechEx will be Wednesday from 12:10 to 1:40 (room for 40, there will be a projector). Walk through workplan…. How to make an open meeting more engaging (and focused on constructive outcomes). David suggests asking what the pain points are (that might be solved collaboratively). [Some discussion about scoping the conversation.]

Email Updates

CTAB Update

From Eric G.,

There were lots of topics touched upon during this week’s CTAB meeting. These included TechEx planning, CommEx planning and work from other committees.

The main topic of discussion focused on one aspect of the ongoing “Maturing Federation” theme, and this was guidance on use of Entitlements to federation members. In this context, we’re talking about how to manage and express Entitlements/Access decisions generally (i.e., not necessarily use of the “eduPersonEntitlements” attribute specifically, though that would likely also be included).

To a large extent this discussion is still in a discovery phase, with focus on both scoping exactly what is meant by “federated entitlements support” as well as what guidance we might want to provide within whatever scope ends up being defined. If there are people with strong opinions/ideas on what makes sense (especially from a “guidance to federation members” point of view), it might be worth reaching out to David as there are several informal discussions on the topic, in addition to the formal discussions within the CTAB meetings.

CACTI Updates

From Steven P.,

On August 16th, CACTI:

  • Discussed and accepted the final draft report of the Linking SSO Systems Working Group.
    • Final report is published at the internal working group site.
    • There will be a formal communication to TAC (given our role in defining the working group) in the near future as the report makes its way to public availability.
  • Report Out from the eduroam Advisory committee about the ongoing RADIUS security conversations.
    • There is an eAC (?) working group developing / updating best practices & [eduroam] baseline expectations
  • Discussed the next steps in the NIST conversation(s).
  • Open discussion on the InCommon "brain drain" / "community [participation] challenge"
    • Brainstorming of outreach ideas and the start of the discussion on how to conduct outreach.

International Updates

From Heather F.,

International

REFEDS

  • The consultation for the REFEDS Assurance Framework v2.0 is now closed. The working group is going through the comments. Definitely a successful consultation!
  • The next REFEDS meeting will be concurrent with the eduGAIN Town Hall in Stockholm October 10-11. Registration is now available: https://events.geant.org/event/1428/
  • REFEDS will be represented at APAN 56 in Sri Lanka this week (21-25 August). Nicole Harris is there meeting with representatives from NRENs in the region.

Other news

  • The OAuth Security Workshop (OSW) happened this week in London. The thinking coming out of that is pretty impressive. Keep an eye on their website for slides from the event: https://oauth.secworkshop.events/osw2023

Next Call @ September 7, 2023
