This is an open face-to-face meeting held during TechEx 2023 in Minneapolis, MN.

Minutes

Attendees: over 30 conference attendees, including TAC members (Mark Rank, Judith Bush, Joanne Boomer, Steven Premeau, Keith Wessel, Derek Eiler, Matthew Economou).

Scribe – Mark Rank, Judith Bush

  • Intro by Keith
    • TAC members (from slides)
  • Review of workplan
  • SAML2Int Adoption plan - From slides
    • IdP operators - most
    • SP operators - handful
    • Proxy operators - handful
    • Keith prompts for thoughts
    • Scott asks for prioritization; Albert responds with reference to prior work, with Subject Identifiers as a priority; both acknowledge the entity categories as a way to motivate adoption.
    • Scott says it would be nice to know which SPs are reading the metadata for key rollover, since we [don’t/can’t] enforce consumption of metadata.
    • Judith talked about the testing working group and whether that is the place to establish SAML2Int compliance (such as metadata consumption).
    • Albert polled the group.
    • Chris Phillips asks if the federation agreement requires metadata consumption. Albert - there is a process going on to have ongoing evaluation of baseline compliance.
    • Albert proposes a “measure of success” (“are you ready to interoperate well?”) vs “compliance with spec” – codifying it in a clear and simple way, working out a measured maturity model.
    • Mark: measure of success/maturity – does it also depend on the size of the role in the federation?
    • Albert notes that commercial SP operators ask how to integrate with the federation.
    • Chris Phillips calls out SAML2Int as a clear guide to HOW – teams have to have the tech skills. Contract it out if you can’t.
    • Mark: “What is the clearly articulated business priority” of being in the federation vs other business priorities?
    • Gabor - on the topic of (business) value – even a poor implementer who is in InCommon satisfies policy clearances that are valuable. A maturity model is helpful (as opposed to binary compliance) because keeping “immature” implementations that have agreed to policy is still valuable.
    • Albert points out that IdP standardization on attributes is a business value for SPs.
  • Entity Category Adoption
    • Keith prompts for comments – 🦗
    • Matthew asks how this is different from R&S. Scott - identifiers, yes; but it also eliminates the qualitative evaluation of “what is R&S”, even though InCommon will use the same policy to evaluate SPs for Personalized. (Nod to affiliation and assurance attributes.)
    • Albert focused on the identifiers; also a hope that this is clearer; automatic release for anonymous and pseudonymous.
    • Chris Phillips asks about schacHomeOrganization validation – the scopes in metadata are validated by InCommon, but there is no testing of whether the IdP’s issuing complies with the validated metadata; big question whether SPs are checking.
    • Albert emphasizes the need for clarity
  • Federation Proxies 
    • Whoops! Some discussion missed
    • AARC Blueprint for VO is a guide for the technical and with SANCTIFI is policy (for research); Organizational policy is needed when the proxy spans organizations.  InCommon needs to have a clear explanation for the actors who act in the federation as something different than explicit SP and IdP.
    • Yup, even more discussion missed.
    • Scott says if you let people keep their bugs they will keep them. (In the sense that proxies bridge failures of the ecosystem.)
  • Federation Testing
    • Albert notes that government SPs need test IdPs to ensure that they are doing MFA correctly.
    • Mark says there is a need to validate both IdPs and SPs.
    • Matthew notes that there are tools to test your IdP, but SPs don’t have a good test space.
    • Mark says focusing on SP testing is the higher priority.
    • Chris describes access-check.edugain.org; it and another tool are available, but you have to be in the aggregate.
    • Albert says a small group of feds are talking about shared tools that are bound to the federation. 
  • Recruiting for 2024 TAC membership
    • Would be lovely to have international participation, smaller universities and colleges, and some VOs to speak to the federation proxy topic.
  • What should we be doing?
    • Albert points to Tom Barton discussing zero trust with US federal agencies
    • Gabor asks about Risk signaling protocol in the assertion
      • You need to know the device, the environment they are in, etc.
    • Zero trust in federated identity
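Two of the points above (whether SPs read the validated shibmd:Scope values in metadata, and whether anyone checks that what an IdP actually asserts in eduPersonPrincipalName, eduPersonScopedAffiliation and schacHomeOrganization is consistent with those registered scopes) amount to a concrete SP-side check. The following is an added illustration, not code from the meeting, from InCommon or from any Shibboleth product: it parses a constructed metadata fragment (the entityID, scopes and assertion values are invented for the example), collects each IdP’s literal and regexp scopes, and then verifies the scoped values in a constructed assertion against the issuer’s registered scopes.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed metadata aggregate fragment (hypothetical entityID and scopes).
METADATA = r"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
        <shibmd:Scope regexp="true">^[a-z]+\.campus\.example\.edu$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed assertion (no signature; signature validation is assumed to have
# already happened before attribute checking). The affiliation value is
# deliberately outside the IdP's registered scopes.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2023-09-20T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@other.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" FriendlyName="schacHomeOrganization">
      <saml:AttributeValue>physics.campus.example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attributes whose value carries a "user@scope" suffix that must match metadata.
SCOPED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}
# schacHomeOrganization is a bare domain and is compared to the scopes directly.
HOME_ORG = "urn:oid:1.3.6.1.4.1.25178.1.2.9"


def load_scopes(metadata_xml):
    """Return {entityID: [(pattern, is_regexp), ...]} for every IdP in the aggregate."""
    root = ET.fromstring(metadata_xml)
    scopes = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only entity: no scopes to register
        entries = []
        for s in idp.findall("md:Extensions/shibmd:Scope", NS):
            is_regexp = s.get("regexp", "false").lower() == "true"
            entries.append(((s.text or "").strip(), is_regexp))
        scopes[ed.get("entityID")] = entries
    return scopes


def scope_allowed(scope, entries):
    """True if the scope matches a literal scope (case-insensitively) or a regexp scope."""
    for pattern, is_regexp in entries:
        if is_regexp:
            if re.fullmatch(pattern, scope):
                return True
        elif scope.lower() == pattern.lower():
            return True
    return False


def check_assertion(assertion_xml, scopes):
    """Return [(friendly_name, value, allowed)] for each scoped value in the assertion.

    Scopes are looked up by the assertion's Issuer, so an IdP cannot claim
    another organisation's scope just by asserting it.
    """
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    entries = scopes.get(issuer, [])  # unknown issuer => nothing is allowed
    results = []
    for attr in root.findall(".//saml:Attribute", NS):
        name = attr.get("Name")
        for val in attr.findall("saml:AttributeValue", NS):
            value = (val.text or "").strip()
            if name in SCOPED:
                if "@" not in value:
                    results.append((SCOPED[name], value, False))  # unscoped: reject
                    continue
                scope = value.rsplit("@", 1)[1]
                results.append((SCOPED[name], value, scope_allowed(scope, entries)))
            elif name == HOME_ORG:
                results.append(("schacHomeOrganization", value, scope_allowed(value, entries)))
    return results


if __name__ == "__main__":
    for friendly, value, ok in check_assertion(ASSERTION, load_scopes(METADATA)):
        print("%-28s %-30s %s" % (friendly, value, "ok" if ok else "REJECT"))
```

In the constructed input the ePPN and schacHomeOrganization values pass (the latter via the regexp scope) while the member@other.edu affiliation is rejected, which is exactly the class of mismatch that metadata validation alone never catches. Shibboleth SP and IdP deployments have their own built-in scope filtering; this block only makes the check visible so an SP operator can see what is being relied on.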

Next Meeting @ October 5, 2023
