Per-Entity Metadata Working Group - 2016-09-21
Agenda and Notes
[Etherpad used to create these notes: Agenda_and_Notes_-_2016-09-21.etherpad]
Dial in from a Phone:
Dial one of the following numbers:
Meeting URL (for VOIP and video): https://bluejeans.com/195646158
Wiki space: https://spaces.at.internet2.edu/x/T4PmBQ
- David Walker InCommon / Internet2
- Phil Pishioneri, Penn State
- Nick Roy, InCommon/Internet2
- Ian Young
- Tom Scavo, InCommon/Internet2
- Scott Koranda (LIGO)
- Michael Domingues, University of Iowa
- John Kazmerzak, University of Iowa
- Scott Cantor, tOSU
- IJ Kim, Internet2
- Rhys Smith, Jisc
- Chris Phillips, CANARIE
- Tommy Doan, Southern Methodist University
- Tom Mitchell, GENI
Agenda and Notes
- NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework. - http://www.internet2.edu/policies/intellectual-property-framework/
- NOTE WELL: The call is being recorded.
- Agenda bash
- No call next week (9/28/2016)
- Please come to our TechEx session, Tuesday 2:30-3:20, Bayfront A - https://meetings.internet2.edu/2016-technology-exchange/detail/10004447/
- IdP-only aggregate for SP consumption
- Status? (Tom Scavo)
- What should we say about this at TechX session?
- This is in production as of yesterday. Not announced yet, but it's not a secret. We can mention it at TechEx
- First draft of Final Report of the Per-Entity Metadata Working Group
- Chris: We should comment on adoption by commercial SAML implementations.
- Nick mentioned that Workday recently asked for per-entity metadata. They also said their security people would require TLS.
- It looks like we may get more uptake of metadata with MDQ than what we've seen with the aggregate.
- We can't really expect a lot of uptake of the signatures, though, and MDQ (being synchronous with SSO flows) is arguably weaker than the aggregates.
- A reminder: our consensus last week was that we will require TLS but leave selection of the certificate to Ops
- Messaging to the community will be critical to describe what is provided by TLS and what is not.
- This would just be to mitigate (to some extent) injection of bad metadata. Trust comes from the signing key.
- Should we recommend that InCommon add verification of metadata signatures to its baseline practices?
- We can do that, but it may not be acceptable to the community, at least at this time.
- Consensus this week was not to offer http. TLS must be used. <-- CP: sure, like Scott C said though, doesn't exclude http delivery (in the spirit of additive confidence in data)
- We can continue this discussion next week.
- We should target some vendors: Workday, Ping, Microsoft.
- Nick will do this when we have a near-final version of the report.
- Goal of first draft is to get feedback from attendees of our TechEx session.
- Please review and comment prior to the call.
- Monitoring the InCommon MDQ Service - Requirements for Ops
- Need continuous monitoring by Ops from perspective of consumers
- Monitoring information should be made transparent to federation participants - the manner of which (and details) should be left up to Ops
- Interesting example: https://status.aaf.edu.au/
- Another one: http://weathermap.canarie.ca/caf/eduroam/ (<-- not SAML but 802.1x which does live sign on/reachability tests)
- SWITCH also has internal monitoring -- ping Lukas Hammerle for a glimpse of it.
- Tom's BIG issues
- Do we need preview-main-fallback servers or is a single production server adequate?
- Preview yes, but not meet same HA and performance requirements.
- Does the server need to support HTTP Conditional GET?
- It's desirable/recommended. Leave decision to Ops.
- What is the range of permissible validUntil dates on each entity descriptor? (we discussed this briefly on today's call)
- We should continue this in email and at TechEx.
- Is there a cacheDuration on each entity descriptor, and if so, what is its value?
- What is our failover strategy?
- Post TechX plans for the working group
- Submit report to TAC
- Scott will probably not be available for calls until 11/19. David will lead 11/5 and 11/12 calls.
- Hopefully 11/19 could be our last call, but we'll want to start a couple-week community consultation at that time, so we may need to schedule another call after that.