Date: Fri, 29 Mar 2024 14:13:21 +0000 (UTC)
Subject: Exported From Confluence
Minutes
Attending: Janemarie Duh, Mary McKee, Judith Bush, Heather Flanagan, Eric Goodman, Jessica Coltrin, Matt Brookover, Michael Grady
With: Nick Roy, Dave Shafer, IJ Kim, James Babb, Ian Young, David Bantz
Action Items
- (AI) Nick: prepare a summary of proposed actions for adoption of OASIS SAML Subject Identifiers in InCommon Federation
- (AI) Mary: post to technical-discuss@incommon.org about the stable identifiers challenges
- (AI) Janemarie: give update on badging subgroup on next TAC call
Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.
Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.
T&I Ops Update
- SAML 1.1 entity descriptors
  - May not be useful
  - Ops reach out to the IdPs and SPs (AI: Nick and Babb)
  - Keep TAC updated on these
  - Suggested that these should be considered by CTAB as a possible thing to handle in Baseline 2.0 - David Bantz will take to CTAB for consideration
- Update on FM planning/Internet2 Collab Platform integration/etc.
International Update
- 173 submissions resulting in 203 comments for RA21 comment period. Will be reviewing with RA21 leadership in San Diego next week.
  - Eric Goodman and Nick Roy left comments
Working Group/Collab Updates
- OIDC Deployment - meeting this week cancelled due to illness
- REFEDS 2.0 - reviewing comments from surveys, interview feedback, using as input to conversations in Tallinn
- IdPaaS - three calls, good participation, getting together a survey to get a sense for what the market looks like. Getting heads around ‘what will allow this to get the momentum it needs with people making purchasing decisions?’ Trying to figure out how to get something meaningful from CIO-level respondents. What is compelling to leadership?
- CACTI - possible open meeting at TechEx, eduroam advisory council; overlap of IdPaaS for both RADIUS and SAML, IDPro body of knowledge discussion (Heather is IDPro principal editor).
- CTAB - Baseline 2.0 work
Support for new SAML subject identifiers
- Very early stages of figuring out what to do about this. The Deployment Profile WG knew that it needed to have consistent identifiers. eduPersonTargetedID and the SAML2 persistent NameID are subject to significant security risk – some apps handle identifiers as case-insensitive while these are meant to be case-sensitive. Looked at work in OIDC. Want to do something similar to OIDC so that vendors do not have to be able to use eduPerson SAML attributes. Nice because it works better between SAML and OIDC. Also, the attributes are defined at the OASIS level, so they are no longer education-specific.
- Signaling mechanism: SPs can request the type they want, and as long as the IdP can respond, it will work. A syntax is defined for how to express the needs.
- Probably should add support for these new attributes to InCommon Federation Manager. But chicken & egg - IdPs aren’t ready yet, so not good if SPs are going to start asking.
- Probably need an education campaign and to get these attributes baked into the out-of-the-box TAP containers.
- Thoughts?
- Just need to be thoughtful about the steps involved going forward: webinar, TIER packaging changes, etc. around the time we add it in to the Federation Manager.
- Highly unlikely that existing apps are going to want to switch. Target audience for this is really new applications, new collaborations.
- Lots to untangle. Are these attributes from the deployment profile?
- Fundamentally, this is the thing the deployment profile recommended, but it was run separately through OASIS.
- A non-education profile out there (healthcare, through Kantara) is adopting the SAML subject-id.
- Going to take a while to get this change to percolate throughout the community for widespread adoption. The Federation Manager change is going to be the easiest part.
- Probably will need to be added to R&S too.
- Do we eventually do a Baseline 3.0 like in 2021 to require IdPs to support this? Challenge of wanting to make sure that IdPs are out there to respond to what the SPs are requesting.
- REFEDS schema editorial board has a workplan for this - taking Scott Cantor’s suggestions and incorporating them in it.
- Another challenge: on the IAM system side of things there are a lot of systems out there where a stable identifier does not exist. It may be that IdPaaS supports these identifiers, but that means it needs a stable source of person identifiers.
- Duke has a complicated use case for this: how do we create immutable identifiers for everyone and everything that we track? Need a standard identifier to handle that there are both internal and external identifiers currently. Want to get ahead of that question.
- Surprising how many big institutions do not have an internal identifier that could be used to build out the identifiers for this.
- Going forward: short written summary on what was talked about above. AI: Nick write up draft recommendations for InCommon implementation, share with TAC.
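An added illustration of two points in the discussion above; it is not part of the minutes and is not InCommon, Shibboleth or TIER code. It shows why folding the case of an opaque eduPersonTargetedID/persistent NameID value merges distinct users into one account, and how an SP's requested identifier type, signalled through the OASIS subject-id:req entity attribute in its metadata, can drive what an IdP releases. The SP metadata fragment, the user record, the identifier values and the release policy for "any"/"none" are constructed assumptions for the example.

```python
# Constructed illustration of two points from the TAC discussion:
# (1) an opaque, case-sensitive identifier (eduPersonTargetedID / SAML2
#     persistent NameID style) breaks when an application folds case, and
# (2) an SP can signal which OASIS SAML subject identifier it wants through
#     an entity attribute in its metadata, and the IdP can honour it.
# Nothing here is InCommon or Shibboleth code; the SP metadata, user record,
# identifier values and release policy are made up for the example.
import xml.etree.ElementTree as ET

# Attribute and entity-attribute names from the OASIS SAML V2.0 Subject
# Identifier Attributes Profile.
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
SUBJECT_ID_REQ = "urn:oasis:names:tc:SAML:profiles:subject-id:req"

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata fragment: this SP asks for a pairwise-id.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:profiles:subject-id:req"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>pairwise-id</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""

# Constructed IdP-side view of one user: a global subject-id plus one
# pairwise-id per SP (keyed by the SP's entityID).
USER = {
    "subject_id": "jdoe@example.edu",
    "pairwise_ids": {
        "https://sp.example.org/shibboleth": "c8f7d2a1b3e4@example.edu",
    },
}

# Two constructed persistent-NameID-style values that differ only in case.
# Base64 is case-sensitive, so these identify two different people.
TARGETED_IDS = ["AbC123+x/Q==", "abc123+X/q=="]


def requested_identifier_type(sp_metadata_xml):
    """Return the value of the subject-id:req entity attribute, or None
    when the SP does not signal a preference."""
    root = ET.fromstring(sp_metadata_xml)
    for attr in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == SUBJECT_ID_REQ:
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    return value.text.strip()
    return None


def identifier_to_release(requested, sp_entity_id, user):
    """Pick the identifier attribute an IdP releases for this SP.
    The policy is this example's own assumption: 'any' gets the
    privacy-preserving pairwise-id; 'none' or no signal gets nothing."""
    pairwise = user["pairwise_ids"].get(sp_entity_id)
    if requested == "subject-id":
        return {SUBJECT_ID: user["subject_id"]}
    if requested in ("pairwise-id", "any") and pairwise is not None:
        return {PAIRWISE_ID: pairwise}
    return {}


def account_collisions(identifiers, normalize):
    """Return pairs of distinct identifiers that an application would merge
    into one account after applying `normalize` as its lookup key."""
    seen = {}
    merged = []
    for ident in identifiers:
        key = normalize(ident)
        if key in seen and seen[key] != ident:
            merged.append((seen[key], ident))
        seen.setdefault(key, ident)
    return merged


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    wanted = requested_identifier_type(SP_METADATA)
    print("SP asks for:", wanted)
    print("IdP releases:", identifier_to_release(wanted, sp, USER))
    # A case-folding lookup merges two different users into one account.
    print("case-insensitive app merges:", account_collisions(TARGETED_IDS, str.lower))
    # Byte-exact comparison keeps them apart.
    print("case-sensitive app merges:", account_collisions(TARGETED_IDS, lambda v: v))
```

The collision check is the defender's test for the risk the notes describe: any application that lower-cases identifiers before lookup turns two valid, distinct eduPersonTargetedID values into one account, while byte-exact comparison does not. The metadata check shows the shape of the signaling mechanism, with the IdP reading the SP's request rather than guessing.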
TAC workplan for second half of 2019
- Streamlining SP Onboarding and Attributes for Collaboration Working Group responses - most items in-progress or complete
- Training program - in progress
- Test federation - will review in the future
  - Also a working group recommendation. Likely a WG to gather requirements. May need input from the badging conversation. Will follow up after next badging subgroup call.
- Baseline expectations - CTAB in progress
- Also badging conversation - one meeting so far. TAC subgroup. Will meet tomorrow. AI: Janemarie give update on next TAC call. David Bantz participating as well.
- Follow up to Deployment Profile work - September/October-ish
  - Revised SAML2int is at Kantara
  - Need the R&E Profile WG in the fall timeframe
- Onboarding for new TAC members
  - Could be helpful to have a one-pager available before the first call. Getting into the wiki before the first call and poking around was helpful.
  - Some of this is in the call for nominations email
  - Some of this is in the charter
  - There are several new members on the call - would something around this be valuable?
  - Onboarding for new TAC members this year will be affected by the lateness of TechEx. Will discuss on the next call.
  - Might be worthwhile checking with those who turned down nominations about why. Was it just the time commitment, or other concerns that we could address with nomination materials, onboarding materials, etc? Will take up in next week’s discussion.
- Maturity model outline - fits into badging. That’s basically what it is. Gets rolled into badging.
- Nick OK with removing the completed items from the backlog. Suggests following up with the working groups (Streamlining SP Onboarding, Attributes for Collaboration) to let them know “We heard you. Here’s what we’re doing.”
- Two items left in parking lot
  - REFEDS SP Operator WG spinning up. This may be the place for that.
  - Eric G submitted a TechEx session on SP proxy as well. May make sense to follow up on this after the session if it gets accepted. Or ACAMP session if not accepted.
  - IdPaaS WG touches on at least one potential solution to this.
  - Eric G got questions about ADFS and Azure as an SP recently from his user community.
    - SAML SP frontend.
    - ADFS as IdP.
Next Meeting - June 6, 2019 - 1 pm ET