...
Q. How do you plan on addressing the issue of auditing the way campuses are distributing the credentials?
A. Concept of having ID and access controlled on the campuses is something we're already doing, so no need to draft new policies to address this. However, we need a way to blackball ID's/users no longer associated with the campus or acting inappropriately. With limited employees, Gavin's group can't make this decision, rather campuses are better able.
Q. Any campus audit requirements?
A. Don't have a mechanism to audit at this time. Comes up in other critical ways at this time via other policies.
Q. How is Incommon establishing level of partnership?
A. The partner decides for themselves by applying for a particular level. Incommon won't be conducting audits, instead, relying on an independent auditor. Know the campuses are audited internally and by the state.
Q. Relationship with Oracle - what levels of assurance to you have they will maintain developments of Shibboleth?
A. They are committed to being standardized in this realm, but can't provide details due to NDA. They allow you to interplay with Java transaction; ADIs are one example of evidence they will meet this commitment. They want to get into higher ed market and realize fed id management requires interplay. When they identify what is important to them, they dedicate the resources. OIF is meant to integrate with many access control engines.
Q. Anyone else with Oracle experience in this realm?
A. U of Wisconsin has had the same experience with Oracle Consulting and inching along with OIF. They are going to have to overcome some of the lack of the communication leading up to the project. Their experience with sales process has been more difficult than the actual consulting.
Q. Do you think you'll be taking this federation in the same direction as the Texas or California model?
A. Looking Looking at closed federation for SUNY Universities, not exclusive to InCommon membership. Not seeing a telling reason to follow this approach, although senior management disagrees right now.
Q. Does SUNY have a document that illustrates how to create and run your own federation as best approach?
A. I don't think so, although it would make sense. There is room to make uninformed choices based on perceptions. Add this to the list of marketing materials for InCommon. There is a key study from the University of California system that talks about what they did.
University of California can see moving away from UC trust and using InCommon Silver Identity Assurance Profile. A principle of UC Trust was not to replace anything InCommon can do for us.