CACTI call of Tuesday, Feb. 4, 2020
- Tom Jordan, University of Wisc - Madison (chair)
- Jill Gemmill, Clemson (vice chair)
- Rob Carter, Duke
- Margaret Cullen, Painless Security
- Matthew Economou, InCommon TAC Representative to CACTI
- Michael Grady, Unicon
- Karen Herrington, Virginia Tech
- Les LaCroix, Carleton College
- Chris Phillips, CANARIE
- Steve Zoppi
- Nick Roy
- Jessica Coltrin
- Marina Adomeit, SUNET
- Nathan Dors, U Washington
- Christos Kanellopoulos, GEANT
- Bill Thompson, Lafayette College
- Emily Eisbruch
New Action Items
[AI] TomJ will coordinate a small group of individuals to work on a CACTI and TAC impact statement on the Chrome/other browser SameSite situation
[AI] TomJ will start an email list thread to continue the CACTI as IAM Evangelizers discussion. DONE
Chrome/other browser SameSite debacle update (Chris Phillips)
- The SameSite issue has been percolating for a few weeks.
- ChrisP plans to bring up the SameSite issue with REFEDs
- Involves browsers manipulating session cookies
- Suspension or blocking of cookies can prevent SSO from working
- There are impacts for both IdPs and Service Providers
- Shib consortium has been doing substantial cross testing with Crome and Firefox
- This issue highlights how beholden we are to Apple, Google and Firefox.
- OpenID Connect is also impacted
- Shib v4 is due to be out end of February, and will be helpful
- We need to build bridges to the rest of the community and participate
- Suggestion that CACTI should coordinate with CTAB and TAC on a community impact statement
- [AI] TomJ will coordinate a small group of individuals to work on a CACTI and TAC impact statement on the Chrome/other browser SameSite situation
Common Solutions Group (CSG) update (Nick)
- CSG web: https://www.stonesoup.org/
- CSG - research universities’ IT organizations - CIO and senior leadership team level
- Presentations from Mary McKee and Scotty Logan on passwordless authentication
- Hiring strategy, academic IT communities - resonant with larger IT programs on campuses - 4 hour discussion
- Last session - Notre Dame presented ‘cloud first’ IAM strategy to retire CAS, Grouper, Shib, etc. in favor of Okta and Cirrus federation bridge. Okta claimed that they would support HE federations, but did not deliver.
- Big questions - how does Okta group functionality compare to Grouper? It doesn’t. No group math, some provisioning but not as fine-tuned as TAP packages. Workaround is to manually manipulate group memberships.
- Survey - support for InCommon federation was not as high as some other components in survey. Still 3.9, but others were higher.
- Ann mapped ND before and after diagram to TIER reference architecture and demonstrated how each component was swappable to TAP packages. Several sites running Sailpoint as registry.
- Cloud IAM market really doesn’t have much of a backout strategy.
- Some commercial offerings get at a component of the overall architecture, but none cover all. HE problems are complex and different from enterprise market.
- Better communication and messaging to all levels of the IT org would be helpful.
2020 CACTI Workplan
- Results of the homework - to review the CACTI workplan and provide priority rank voting
- Focusing on CACTI's role as a "convener", as a "sponsor" and as a "doer"
- CACTI can carry the outward facing message on what it takes to be successful in higher ed IAM space, become an evangelizer.
- Leveraging material already in progress, including curriculum in progress for BaseCAMP
- Value Proposition, differentiators
- Countering vendor marketing and challenging assumptions
- We may want to articulate the questions the community should ask of IAM vendors
- New people who don't hold the same assumptions that the community has historically held: a benefit and a challenge
- Some of our target audiences are looking for simplification
- AI TomJ will start an email list thread to continue the CACTI as IAM Evangelizers discussion.
Next CACTI Meeting: Tuesday, February 18th, 2020