  • InCommon and GÉANT CAMP Week 2021


Time | Track 1 Session Title | Track 1 Session Abstract | Track 2 Session Title | Track 2 Session Abstract | Track 3 Session Title | Track 3 Session Abstract

8:00 - 10:00 am EDT 14:00 - 16:00 CEST

Social Gathering

10:00 - 10:10 am EDT 16:00 - 16:10 CEST

Welcome to CAMP

Speaker: Kevin Morooney

10:10 - 11:00 am EDT 16:10 - 17:00 CEST

midPoint Update: Advancing AAI by Tighter Integration of IdM and Access Management


Slavek Licehammer (Evolveum)
The presentation will be split into two main parts. The first one will focus on the area from a high-level perspective - discussing benefits, use-cases, as well as challenges that tighter integration of identity management and access management can bring. The second part will expand the first part with concrete examples of how some of the use-cases might be implemented with the identity management system midPoint. It will be a combination of ideas, configuration examples and live demonstrations.

Accelerating the move to federated access for library e-resources


Ken Klingenstein (Internet2), Meshna Koren (Elsevier),  Andrew White (RPI),  Ralph Youngen (American Chemical Society)

Even though federated authentication to library e-resources has been around for over 15 years, it has always been primarily used as a backup to IP access. Nevertheless, interest in using federated authentication as the primary authentication method has been growing in the past few years. The COVID-19 pandemic has been a powerful catalyst to this development, especially for remote access and its associated heightened cybersecurity concerns. While many universities are increasingly moving to SAML-based access for enterprise resources, we find that access to library e-resources is often not included in the SAML-based access plans. Part of the reason is lack of appropriate coordination between central campus IT and the library. Join representatives from Elsevier, American Chemical Society and Rensselaer Polytechnic Institute for a lively discussion on developments to move to federated authentication-only to library e-resources as part of broader security and identity and access management measures. The panel discussion will touch on key findings from projects each organization has undertaken to move towards federated authentication as a primary access method to library e-resources.

GÉANT Incubator

Speaker: Niels van Dijk (SUNET)

Researchers need access to many, often distributed, resources. For this purpose, many services support federated identity, which leverages the identity management of the home institution to handle authentication and provide a basic set of profile information. Next, the home institution profile needs to be complemented with information from the research community, for example roles and group memberships. Additional registries may also be needed, for example to get specific identifiers like ORCID. This flow is typically facilitated by a community AAI, where a membership management component acts as the research community registry and a proxy is used to collect and then redistribute the required profile information.

A new paradigm, Distributed Identity, tries to let users be in direct control of the profile information they share with services. In a Distributed Identity workflow, the users collect claims themselves from various sources in a so-called ‘wallet’ and subsequently provide these when so requested by services. As such the user has full control over the release of attributes. The services can then check the validity of these claims.

This presentation showcases recent work in the GÉANT Trust and Identity Incubator on how Distributed Identity may be used to facilitate research access management. After describing the core concepts of Distributed Identity, the proof of concept platform that was used to test and validate the requirements will be demonstrated. The presentation concludes with an analysis of the potential benefits and challenges of using Distributed Identity for managing researcher access.

11:00 - 11:10 am EDT 17:00 - 17:10 CEST

Break

11:10 am - 12:00 pm EDT
17:10 - 18:00 CEST

InCommon Advisory Groups

Speakers: David Bantz (CTAB)
Rob Carter (CACTI)
Keith Wessel (TAC)

Representatives from InCommon's Advisory Groups will come together and highlight important work from the community and the focus of their respective groups.

Hosted solutions, federation adapters, evaluating cloud solutions

Speakers: Dedra Chamberlin (Cirrus Identity), Mike Grady (Unicon)

Cirrus: The InCommon Technical Advisory Committee chartered a work group to explore Identity Providers as a Service. Community members had been asking for more options for adding an Identity Provider to InCommon. Especially as many campuses pursue "cloud first" strategies, demand was growing for hosted solutions to enable membership in InCommon using existing cloud identity solutions like Microsoft Azure Active Directory. The workgroup report was recently published, and among the recommendations are that campuses consider "federation adapters" that can help bridge commercial SSO solutions like Microsoft Azure AD and Okta to the federation. This session will explain what a "federation adapter" is and why a campus might want to choose one (or not). Many federation adapter solutions can also help campuses meet the upcoming InCommon baseline 2 requirement and the NIH requirements. Panelists will include staff from campuses that have implemented a federation adapter, as well as representatives from InCommon Catalyst partners who provide federation adapter solutions.

Unicon: Discuss options and considerations for InCommon and other federation members to consider when evaluating cloud/hosted solutions, and some of the options in that space.

ADFS Toolkit, Including Support for REFEDS MFA


Chris Phillips (CANARIE), Johan Peterson (SUNET), Tommy Larsson (SUNET)

Supporting R&E standards of REFEDS MFA and Assurance Profiles is key to keeping researchers connected to their critical R&E infrastructure. This session shares lessons learned on implementing and operationalizing MFA and Assurance Profiles with AD FS using ADFSToolkit. Various approaches including using Azure where possible will be covered.

12:00 - 1:00 pm EDT 18:00 - 19:00 CEST

Break and BoF (Birds of a Feather)

Take a break or join a BoF! Bring your breakfast, lunch, dinner, or beverage (depending on your time zone) and join in these informal discussions on topics of interest.

BoF - COVID-Based Access Management - Speaker: Anne Tambe

BoF - COmanage - Speakers: Laura Paglione + Benn Oshrin

1:00 - 1:50 pm EDT
19:00 - 19:50 CEST

Lightning Talks

Topics + Speakers:

OIDC Device code flow based SSH access with MFA: Dominik František Bučík (Masaryk University)

Advanced use-cases for eduPersonEntitlement in the ELIXIR AAI: Pavel Břoušek (Masaryk University)

What's NEW with Shibboleth IdP UI: Charise Arrowood (Unicon, Inc.)

SeamlessAccess - Current Status and Future Direction: Heather Flanagan (Seamless Access)

Federation 2.0 working group: Tom Barton (Internet2) and Judith Bush (OCLC)

NIH and You: MFA, Identity Assurance, and Coming Requirements

Speaker: Jeff Erickson (NIH)

An update on NIH requirements for the eRA and other applications - R&S, MFA, identity assurance, and more.

Splunk and Advanced Log Analysis

Speakers: Paul Riddle (UMBC), Keith Wessel at Urbana-Champaign

UMBC: At UMBC, we struggled for some time to find a solution for getting our TAP container logs into Splunk. The first part of this talk will describe a methodology we've developed for parsing the Shibboleth IdP container log output and shipping it to Splunk in a format that Splunk can easily index. We'll discuss how this logging infrastructure has worked for us, and how it might be adapted to other TAP components.

Once our data was in Splunk, we worked with West Arete to develop a dashboard that helps us to visualize various different metrics related to the operation of our IdP, and the second part of the talk will focus on this piece. We'll talk about insights we've gained related to the operation of our IdP, and how this tool has helped to make our IdP infrastructure run more efficiently and cost-effectively.

Illinois: The global pandemic has shifted many things, one of which is the move to much more distance learning. This move has brought out many new trends and patterns in the usages of campus IT services. Thanks to the advanced log analysis and reporting functions available from services like Splunk, it's easy to see these trends and use them to grow services, security practices, and cloud architecture. It all starts, though, with how to analyze your IAM systems' logs. What services are students logging into these days, not just during the day, but in the evenings? Why might you see load spikes on your SSO systems at 11:00 PM on a Friday night? And how do usage patterns differ now that many of us are working for institutions with students located around the globe? In this session, you'll learn about the trends that the University of Illinois found in the logs from the Urbana-Champaign campus and how they're using those to make informed decisions about their future plans.

1:50 - 2:00 pm EDT
19:50 - 20:00 CEST

2:00 - 2:50 pm EDT
20:00 - 20:50 CEST

Closing Plenary: Bridging the Gap: Strategies to Enable Federated Access to SAML-shy Resources and Services

Moderator: Nicole Harris (GÉANT) 

Proxies have emerged as a preferred way for providers to quickly bring new resources into a federation for access by users. Is it time we formally recognize proxies’ role in the federation, make appropriate adjustments, and recommend best practices to fully support proxies in our ecosystem?

Some of the questions to ponder may include: how does a proxy express to the IdP the varying attribute/authentication needs across the resources it proxies? Are there trust and policy implications? What is the best way to implement a proxy? What changes might we make to the federation trust model to recognize and support proxy in federation?

Join us as the panelists explore these questions and set the stage for what we hope is an Advance CAMP session to continue the discussion.

2:50 - 4:50 pm EDT
20:50 - 22:50 CEST

Social Gathering + ACAMP Agenda Discussion