...
Regrets: Mark Rank, Joanne Boomer
Notes
- Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.
- Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.
- Call for scribe volunteers (2 per call) - recording / transcription available
- At least 2 so that each has the ability to talk.
- Waiting for volunteers consumed the remainder of the meeting. (It did not.)
- Agenda Bash + request for notable working and advisory group updates
Status Updates - Q&A (10 minutes)
- Heather’s via email (Multiple topics)
- Steve’s via email
- CTAB
- Developing work plan along the lines of the TAC work plan
- How can we enhance interop beyond something like a BE3?
- In the long tail of the BE2 cleanup. “Last” round of notifications went out last week. Uncovered lots of bad contact information through this process.
- InCommon / T&I Updates
- American Library Association has started a federated access group.
- https://www.ala.org/core/member-center/sections/technology/federated-authentication-committee
- There’s also a recommendation there for the use of Seamless Access as part of discovery.
- Ann will reach out to the team to offer to assist with coordination/info/whatnot.
- In about 5 weeks I2 will be holding a leadership event.
- Needs a short (e.g. 3 item) bullet list to call out what TAC is
- All TAC members should consider what should go into that bullet list.
- Minor Federation Manager update went out last week. No changes to UI.
- From Kevin
- Ops
...
Overview of emerging issues affecting federation evolution (discussion)
- Background at https://docs.google.com/document/d/1PCQ2FvBWzHUKigW-UQ2KeJ4p45svsPt10KWhAaiER94/edit
- Current doc is a “thought document”. Not requirements, not solution, more identifying concerns and asking for directions.
- The InCommon wiki has a number of recommendations developed from previous discussions.
- SaaS solutions and IAM frequently work differently from what we have assumed and don’t necessarily align with previous models:
- Atlassian (IdPs pay to federate, but once federated they allow authentication to all sites via one SP)
- Zoom (registers individual SPs per client)
- Calling out a perceived difference in how SPs and IdPs are expected to interact.
- But we want the big vendor to register if they want to provide access to the whole community
- There are different relationships and roles, and it’s probably more than just IdPO and SPO. E.g., the difference between a SaaS provider (hidden) behind a service being rolled out by a university vs. a third party like MS or LIGO that wants to directly offer services to end users from arbitrary IdPs.
- Also looking at how several SPs are themselves federations. E.g., Azure/O365, Google, Zoom, Box, Atlassian - once a user has authenticated to the SP, cross-institution federation is controlled at neither the IdP nor the SP. (Once I authenticate to Box via my IdP, the owner of a Box folder outside of my org has no direct control over how I authenticate when accessing their service. E.g., “we want to require MFA for logins that access my folder” cannot be done at the SP level with Zoom.)
- Matthew E worked directly with Box to configure/rearchitect their SP to give them more control and make it look more like a “normal” InCommon SP.
- Do we want to spell out expectations like this and have some InCommon wide agreement/petition to have vendors support them?
- Is a CASB another avenue to pursue? E.g., have the CASB communicate some of the authentication information we think of sending via a SAML assertion, and then work with vendors to tie the SAML assertion info into the CASB info.
- "Cloud access security broker: A cloud access security broker (CASB) is a service that applies institutional security policies, such as authentication and authorization rules, to cloud-based resources. A CASB extends institutional information security policies and practices to the cloud-based services that the institution uses."
- https://en.wikipedia.org/wiki/Cloud_access_security_broker
- But the overall point is that these kinds of integrations may require us to rethink/expand our models for what we need/want from vendors (especially SaaS vendors) out of federation.
- Proxy issues (hiding/abstracting the resources behind the proxy) are related to this.
- Attribute packages (data released to the proxy is the superset of the required attributes)
- How do the policies (trust, security, BE, etc.) get “enforced” behind the proxy?
Email Updates
CACTI Updates
...