...

Regrets: Mark Rank, Joanne Boomer

Notes

  • Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.
  • Call for scribe volunteers (2 per call) - recording / transcription available
      1. At least 2 so that each has the ability to talk.
      2. Waiting for volunteers consumed the remainder of the meeting. (It did not.)
  • Agenda Bash + request for notable working and advisory group updates


Status Updates - Q&A (10 minutes)

  1. Heather’s update, sent via email (multiple topics)
  2. Steve’s update, sent via email
  3. CTAB
    1. Developing a work plan along the lines of the TAC work plan
    2. How can we enhance interop beyond something like a Baseline Expectations 3 (BE3)?
    3. In the long tail of the Baseline Expectations 2 (BE2) cleanup. The “last” round of notifications went out last week. This process uncovered lots of bad contact information.
  4. InCommon / T&I Updates
    1. Minor Federation Manager update went out last week. No changes to UI.
    2. American Library Association has started a federated access group.
      1. https://www.ala.org/core/member-center/sections/technology/federated-authentication-committee
      2. There’s also a recommendation there for the use of Seamless Access as part of discovery.
      3. Ann will reach out to the team to offer to assist with coordination/info/whatnot.
    3. From Kevin
      1. In about 5 weeks I2 will be holding a leadership event.
      2. Needs a short (e.g. 3 item) bullet list to call out what TAC is.
      3. All TAC members should consider what should go into that bullet list.
    4. Ops

...

Overview of emerging issues affecting federation evolution (discussion)

  1. Background at https://docs.google.com/document/d/1PCQ2FvBWzHUKigW-UQ2KeJ4p45svsPt10KWhAaiER94/edit
  2. Current doc is a “thought document”: not requirements, not a solution, more a matter of identifying concerns and asking for direction.
  3. The InCommon wiki has a number of recommendations developed from previous discussions.
  4. SaaS solutions and IAM frequently work differently than we used to consider and don’t necessarily align with previous models:
    1. Atlassian (IdPs pay to federate, but once federated they allow authentication to all sites via one SP)
    2. Zoom (registers individual SPs per client)
  5. Calling out a perceived difference in how SPs and IdPs are expected to interact. 
    1. But we want the big vendor to register if they want to provide access to the whole community
  6. There are different relationships and roles, and it’s probably more than just IdPO and SPO. E.g., the difference between a SaaS provider (hidden) behind a service being rolled out by a university vs. a third party like MS or LIGO that wants to directly offer services to end users from arbitrary IdPs.
  7. Also looking at how several SPs are themselves federations. E.g., Azure/O365, Google, Zoom, Box, Atlassian - once authenticated to the SP, cross-institution federation is not controlled at the IdP or the SP. (Once I authenticate to Box via my IdP, the owner of a Box folder outside of my org does not have any direct control over how I authenticate when accessing their service. E.g., “we want to require MFA for logins that access my folder” cannot be done at the SP level with Zoom.) 
  8. Matthew E worked directly with Box to configure/rearchitect their SP to give them more control and make it look more like a “normal” InCommon SP.
  9. Do we want to spell out expectations like this and have some InCommon wide agreement/petition to have vendors support them?
  10. Is CASB another avenue to pursue? E.g., have CASB communicate some of the authentication information we think of sending via a SAML assertion, and then work with vendors to tie the SAML assertion info into the CASB info.
    1. "Cloud access security broker: A cloud access security broker (CASB) is a service that applies institutional security policies, such as authentication and authorization rules, to cloud-based resources. A CASB extends institutional information security policies and practices to the cloud-based services that the institution uses."
    2. https://en.wikipedia.org/wiki/Cloud_access_security_broker
  11. But the overall point is that these kinds of integrations may require us to rethink/expand our models for what we need/want from (especially SaaS) vendors out of federation.
  12. Proxy issues (hiding/abstracting the resources behind the proxy) are related to this.
    1. Attribute packages (data released to the proxy is the superset of the attributes required by the services behind it)
    2. How do the policies (trust, security, Baseline Expectations, etc.) get “enforced” behind the proxy?
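As an added illustration of the two failure modes raised in items 7 and 12 (a resource owner wanting to require MFA at the SP level, and a proxy receiving more attributes than each backend service needs), the following Python example is not part of these minutes or of any vendor's product. It parses a constructed SAML 2.0 assertion (sample data, not a real IdP response), surfaces the AuthnContextClassRef to a hypothetical per-resource policy table so that a folder owner's "require MFA" rule can be evaluated where the authorization decision is made, and filters the released attribute set down to a hypothetical per-backend attribute package before handing it on. The REFEDS MFA profile URI and the eduPerson OIDs are real; the resource and backend names, the policy tables, and the attribute values are assumptions. Signature and condition validation are deliberately omitted, and a production consumer should parse untrusted XML with defusedxml rather than the standard library.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# eduPerson / LDAP attribute OIDs as used in SAML attribute names.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Constructed sample assertion (not from a real IdP); the IdP did a password-only login.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>abc123</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2023-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{PASSWORD_PPT}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPPN}"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{MAIL}"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{DISPLAY_NAME}"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ENTITLEMENT}"><saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical resource-level policy: which authentication contexts a resource owner accepts.
# An empty set means no step-up requirement.
RESOURCE_POLICY = {
    "folder/finance": {REFEDS_MFA},
    "folder/public": set(),
}

# Hypothetical per-backend attribute packages behind a proxy: each backend gets only its subset.
ATTRIBUTE_PACKAGES = {
    "https://sp-a.example.org": {EPPN},
    "https://sp-b.example.org": {EPPN, MAIL, DISPLAY_NAME},
}


def parse_assertion(xml_text):
    """Extract the authentication context and the released attributes.
    Signature/Conditions checks are out of scope for this illustration."""
    root = ET.fromstring(xml_text)
    ctx = root.find(".//saml:AuthnContextClassRef", SAML_NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return {"authn_context": ctx.text if ctx is not None else None, "attributes": attributes}


def check_resource_access(parsed, resource):
    """Evaluate the resource owner's policy against the IdP-asserted context.
    Returns (allowed, reason); a denial with a step-up reason is what an SP would
    turn into a new AuthnRequest carrying RequestedAuthnContext."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False, "unknown resource"
    if required and parsed["authn_context"] not in required:
        return False, "step-up required: " + ",".join(sorted(required))
    return True, "ok"


def release_to_backend(parsed, backend_entity_id):
    """Filter the superset released to the proxy down to the backend's package.
    Unknown backends get nothing (fail closed)."""
    allowed = ATTRIBUTE_PACKAGES.get(backend_entity_id, set())
    return {name: vals for name, vals in parsed["attributes"].items() if name in allowed}


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(check_resource_access(parsed, "folder/finance"))
    print(check_resource_access(parsed, "folder/public"))
    print(release_to_backend(parsed, "https://sp-a.example.org"))
```

The point of the MFA half is where the check sits: the folder owner's requirement can only be enforced if the SP carries the asserted context through to the per-resource authorization decision and can send the user back for step-up when it is missing; a vendor whose SP discards that context after login cannot offer the control item 7 describes. The attribute half shows that a proxy holding the superset is a release decision point in its own right, which is the policy enforcement question in item 12.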

Email Updates

CACTI Updates

...