Comment: Migrated to Confluence 4.0

Action Items from 2011 Advance CAMP

...

Note: Follow-up is planned on several action items, as indicated in the Status column. This follow-up will take the form of gentle inquiries, as opposed to regularly scheduled calls and check-ins. 

...

  • [TomZ]: Mock up a UI...
  • [All]: Bring selected UX/UI Business Analysis experts at our institutions into the ongoing conversation
  • [KeithH] Create child wiki pages off the "MACE-Paccman" site. Adopt "Permissions Management UX/UI" as an ongoing Paccman work item and as a regular agenda item for Paccman conference calls. Supplement the "Canonical Use Cases with Solutions" with material from this group's work.
  • [KeithH] Contact Nils about what Surfnet Conext and COIN offer and about his willingness to participate in these discussions
  • [MichaelG] Draft a mini-charter for an effort to develop something like an RFP for a Permissions Management UI/UX Package
    | # | Session at Advance CAMP | Description | Lead | Status |
    |---|---|---|---|---|
    | 1 | Rewriting IAM Policies | Establish the TEP (Tools and Effective Practices) wiki space as the home for policy and governance discussions | Michael Pelikan | |
    | | ECP | ScottK will continue work with the Condor group on the ECP-enabled file mover | ScottK | Tom will do some follow-up with leads on the ECP work |
    | | ECP | Add links on the SHIB2/ECP wiki page that point to other pages where this nascent ECP interest group's activities can be described. Use those linked pages as a home on the web for ongoing discussions | | |
    | | ECP | Collaborate to deliver a Python ECP client module that returns a Python cookie-jar containing session cookies that allow your Python app to keep talking to the SP | Roland, ScottK | |
    | | ECP | Work with Condor group on ECP-enabled file mover | ScottK | |
    | | ECP | Refactor his HPC access via SAML solution to use the ECP approach | Arnie | |
    | | ECP | Suggest to InCommon that they consider recommending that sites protect their ECP endpoint on the IdP with X.509 certs. Otherwise there will be as many varieties of protection as there are ECP endpoints. | ScottK (and others?) | |
    | | ECP | Document other ECP clients and how you use them: PAM/Shib | requested by Todd Piket | |
    | | ECP | Create an ECP Reading list / tutorial | not assigned | |
    | | Multiple Attribute Stores and Shib IdP | Create documentation on the use of attribute aggregation. Get input on the multi-datastore handling by the IdP. Big question is how to handle multiple data sources connected to an IdP. | Mike Wiseman & Steven Carmody | RL "Bob" will do some follow-up with leads |
    | | OAUTH | ACAMP Prog. Committee should encourage the Social ID working group to deal with these issues: look forward to CAS OAuth support; look forward to finalization of OAuth 2.0 and stabilization of the OAuth protocol; gain more experience using OAuth with apps | Social ID WG | |
    | | Permissions Mgmt UX and UI | ACAMP Prog. Committee needs to encourage the MACE-paccman WG to address the items that emerged, including: | MACE-paccman | |
    | | InCommon Silver Certification | Facilitate discovery of InCommon Silver work and sharing community work -- facilitate outreach on community outreach and outcomes. InCommon to: develop a list of campuses implementing InC IAPs; create a mailing list of folks implementing InC IAPs who wish to share ideas; announce when a campus becomes Silver (or Bronze) compliant on the InC Participants list; create an implementation wiki to include case studies and community-driven implementation FAQ | Ann West | |
    | | Making Services Discoverable to Users | ACAMP Prog. Committee needs to follow up with Michael and Roland to discuss concrete action items. (Establish standards for storing info? Work with SWITCH on this? Establish a service catalog?) | MichaelG and Roland | RL "Bob" will do some follow-up with leads |
    | | Identify Gaps in IdM | Ensure that a secure environment exists to have discussions about vendor products. | | |
    | | Identify Gaps in IdM | Berkeley and FIFER work together to develop some documentation for the community. | | |
    | | Identify Gaps in IdM | Identify people who can answer questions about different IdM systems. (Use cases, user stories are more useful than features in a grid.) | | |
    | | Social Identities in R&E | Migrate from "OPENID" wiki space to "Social Identity" wiki space | SteveO | |
    | | Social Identities in R&E | Create a listing of what people are doing and track what the standards are in the higher ed environment | Steven and the Social ID working group | |
    | | LDAP Options, SubTrees, and Composite Attributes for Identity | Send writeup of issue statement for "eP[Scoped]PAeP" | Todd Piket | |
    | | LDAP Options, SubTrees, and Composite Attributes for Identity | Ask Rob Carter for permission to use the 389DS plugin that he & Michael Gettes wrote to handle Kerberos "the right way". | Delegate this to MACE-Dir | |

    COMPLETE LIST OF ACTION ITEMS FROM THE BREAKOUT SESSION NOTES

    ECP Session

    ACTIVITIES GOING FORWARD / NEXT STEPS

    https://wiki.shibboleth.net/confluence/display/SHIB2/ECP is the home for Shibboleth work around ECP support

    [All] Add links on the SHIB2/ECP wiki page that point to other pages where this nascent ECP interest group's activities can be described. Use those linked pages as a home on the web for ongoing discussions

    [Roland Hedberg, Scott Koranda] Collaborate to deliver a Python ECP client module that returns a Python cookie-jar containing session cookies that allow your Python app to keep talking to the SP

    [Arnie] Refactor his HPC access via SAML solution to use the ECP approach

    [ScottK] Working with Condor group on ECP-enabled file mover.

    [ScottK and all] Suggest to InCommon that they should consider recommending that sites protect their ECP endpoint on the IdP with X.509 certs. Otherwise there will be as many varieties of protection as there are ECP endpoints.

    ...

    • Friday morning "ECP Continued" discussion (display/ACAMPIdSummit2011/ECP+the+discussion+continues): X.509 may be too limiting. Basic Auth use cases (Live@EDU) are common.
      • Multiple ECP endpoints? One for X.509 and one for Basic Auth?

    REQUESTS:

    • Todd Piket: Document other ECP clients & how you use them: PAM/Shib
    • ECP reading list, tutorial??

    Dealing with Multiple Attribute Stores and the Shib IdP

    ACTIVITIES GOING FORWARD / NEXT STEPS

    1. Document the use of attribute aggregation.

    ...

    Grouper Permissions Allow/Deny 

    ACTIVITIES GOING FORWARD / NEXT STEPS

    - Looking at agreeing on adopting one of the simpler UIs?
    - Status of maturity of APIs?
    - What are the use cases for this?

    SPs Over-Trusting Weak Identities, What to Do?

    ACTIVITIES GOING FORWARD / NEXT STEPS

    - Perform or complete a classification of confidential data at the institution.

    - Where possible, require a risk assessment from any unit using authentication information.

    ...

    - Where possible, gather information after the fact about sites using authentication information.

    - Have a conversation about VPN and level of assurance at the institution, come to an understanding and publish it.

    - Repeat for services other than VPN.

    OAUTH

    ACTIVITIES GOING FORWARD / NEXT STEPS
    - Look forward to CAS OAuth support.
    - Look forward to finalization of OAuth 2.0 and stabilization of the OAuth protocol.
    - Gain more experience using OAuth with apps

    Roles Vs Groups Rematch

    ACTIVITIES GOING FORWARD / NEXT STEPS

    • Finding a common space where we can throw up doc from campuses that have done significant role engineering
    • Campuses using Grouper should share how they are establishing/defining groups vs roles, and push towards a common ground

    FIFER API

    ACTIVITIES GOING FORWARD / NEXT STEPS

    1. Need to figure out best way to move forward WRT preferred approach for Group Web Service aka Alternate Demo Plan Mock-ups
    2. FIFER needs project player (FIFER API consumer) input, but also those in VO/CO space

    Permissions Mgmt UX and UI Issues

    ...

    ACTIVITIES GOING FORWARD / NEXT STEPS

    ...

    [TomZ]: Mock up a UI...

    [All]: Bring selected UX/UI Business Analysis experts at our institutions into the ongoing conversation (SteveC: Their first question is gonna be "What are your requirements?" (knowing laughter from the audience))

    [KeithH] Create child wiki pages off the "MACE-Paccman" site. Adopt "Permissions Management UX/UI" as an ongoing Paccman work item and as a regular agenda item for Paccman conference calls. Supplement the "Canonical Use Cases with Solutions" with material from this group's work.

    [KeithH] Contact Nils about what Surfnet Conext and COIN offer and about his willingness to participate in these discussions

    [All] Email hazelton@wisc.edu if you are interested in participating in ongoing work

    [MichaelG] Draft a mini-charter for an effort to develop something like an RFP for a Permissions Management UI/UX Package

    CIC InCommon Silver Certification

    ACTIVITIES GOING FORWARD / NEXT STEPS

    InCommon to

    • develop a list of campuses implementing InC IAPs
    • create a mailing list of folks implementing InC IAPs who wish to share ideas 
    • announce when a campus becomes Silver (or Bronze) compliant on the InC Participants list
    • create an implementation wiki to include case studies and community-driven implementation FAQ

    Building Partnerships between Research and IT (IdM)

    ACTIVITIES GOING FORWARD / NEXT STEPS

    • Sharing of U of Toronto's document.
    • Sharing of the job descriptions of the Customer Relations Manager, or the central IT research support staff member

    Making Services Discoverable to Users

    ACTIVITIES GOING FORWARD / NEXT STEPS:

    • See what Switch, others are doing to avoid duplicating effort
    • Look for standards for storing information
    • Needs to accommodate more than Shib, InCommon
    • Service catalog type approach?

    Federated ID for Research Applications

    ...

    • ECP work for science applications. Technical work first, then encouraging adoption by InCommon campuses.

    Identify Gaps in IdM

    ACTIVITIES GOING FORWARD / NEXT STEPS

    • Secure environment to have discussions about vendors products
    • Berkeley and FIFER work together to put some documentation out.  
    • Identify people who can answer questions about different IDM systems
    • Use cases, user stories more useful than features in a grid.

    What Can/Should Grouper Do for Me in ReFactoring my Institution's Group Management?

    ACTIVITIES GOING FORWARD / NEXT STEPS

    ...

    • uApprove adoption (support work already in progress on this)
    • discussion of central InCommon services
    • REFEDS WG

    Provisioning

    ACTIVITIES GOING FORWARD / NEXT STEPS

    • EDUCAUSE IdM list for collaboration
    • provision@internet2.edu (development)
    • who is rolling your own? UBC, Yale, Texas A&M, ?

    Social Identities in R&E

    ACTIVITIES GOING FORWARD / NEXT STEPS

    SteveO to migrate SocialIdent wiki space to get out from under the "OpenID" label.

    GFIPM (Global Federated Identity and Privilege Management)

    ACTIVITIES GOING FORWARD / NEXT STEPS

    - Look at cloud initiative work on standardizing schemas and offer input
    - May not fit in this category; reports on progress/status are of interest

    Web Service for IAM

    ACTIVITIES GOING FORWARD / NEXT STEPS

    - Continued work toward standardizing web service calls and, potentially, message formats (e.g., JSON, XML, SOAP).
    - Work together to summarize the current landscape, review existing products, identify gaps.  (Where does this get done?)

    LDAP Options, SubTrees, and Composite Attributes for Identity

    ACTIVITIES GOING FORWARD / NEXT STEPS

    [Todd Piket] Send writeup of issue statement for "eP[Scoped]PAeP"

    [Roland, MichaelG, Keith] Writeup The Options: 1) Why would you ever want to do this in LDAP? attr. options, composite attributes, sub-entries, ... Start with use cases. Bake-off.

    [Keith] Ask Rob Carter for permission to use the 389DS plugin that he & Michael Gettes wrote to handle Kerberos "the right way".

    ...