Draft Minutes, Assurance Implementers Call, 10-
Ann West, InCommon
Mark Rank, UCSF
Dave Langenberg, U. Chicago
Brett Bieber, Univ. of Nebraska, Lincoln
Jeff Capehart, University of Florida
Lee Trant, U of Nebraska Medical Center (UNMC)
David Walker, InCommon
Emily Eisbruch, Internet2, scribe
The Assurance and MFA Enhancements to Shibboleth Identity Provider RFP was awarded to Paul Hethmon, who has been involved in the Shibboleth project. Information on this work will be posted on the Shibboleth wiki, and the URL will be shared with the Assurance list. The goal is to have the work completed by the end of 2013. The RFP's acceptance criteria require that 3 campuses test the code, and we hope to identify the 3 testing campuses within a few weeks. Most likely the testing will take place in September or October. David will send out a solicitation for testing campuses. Let David know if you are interested in helping with the testing.
The AAC is working on a proposal (to be sent to InCommon Steering) to make Bronze the baseline for participation in the InCommon Federation.
Brett was on the June 20 call. At U. Nebraska, the goal is to implement a system for counting failed logins by Aug. 1, since Nebraska has a target to achieve Bronze by Aug. 1. Brett currently has an implementation counting the LDAP failed authentication attempts. This work is posted on GitHub, and there is information on the wiki at https://spaces.at.internet2.edu/display/InCAssurance/Component+Implementation+Guide. However, for AD, Nebraska has challenges around identifying the proper event codes in Active Directory. Brett has discussed the AD event code issues with Tamara and others at U. Chicago and would like to confer with other institutions as well. Ann suggested writing a note to the Assurance list to ask if anyone can help with the AD code. The AD topic came up at the CIC IDM meetings taking place this week in Columbus. Brett will be in touch with Ann to arrange an opportunity to discuss the AD issues with the AD Assurance Group: https://spaces.at.internet2.edu/display/InCAssurance/AD+Alternative+Means+-+2013
Assurance Use Case
Ann reported that the Business School of a large research institution recently approached InCommon with a new use case. At this institution, Central IT has stated that the Business School needs to be Bronze certified to federate internally. The Business School has an IdP that does not need to be in InCommon metadata, but it needs to conform to the Bronze profile to achieve the institution's security goals. So at this institution, Central IT is outsourcing the security/credential requirements to InCommon.
Ann has encouraged the Business School to talk with Central IT about having the institution (not the Business School) sign the assurance addendum with the same signature authority that signed the InCommon POP. Further, if they want InCommon to manage the assurance re-certification every 3 years, they would need to put the Business School IdP in the InCommon metadata. This would mean the institution would need to pay for a second IdP, for the Business School.
David suggested that it would make sense for the institution to get the Bronze certification instead of just the Business School. The IdPO is the institution. The institution will need to explain to users which IdP to use in which situations.
Ann asked if InCommon Assurance should consider a reduced fee for cases where there is no IdP, offering a service that enables institutions to get a "stamp of approval" for good practices. David suggested that this makes sense; it would be like an audit report saying "yes, we agree with management's assertion that they meet the requirements for the assurance program." It was noted that without a SAML IdP it is not possible to be Bronze certified under 4.2.7.
Jeff Capehart stated that at the University of Florida, the password policy has been revised, adding some new options associated with the use of longer passwords. The new policy still complies with the entropy requirements.
Lee stated that UNMC is examining the different levels of assurance currently in use.