Welcome to the 2021 CAMP! InCommon’s annual gathering of the international identity and access management community.

Dates: October 4-8, 2021

Location: Virtual

What is CAMP? The acronym means Campus Architecture and Middleware Planning. CAMP has come to mean the series of track sessions that include case studies, organizations’ innovations in identity management, best practices, and other presentations that help move the community forward.

The CAMP program is developed by a community program committee based on community-submitted proposals. The event draws identity architects, developers, implementers, service provider operators, and other identity management professionals with any level of experience.

What is ACAMP? Advance CAMP is an unconference, with participants developing the agenda at the beginning of the event. ACAMP then continues with as many as five breakout sessions per hour to discuss issues of interest to the international research and education identity and access management community. Each ACAMP session is documented by a group scribing process.

In addition to CAMP/ACAMP, we invite you to also attend the REFEDS meeting on Thursday, September 30, 2021. REFEDS (the Research and Education FEDerations group) articulates the mutual needs of research and education identity federations worldwide. The group represents the requirements of research and education in the ever-growing space of access and identity management, working with and influencing the direction of other organizations. You can sign up for REFEDS when registering for CAMP.

Registration Information:

Pricing (includes all five days of CAMP + ACAMP programming):

InCommon Participants and Internet2 Members: $275
International Constituents: $275
All Others: $375

CAMP + ACAMP Program

Please see below for our CAMP schedule (October 4 - 5, 2021).

The program for the Advance CAMP portion of the meeting (October 6 - 8, 2021) can be found here (this will be filled in each day as attendees determine session topics).

Monday, October 4, 2021

Please note that there are three tracks – keep on scrolling to the right to view the full schedule!

(All time ranges listed U.S. Eastern Standard Time and Central European Summer Time - please adjust accordingly for your time zone).

Time | Track 1 Session Title | Track 1 Session Abstract | Track 2 Session Title | Track 2 Session Abstract | Track 3 Session Title | Track 3 Session Abstract

8:00 - 10:00 am EDT 14:00 - 16:00 CEST

Social Gathering

10:00 - 10:10 am EDT 16:00 - 16:10 CEST

Welcome to CAMP

Speaker: Kevin Morooney

10:10 - 11:00 am EDT 16:10 - 17:00 CEST

Opening Plenary: Library Access of the Future - Four Perspectives

Moderator: Kristi Holmes (Northwestern University)

Speakers: Tim Lloyd (Liblynx), Tracy Tolliver (University of Illinois - Urbana-Champaign), Jiri Pavlik (CESNET; CzechELib), Heather Flanagan (Seamless Access)

There has been a great deal of work done around making access management to content providers easier and more secure. However, there are still gaps for many of the stakeholders in the process. Each of the panelists is involved from a library community, IT support or provider perspective and will discuss their views about the future of federated access to resources and what it takes to get there. What role do federations or other consortiums play? What gaps are important to close sooner rather than later?

11:00 - 11:10 am EDT 17:00 - 17:10 CEST

Break

11:10 am - 12:00 pm EDT 17:10 - 18:00 CEST

Shibboleth 2021 Review and Future Roadmap

Speakers: Scott Cantor (Shibboleth Consortium)

The Shibboleth Consortium will provide a brief "State of the Consortium" review and the Shibboleth Project will outline 2021 accomplishments and the software roadmap, including an update on the latest thinking about Service Provider sustainability/replacement.

West Chester University Journey To Improve Its Overall Identity Management Profile

Speakers: JT Singh (West Chester University), Kevin Partridge (West Chester University), Lisa Disney (West Chester University), Rashed Kaber (West Chester University), Pete Calvert (West Chester University)

West Chester University IT leaders, infrastructure and information security experts will discuss lessons learned improving the institution identity management profile including pivots related to COVID-19. The conversation will cover how we consolidated SSO, MFA, and VPN and enhanced security controls—protecting access for students, faculty, and staff.

REFEDS Assurance and Assured Access Working Group


Brett Bieber (University of Nebraska), Jule Ziegler (LRZ/DFN), Fredrik Domeij (SUNET)

This session will provide attendees with a summary of the latest work on the international standards for multi-factor authentication and identity assurance (REFEDS Assurance Framework and MFA Profile). The REFEDS Assurance Working Group will present planned changes for RAF 2.0 (identity assurance), the MFA Subgroup will share updates on making the REFEDS MFA Profile easier to understand and use, and InCommon's Assured Access Working Group will share practical implementation recommendations for IdP Operators. Join us to see how your IdP or SP can leverage these identity frameworks and assurance profiles to meet the shared responsibility for securing federated identities and services.

12:00 - 1:00 pm EDT 18:00 - 19:00 CEST

Break and BoF (Birds of a Feather)

Take a break or join a BoF! Bring your breakfast, lunch, dinner, beverage (depending on your time zone) and join in these informal discussions on topics of interest.

BoF - midPoint Review - Speaker: Keith Hazelton (Internet2) - With the increasing number and complexity of IT systems, automation is becoming more and more critical. MidPoint is reflecting that by increasing its performance and range of configuration options as well as adding additional options for identity governance, with the goal to help you automate not only IdM processes but also implement related policies. This Birds of a Feather session will gather midPoint community members to have an open discussion about the current state of midPoint and also features that would be useful for the future. Outcomes of the session will be used as input for planning further development of midPoint.

BoF - MFA Rollout - Azure and Others. Lessons Learned so you don't need to relearn them - Speaker: Etan Weintraub (Johns Hopkins University)

A group discussion about rolling MFA out to your users, and going over lessons others have learned in their rollouts. Etan Weintraub, IT Security Architect from Johns Hopkins, will be discussing the pains they had from choices they made during rollout that you can avoid by making different choices. This will mostly be an open group discussion, rather than a panel or speaker presentation.

BoF - eduroam: Enabling the Next 1,000 Subscribers - Speakers: Mike Zawacki (Internet2), Sara Jeanes (Internet2)
The eduroam service has experienced substantial growth in scope and scale, increasing its reach into new segments of the R&E community such as K12 and preparing to move to a cloud forward architecture. Join Internet2 to hear more about these changes and learn what’s next for eduroam and the community it serves.

1:00 - 1:50 pm EDT
19:00 - 19:50 CEST

What's New with Grouper?


Chris Hyzer (University of Pennsylvania)
Talk about new functionality in the Grouper product and the roadmap going forward.

Safer Community - A story of collaboration to help protect campuses from COVID-19


Brett Bieber (University of Nebraska), James Babb (University of Wisconsin-Madison)

The University of Illinois in Fall 2020 spun up the Safer Illinois app and mass COVID-19 testing to help protect their campus against outbreaks. The Safer Illinois app was then licensed out and purchased by the University of Nebraska as Safer Nebraska and the University of Wisconsin-Madison as Safer Badgers.

The app required OIDC, which neither Wisconsin nor Nebraska had particularly used in a production setting before. By working together with each other, we were able to introduce a production-ready app for the Spring semester in a very short amount of time including using the Shibboleth OIDC plugin and developing an API to fetch ID Card photos that retrieves your photo based on OIDC token introspection.

This session will discuss the history of the Safer* apps, the success story of the collaboration, and how effective it was on campus to help protect each campus from COVID-19. The Safer* apps also make extensive use of Grouper groups, at least in the Wisconsin environment, to drive COVID-19 testing rule requirements along with exemptions from testing.

Browser Changes and the Impact on Federated Identity

Speaker: Heather Flanagan (Seamless Access)

Over the last few years, we have all observed how browsers have stepped up to support user privacy. Unfortunately, that is coming at a significant cost for things like Single Sign-on and Federated Identity. In this BoF, we'll talk about the latest changes, timelines, and how individuals and organizations can learn more and prepare their services for the changing landscape.

1:50 - 2:00 pm EDT
19:50 - 20:00 CEST


2:00 - 2:50 pm EDT
20:00 - 20:50 CEST

What's New with COmanage (Registry and Match)?


Benn Oshrin (Spherical Cow Group), Laura Paglione (Spherical Cow Group)

In 2021, the population lifecycle management tool, COmanage Registry, released version 4.0. This major release contains many new features such as queue-based provisioning, MFA enrollment manager, identity documents for supporting identity proofing, boolean logic for nested groups, and more. In addition, we will share the latest about the long-anticipated COmanage Match system. COmanage Match can be used with Registry or independently to integrate with other campus identity systems to provide a heuristic-based system for matching identity records across multiple authoritative systems of record.

A complement to the COmanage BoF session, this session will provide an opportunity for you to get up-to-date on the latest and greatest that these tools have to offer and learn what is coming next in the development roadmap. For those just learning about COmanage, there will be a short introduction to the tools, training programs, and governance structure of this open-source project. We’ll also review details about how to stay informed as things progress over the next year.

Trusted Access Platform Success Stories


Summer Scanlan (University of California, Berkeley), James Babb (University of Wisconsin-Madison)

UC-Berkeley: We used Grouper and CAS (our authentication UI) to deploy a major authentication change, most recently requiring almost every user on campus to change their passphrase. Grouper let us target users who needed a passphrase change, and parse users into manageable groups of 2k (to start) to 8k per week. Grouper let us communicate directly with each group via the Google sync; it also let us display a different auth screen for users in the notify and block groups.

UW-Madison: Challenges discovered while rolling out midPoint to a school with an already mature Grouper environment. We will also hopefully have more applications on-boarded at that point and can talk about that experience too. We will also discuss our strategy and how our migration to AWS for Grouper went (planned Summer 2021...prep work in progress today). Our Grouper migration to AWS includes decoupling various downstream systems from directly using Grouper's database, and the challenges and options we faced there.

Join the University of Wisconsin-Madison and University of California, Berkeley, to find out how they used trusted access platforms such as midPoint, Grouper and SSO to implement large-scale change on campus. We will discuss successes, challenges, and lessons learned.

Real SSO: Linking multiple SSO Systems for a Better User Experience

Speakers: Keith Wessel (University of Illinois - Urbana-Champaign), Rob Carter (Duke University), Shilen Patel (Duke University)

Many if not most institutions these days have multiple SSO systems, each with its own strengths and weaknesses. It's not unusual to have Microsoft ADFS and Shibboleth along with others. This leads to users having to log in more often, greatly reducing the value of SSO. It's nearly impossible in most cases to have every service talk to one SSO system. But why not link SSO systems together so that a user only has to interact with a single SSO system? In this session, the University of Illinois at Urbana-Champaign and Duke University will show two different ways that they accomplished this.

2:50 - 5:00 pm EDT
20:50 - 23:00 CEST

Social Gathering + ACAMP Agenda Discussion

Tuesday, October 5, 2021

Please note that there are three tracks – keep on scrolling to the right to view the full schedule!

(All time ranges listed U.S. Eastern Standard Time and Central European Summer Time - please adjust accordingly for your time zone).

Time | Track 1 Session Title | Track 1 Session Abstract | Track 2 Session Title | Track 2 Session Abstract | Track 3 Session Title | Track 3 Session Abstract

8:00 - 10:00 am EDT 14:00 - 16:00 CEST

Social Gathering

10:00 - 10:10 am EDT 16:00 - 16:10 CEST

Welcome to CAMP

Speaker: Klaas Wierenga

10:10 - 11:00 am EDT 16:10 - 17:00 CEST

Advancing AAI by tighter integration of identity management with access management and midPoint


Slavek Licehammer (Evolveum)
This session will be composed of two parts. The first one will cover recent news from midPoint development as well as the current roadmap for future updates. The second part will look at AAI from a broader perspective. We will demonstrate how tighter integration of midPoint and access management can unlock untapped potential for new features and capabilities. For example, we see the potential in license management, improving self-service flows like requesting new roles, combining just-in-case with just-in-time provisioning or privacy-preserving features.

Accelerating the move to federated access for library e-resources

Moderator: Kelechi Okere, Elsevier


Linda Van Keuren (Georgetown University Medical Center), Meshna Koren (Elsevier), Andrew White (RPI), Ralph Youngen (American Chemical Society)

Even though federated authentication to library e-resources has been around for over 15 years, it has always been primarily used as a backup to IP access. Nevertheless, interest in using federated authentication as the primary authentication method has been growing in the past few years. The COVID-19 pandemic has been a powerful catalyst to this development, especially for remote access and its associated heightened cybersecurity concerns. While many universities are increasingly moving to SAML-based access for enterprise resources, we find that access to library e-resources is often not included in the SAML-based access plans. Part of the reason is a lack of appropriate coordination between central campus IT and the library. Join representatives from Elsevier, American Chemical Society and Rensselaer Polytechnic Institute for a lively discussion on developments to move to federated authentication-only access to library e-resources as part of broader security and identity and access management measures. The panel discussion will touch on key findings from projects each organization has undertaken to move towards federated authentication as a primary access method to library e-resources.

Distributed Identity for managing researcher access

Speaker: Niels van Dijk (SURF)

Researchers need access to many, often distributed, resources. For this purpose, many services support federated identity, which leverages the identity management of the home institution to handle authentication and provide a basic set of profile information. A new paradigm, Distributed Identity, tries to let users be in direct control of the profile information they share with services. This presentation showcases recent work in the GÉANT Trust and Identity Incubator on how Distributed Identity may be used to facilitate research access management. After describing the core concepts of Distributed Identity, the proof of concept platform that was used to test and validate the requirements will be demonstrated. The presentation concludes with an analysis of the potential benefits and challenges of using Distributed Identity for managing researcher access.

11:10 am - 12:00 pm EDT
17:10 - 18:00 CEST

InCommon Advisory Groups

Speakers: David Bantz (CTAB)
Rob Carter (CACTI)
Keith Wessel (TAC)

InCommon is all about the research and higher ed community. It benefits the community, and it’s the community that helps to drive it. In fact, it only works if the community gets involved. In this session, hear from the chairs of three InCommon advisory groups about what their groups have been working on this year and how you can help. The chairs of the InCommon Community Trust and Assurance Board (CTAB), the Community Architecture Committee for Trust and Identity (CACTI), and the InCommon Technical Advisory Committee (TAC) will present upcoming projects from their groups that might impact your organization. They’ll also tell you about ways that you can get involved.

Hosted solutions, federation adapters, evaluating cloud solutions

Speakers: Dedra Chamberlin (Cirrus Identity), Mike Grady (Unicon), Mary McKee (Duke University and Co-Chair IdPaaS Workgroup), Charise Arrowood (Unicon), Mark Rank (Cirrus Identity)

The InCommon TAC chartered the Identity Provider as a Service workgroup in response to community interest. The workgroup issued its final report in Jan 2021, and one key recommendation was for universities to explore "Federation Adapter" solutions. Such services fill gaps where commercial identity solutions, like Azure AD and Okta, do not meet requirements for multilateral federations like InCommon and CAF. This session will feature two vendors that offer hosted Identity Provider as a Service solutions: Cirrus Identity and Unicon. You'll hear about the solutions and how customers have implemented them. We would love to hear your input as well!

ADFS Toolkit, Including Support for REFEDS MFA


Chris Phillips (CANARIE), Johan Peterson (SUNET), Tommy Larsson (Umea University)

Supporting R&E standards of REFEDS MFA and Assurance Profiles is key to keeping researchers connected to their critical R&E infrastructure. This session shares lessons learned on implementing and operationalizing MFA and Assurance Profiles with AD FS using ADFSToolkit. Various approaches including using Azure where possible will be covered.

12:00 - 1:00 pm EDT 18:00 - 19:00 CEST

Break and BoF (Birds of a Feather)

Take a break or join a BoF! Bring your breakfast, lunch, dinner, beverage (depending on your time zone) and join in these informal discussions on topics of interest.

BoF - COVID-Based Access Management - Speaker: Anne Tambe
As many of us have experienced, the pandemic and the resulting lockdowns have brought about many challenges for Identity and Access Management teams. This BOF is intended as a space for members of the community to explore and exchange information related to COVID-19 remote solutions. We'd also like to touch on how these solutions will be utilized in a future after the pandemic and what long term effects (good or bad) this experience has had on the space.

BoF - COmanage - Speakers: Laura Paglione + Benn Oshrin

During 2020, COmanage has released new features, transitioned its training program to online, and refined its community engagement processes. During this COmanage Birds of a Feather session, we will have an open discussion directed by you - the current and prospective users of the tool - about the current state and future direction of the project.

1:00 - 1:50 pm EDT
19:00 - 19:50 CEST

Lightning Talks

Topics + Speakers:

OIDC Device code flow based SSH access with MFA: Dominik František Bučík (Masaryk University)

Advanced use-cases for eduPersonEntitlement in the ELIXIR AAI: Pavel Břoušek (Masaryk University)

What's NEW with Shibboleth IdP UI: Mike Grady (Unicon, Inc.)

OIDC Device code flow based SSH access with MFA: Heather Flanagan (Seamless Access)

Federation 2.0 working group - Tom Barton (Internet2) and Judith Bush (OCLC)

NIH and You: MFA, Identity Assurance, and Coming Requirements

Speakers: Jeff Erickson (NIH), Sumit Nanda (NIH), Sandeep Sathyaprasad (NIH)

Please join Jeff Erickson – National Institutes of Health (NIH) Center for Information Technology (CIT) Chief of Identity & Access Services – for a lively discussion on NIH’s transition to multi-factor authentication (MFA) to access NIH systems and applications. Starting September 15, 2021, NIH will begin a phased approach for enforcing MFA to access electronic Research Administration (eRA) modules. In this session, participants will learn about:
- NIH’s new identity management requirements that could affect access for faculty, researchers and scientists:
  - REFEDS Research and Scholarship Entity Category (R&S)
  - REFEDS MFA profile
  - REFEDS Assurance Framework
- What institutions and technologists need to do to prepare; and
- Recommendations for campuses

Splunk and Advanced Log Analysis

Speakers: Paul Riddle (UMBC), Keith Wessel (University of Illinois at Urbana-Champaign), Eric Coleman (University of Illinois at Urbana-Champaign), Scott Woods (West Arete), Anindita Bandyopadhyay (West Arete)

This session will show how two schools leveraged the power of Splunk to store and analyze Shibboleth IdP logs. University of Maryland Baltimore County will describe a methodology they developed for parsing the Shibboleth IdP Trusted Access Platform container log output and shipping it to Splunk in a format that Splunk can easily index. They’ll discuss how this logging infrastructure has worked for them, and how it might be adapted to other TAP components. Then, the University of Illinois at Urbana-Champaign will show how they used Shibboleth logs in Splunk to learn interesting and useful trends about service usage. Through the power of Splunk, Illinois is able to see not only the growth and spikes in single sign-on but also what populations are using what services and when. Learn how they’re using this data to better inform service decisions.
1:50 - 2:00 pm EDT
19:50 - 20:00 CEST

2:00 - 2:50 pm EDT
20:00 - 20:50 CEST

Closing Plenary: Bridging the Gap: Strategies to Enable Federated Access to SAML-shy Resources and Services

Moderator: Nicole Harris (GÉANT)

Speakers: Jim Basney, Christos Kanellopoulos, Leif Johansson

Proxies have emerged as a preferred way for providers to quickly bring new resources into a federation for access by users. Is it time we formally recognize proxies’ role in the federation, make appropriate adjustments, and recommend best practices to fully support proxies in our ecosystem?

Some of the questions to ponder may include: how does a proxy express to the IdP the varying attribute/authentication needs across the resources it proxies? Are there trust and policy implications? What is the best way to implement a proxy? What changes might we make to the federation trust model to recognize and support proxy in federation?

Join us as the panelists explore these questions and set the stage for what we hope is an Advance CAMP session to continue the discussion.

2:50 - 4:50 pm EDT
20:50 - 22:50 CEST

Social Gathering + ACAMP Agenda Discussion