October 4-8, 2021 - Virtual

What is CAMP? The acronym means Campus Architecture and Middleware Planning. CAMP has come to mean the series of track sessions that include case studies, organizations’ innovations in identity management, best practices, and other presentations that help move the community forward.

Need to register?

Pricing information (includes all five days of programming)

InCommon Participants and Internet2 Members: $275
International Constituents: $275
All Others: $375

CAMP Program

The program for the Advance CAMP portion of the meeting (October 6-8) is here.

Monday, October 4, 2021

Note - there are three tracks – keep on scrolling to the right

(All times U.S. Eastern Standard Time)

Time | Track 1 Session Title | Track 1 Session Abstract | Track 2 Session Title | Track 2 Session Abstract | Track 3 Session Title | Track 3 Session Abstract
10:30 - 11:35 | CAMP Opening and Plenary
11:35 - 11:45 am | Break
11:45 - 12:35 am

Shibboleth 2021 Review and Future Roadmap

Speakers: Scott Cantor, Shibboleth Consortium

The Shibboleth Consortium will provide a brief "State of the Consortium" review and the Shibboleth Project will outline 2021 accomplishments and the software roadmap, including an update on the latest thinking about Service Provider sustainability/replacement.

West Chester University Journey To Improve Its Overall Identity Management Profile

West Chester University IT leaders, infrastructure and information security experts will discuss lessons learned improving the institution's identity management profile, including pivots related to COVID-19. The conversation will cover how we consolidated SSO, MFA, and VPN and enhanced security controls, protecting access for students, faculty, and staff.

REFEDS Assurance and Assured Access Working Group

Speakers:

Brett Bieber (University of Nebraska), Jule Ziegler (LRZ/DFN)

Brett: Service providers, including the National Institutes of Health, are beginning to take an interest in identity assurance and how this is expressed through federated authentication. Members of the Assured Access Working Group (AAWG) will share recommendations on implementing the REFEDS Assurance Framework claim levels within your campus identity architecture, including best practices and pitfalls to quickly leverage existing processes. Attendees will come away with a comprehensive understanding of the REFEDS Assurance Framework, which partners across their local campus should be engaged in this effort, and how to organize a task force to begin implementation.

Jule: Updates from REFEDS Assurance WG, such as eduPersonAssurance standing within R&S, potential updates of the specifications, outcomes from MFA subgroup, European projects which are addressing assurance (e.g. FIM4R).

12:35 am - 1:35 pm

Break and BoF (Birds of a Feather)

Take a break or join a BoF! Bring your breakfast, lunch, dinner, beverage (depending on your time zone) and join in these informal discussions on topics of interest.

BoF - MFA Rollout - Azure and Others. Lessons Learned so you don't need to relearn them

BoF - eduroam: Enabling the Next 1,000 Subscribers

1:35 - 2:25 pm

What's New with Grouper?

Speakers:

Chris Hyzer

Talk about new functionality in the Grouper product and the roadmap going forward.

Safer Community - A story of collaboration to help protect campuses from COVID-19

Speakers:

Brett Bieber (University of Nebraska), Keith Wessel (University of Illinois), James Babb (University of Wisconsin-Madison)

The University of Illinois in Fall 2020 spun up the Safer Illinois app and mass COVID-19 testing to help protect their campus against outbreaks. The Safer Illinois app was then licensed out and purchased by the University of Nebraska as Safer Nebraska and the University of Wisconsin-Madison as Safer Badgers.

The app required OIDC, which neither Wisconsin nor Nebraska had particularly used in a production setting before. By working together with each other, we were able to introduce a production-ready app for the Spring semester in a very short amount of time including using the Shibboleth OIDC plugin and developing an API to fetch ID Card photos that retrieves your photo based on OIDC token introspection.

This session will discuss the history of the Safer* apps, the success story of the collaboration, and how effective it was on campus to help protect each campus from COVID-19. The Safer* apps also make extensive use of Grouper groups, at least in the Wisconsin environment, to drive COVID-19 testing rule requirements along with exemptions from testing.

Browser Changes and the Impact on Federated Identity


Speaker: Heather Flanagan

Over the last few years, we have all observed how browsers have stepped up to support user privacy. Unfortunately, that is coming at a significant cost for things like Single Sign-on and Federated Identity. In this BoF, we'll talk about the latest changes, timelines, and how individuals and organizations can learn more and prepare their services for the changing landscape.

2:25 - 2:35 pm | Break
2:35 - 3:25 pm

What's New with COmanage (Registry and Match)?

Speaker:

Benn Oshrin (Spherical Cow Group)

In 2021, the population lifecycle management tool, COmanage Registry, released version 4.0. This major release contains many new features such as queue-based provisioning, MFA enrollment manager, identity documents for supporting identity proofing, boolean logic for nested groups, and more. In addition, we will share the latest about the long-anticipated COmanage Match system. COmanage Match can be used with Registry or independently to integrate with other campus identity systems to provide a heuristic-based system for matching identity records across multiple authoritative systems of record.

A complement to the COmanage BoF session, this session will provide an opportunity for you to get up-to-date on the latest and greatest that these tools have to offer and learn what is coming next in the development roadmap. For those just learning about COmanage, there will be a short introduction to the tools, training programs, and governance structure of this open-source project. We’ll also review details about how to stay informed as things progress over the next year.

Trusted Access Platform Success Stories

Speakers:

Summer Scanlan (University of California, Berkeley), James Babb (University of Wisconsin-Madison)

UC-Berkeley: We used Grouper and CAS (our authentication UI) to deploy a major authentication change, most recently requiring almost every user on campus to change their passphrase. Grouper let us target users who needed a passphrase change, and parse users into manageable groups of 2k (to start) to 8k per week. Grouper let us communicate directly with each group via the Google sync; it also let us display a different auth screen for users in the notify and block groups.

UW-Madison: Challenges discovered while rolling out midPoint to a school with an already mature Grouper environment. We will also hopefully have more applications on-boarded at that point and can talk about that experience too. We will also discuss our strategy and how our migration to AWS for Grouper went (planned Summer 2021... prep work in progress today). Our Grouper migration to AWS includes decoupling direct use of Grouper's database from various downstream systems, and the challenges and options we faced there.

Real SSO: Linking multiple SSO Systems for a Better User Experience

Speakers: Keith Wessel and Rob Carter

Many if not most institutions these days have multiple SSO systems, each with its own strengths and weaknesses. It's not unusual to have Microsoft ADFS and Shibboleth along with others. This leads to users having to log in more often, greatly reducing the value of SSO. It's nearly impossible in most cases to have every service talk to one SSO system. But why not link SSO systems together so that a user only has to interact with a single SSO system? In this session, the University of Illinois at Urbana-Champaign and Duke University will show two different ways that they accomplished this.

Tuesday, October 5, 2021

(All times U.S. Eastern Standard Time)

Time | Track 1 Session Title | Track 1 Session Abstract | Track 2 Session Title | Track 2 Session Abstract | Track 3 Session Title | Track 3 Session Abstract
10:30 - 9:45 am | Welcome to Tuesday
10:45 - 11:35 am

midPoint Update: Advancing AAI by Tighter Integration of IdM and Access Management

Speakers:

Slavek Licehammer (Evolveum)

The presentation will be split into two main parts. The first one will focus on the area from a high-level perspective - discussing benefits, use-cases, as well as challenges that tighter integration of identity management and access management can bring. The second part will expand the first part with concrete examples of how some of the use-cases might be implemented with the identity management system midPoint. It will be a combination of ideas, configuration examples and live demonstrations.

Accelerating the move to federated access for library e-resources

Speakers:

Ken Klingenstein (Internet2), Meshna Koren (Elsevier), Andrew White (RPI), Ralph Youngen (American Chemical Society)

Even though federated authentication to library e-resources has been around for over 15 years, it has always been primarily used as a backup to IP access. Nevertheless, interest in using federated authentication as the primary authentication method has been growing in the past few years. The COVID-19 pandemic has been a powerful catalyst to this development, especially for remote access and its associated heightened cybersecurity concerns. While many universities are increasingly moving to SAML-based access for enterprise resources, we find that access to library e-resources is often not included in the SAML-based access plans. Part of the reason is lack of appropriate coordination between central campus IT and the library. Join representatives from Elsevier, American Chemical Society and Rensselaer Polytechnic Institute for a lively discussion on developments to move to federated authentication-only to library e-resources as part of broader security and identity and access management measures. The panel discussion will touch on key findings from projects each organization has undertaken to move towards federated authentication as a primary access method to library e-resources.

GÉANT Incubator

Speaker: Niels van Dijk (SUNET)

What's new and coming from GÉANT
11:35 - 11:45 am | Break
11:45 - 12:35 am

InCommon Advisory Groups

Speakers:

David Bantz (CTAB)
Rob Carter (CACTI)
Keith Wessel (TAC)



Abstract to come

Services in the Cloud

Speakers: Dedra Chamberlin (Cirrus Identity), Mike Grady (Unicon)


Cirrus: The InCommon Technical Advisory Committee chartered a work group to explore Identity Providers as a Service. Community members had been asking for more options for adding an Identity Provider to InCommon. Especially as many campuses pursue "cloud first" strategies, demand was growing for hosted solutions to enable membership in InCommon using existing cloud identity solutions like Microsoft Azure Active Directory. The work group report was recently published, and among the recommendations are that campuses consider "federation adapters" that can help bridge commercial SSO solutions like Microsoft Azure AD and Okta to the federation. This session will explain what a "federation adapter" is and why a campus might want to choose one (or not). Many federation adapter solutions can also help campuses meet the upcoming InCommon baseline 2 requirement and the NIH requirements. Panelists will include staff from campuses that have implemented a federation adapter, as well as representatives from InCommon Catalyst partners who provide federation adapter solutions.

Unicon: Discuss options and considerations for InCommon and other federation members to consider when evaluating cloud/hosted solutions, and some of the options in that space.

ADFS Toolkit, Including Support for REFEDS MFA

Speakers:

Chris Phillips (CANARIE), Johan Peterson (SUNET), Tommy Larsson (SUNET)

Supporting R&E standards of REFEDS MFA and Assurance Profiles is key to keeping researchers connected to their critical R&E infrastructure. This session shares lessons learned on implementing and operationalizing MFA and Assurance Profiles with AD FS using ADFSToolkit. Various approaches including using Azure where possible will be covered.

12:35 am - 1:35 pm

Break and BoF (Birds of a Feather)

Take a break or join a BoF! Bring your breakfast, lunch, dinner, beverage (depending on your time zone) and join in these informal discussions on topics of interest.

BoF - COVID-Based Access Management

BoF - COmanage

1:35 - 2:25 pm

Lightning Talks

Moderator: Nicole Harris (GÉANT)


1) Seamless Access
2) Federation 2.0
3) OIDC Device Code Flow
4) eduPerson entitlement use cases
5) Shibboleth UI
6) eduroam

National Institutes of Health

Speaker:

Jeff Erickson (NIH)

Abstract to come.

Splunk and Advanced Log Analysis

Speakers: Paul Riddle (UMBC), Keith Wessel at Urbana-Champaign

UMBC: At UMBC, we struggled for some time to find a solution for getting our TAP container logs into Splunk. The first part of this talk will describe a methodology we've developed for parsing the Shibboleth IdP container log output and shipping it to Splunk in a format that Splunk can easily index. We'll discuss how this logging infrastructure has worked for us, and how it might be adapted to other TAP components.

Once our data was in Splunk, we worked with West Arete to develop a dashboard that helps us to visualize various different metrics related to the operation of our IdP, and the second part of the talk will focus on this piece. We'll talk about insights we've gained related to the operation of our IdP, and how this tool has helped to make our IdP infrastructure run more efficiently and cost-effectively.

Illinois: The global pandemic has shifted many things, one of which is the move to much more distance learning. This move has brought out many new trends and patterns in the usages of campus IT services. Thanks to the advanced log analysis and reporting functions available from services like Splunk, it's easy to see these trends and use them to grow services, security practices, and cloud architecture. It all starts, though, with how to analyze your IAM systems' logs. What services are students logging into these days, not just during the day, but in the evenings? Why might you see load spikes on your SSO systems at 11:00 PM on a Friday night? And how do usage patterns differ now that many of us are working for institutions with students located around the globe? In this session, you'll learn about the trends that the University of Illinois found in the logs from the Urbana-Champaign campus and how they're using those to make informed decisions about their future plans.

2:25 - 2:35 pm | Break
2:35 - 3:25 pm

Closing Plenary

