

Welcome to the 2021 CAMP! InCommon’s annual gathering of the international identity and access management community.

Dates: October 4-8, 2021

Location: Virtual

What is CAMP? The acronym means Campus Architecture and Middleware Planning. CAMP has come to mean the series of track sessions that include case studies, organizations’ innovations in identity management, best practices, and other presentations that help move the community forward.

The CAMP program is developed by a community program committee based on community-submitted proposals. The event draws identity architects, developers, implementers, service provider operators, and other identity management professionals with any level of experience.

What is ACAMP? Advance CAMP is an unconference, with participants developing the agenda at the beginning of the event. ACAMP then continues with as many as five breakout sessions per hour to discuss issues of interest to the international research and education identity and access management community. Each ACAMP session is documented by a group scribing process.

Registration Information:

Pricing (includes all five days of CAMP + ACAMP programming):

InCommon Participants and Internet2 Members: $275
International Constituents: $275
All Others: $375

Register Here

CAMP + ACAMP Program

Please see below for our CAMP schedule (October 4 - 5, 2021).

The program for the Advance CAMP portion of the meeting (October 6 - 8, 2021) can be found here (this will be filled in each day as attendees determine session topics).

Monday, October 4, 2021

Please note that there are three tracks – keep on scrolling to the right to view the full schedule!

(All time ranges listed U.S. Eastern Standard Time and Central European Summer Time - please adjust accordingly for your time zone).

Time | Track 1 Session Title | Track 1 Session Abstract | Track 2 Session Title | Track 2 Session Abstract | Track 3 Session Title | Track 3 Session Abstract

8:00 - 10:00 am EDT 14:00 - 16:00 CEST

Social Gathering

10:00 - 10:10 am EDT 16:00 - 16:10 CEST

Welcome to CAMP

Speaker: Kevin Morooney

10:10 - 11:00 am EDT 16:10 - 17:00 CEST

Opening Plenary: Library Access of the Future - Four Perspectives

Moderator: Kristi Holmes (Northwestern University)

Speakers: Tim Lloyd (Liblynx), Tracy Tolliver (University of Illinois - Urbana-Champaign), Jeri Pavlik (CESNET; CzechELib), Heather Flanagan (Seamless Access)

There has been a great deal of work done around making access management to content providers easier and more secure. However, there are still gaps for many of the stakeholders in the process. Each of the panelists is involved from a library community, IT support, or provider perspective and will discuss their views about the future of federated access to resources and what it takes to get there. What role do federations or other consortiums play? What gaps are important to close sooner rather than later?

11:00 - 11:10 am EDT 17:00 - 17:10 CEST

Break

11:10 am - 12:00 pm EDT 17:10 - 18:00 CEST

Shibboleth 2021 Review and Future Roadmap

Speakers: Scott Cantor (Shibboleth Consortium)

The Shibboleth Consortium will provide a brief "State of the Consortium" review and the Shibboleth Project will outline 2021 accomplishments and the software roadmap, including an update on the latest thinking about Service Provider sustainability/replacement.

West Chester University Journey To Improve Its Overall Identity Management Profile

Speakers: JT Singh (West Chester University of Pennsylvania)

West Chester University IT leaders, infrastructure and information security experts will discuss lessons learned improving the institution's identity management profile, including pivots related to COVID-19. The conversation will cover how we consolidated SSO, MFA, and VPN and enhanced security controls—protecting access for students, faculty, and staff.

REFEDS Assurance and Assured Access Working Group

Speakers:

Brett Bieber (University of Nebraska), Jule Ziegler (LRZ/DFN)

Brett: Service providers, including the National Institutes of Health, are beginning to take an interest in identity assurance and how this is expressed through federated authentication. Members of the Assured Access Working Group (AAWG) will share recommendations on implementing the REFEDS Assurance Framework claim levels within your campus identity architecture, including best practices and pitfalls to quickly leverage existing processes. Attendees will come away with a comprehensive understanding of the REFEDS Assurance Framework, which partners across their local campus should be engaged in this effort, and how to organize a task force to begin implementation.

Jule: Updates from REFEDS Assurance WG, such as eduPersonAssurance standing within R&S, potential updates of the specifications, outcomes from MFA subgroup, European projects which are addressing assurance (e.g. FIM4R).

12:00 - 1:00 pm EDT 18:00 - 19:00 CEST

Break and BoF (Birds of a Feather)

Take a break or join a BoF! Bring your breakfast, lunch, dinner, beverage (depending on your time zone) and join in these informal discussions on topics of interest.

BoF - midPoint Review - Speaker: Keith Hazelton (Internet2)

BoF - MFA Rollout - Azure and Others. Lessons Learned so you don't need to relearn them - Speaker: Etan Weintraub (Johns Hopkins University)

BoF - eduroam: Enabling the Next 1,000 Subscribers - Speaker: Mike Zawacki (Internet2)

1:00 - 1:50 pm EDT
19:00 - 19:50 CEST

What's New with Grouper?

Speakers:

Chris Hyzer (University of Pennsylvania)
Talk about new functionality in the Grouper product and the roadmap going forward.

Safer Community - A story of collaboration to help protect campuses from COVID-19

Speakers:

Brett Bieber (University of Nebraska), Keith Wessel (University of Illinois), James Babb (University of Wisconsin-Madison)

The University of Illinois in Fall 2020 spun up the Safer Illinois app and mass COVID-19 testing to help protect their campus against outbreaks. The Safer Illinois app was then licensed out and purchased by the University of Nebraska as Safer Nebraska and the University of Wisconsin-Madison as Safer Badgers.

The app required OIDC, which neither Wisconsin nor Nebraska had particularly used in a production setting before. By working together with each other, we were able to introduce a production-ready app for the Spring semester in a very short amount of time including using the Shibboleth OIDC plugin and developing an API to fetch ID Card photos that retrieves your photo based on OIDC token introspection.

This session will discuss the history of the Safer* apps, the success story of the collaboration, and how effective it was on campus to help protect each campus from COVID-19. The Safer* apps also make extensive use of Grouper groups, at least in the Wisconsin environment, to drive COVID-19 testing rule requirements along with exemptions from testing.

Browser Changes and the Impact on Federated Identity


Speaker: Heather Flanagan (Seamless Access)

Over the last few years, we have all observed how browsers have stepped up to support user privacy. Unfortunately, that is coming at a significant cost for things like Single Sign-on and Federated Identity. In this BoF, we'll talk about the latest changes, timelines, and how individuals and organizations can learn more and prepare their services for the changing landscape.

1:50 - 2:00 pm EDT
19:50 - 20:00 CEST

Break

2:00 - 2:50 pm EDT
20:00 - 20:50 CEST

What's New with COmanage (Registry and Match)?

Speaker:

Benn Oshrin (Spherical Cow Group)

In 2021, the population lifecycle management tool, COmanage Registry, released version 4.0. This major release contains many new features such as queue-based provisioning, MFA enrollment manager, identity documents for supporting identity proofing, boolean logic for nested groups, and more. In addition, we will share the latest about the long-anticipated COmanage Match system. COmanage Match can be used with Registry or independently to integrate with other campus identity systems to provide a heuristic-based system for matching identity records across multiple authoritative systems of record.

A complement to the COmanage BoF session, this session will provide an opportunity for you to get up-to-date on the latest and greatest that these tools have to offer and learn what is coming next in the development roadmap. For those just learning about COmanage, there will be a short introduction to the tools, training programs, and governance structure of this open-source project. We’ll also review details about how to stay informed as things progress over the next year.

Trusted Access Platform Success Stories

Speakers:

Summer Scanlan (University of California, Berkeley), James Babb (University of Wisconsin-Madison)

UC-Berkeley: We used Grouper and CAS (our authentication UI) to deploy a major authentication change, most recently requiring almost every user on campus to change their passphrase. Grouper let us target users who needed a passphrase change, and parse users into manageable groups of 2k (to start) to 8k per week. Grouper let us communicate directly with each group via the Google sync; it also let us display a different auth screen for users in the notify and block groups.

UW-Madison: Challenges discovered while rolling out midPoint to a school with an already mature Grouper environment. We will also hopefully have more applications on-boarded at that point and can talk about that experience too. We will also discuss our strategy and how our migration to AWS for Grouper went (planned Summer 2021...prep work in progress today.). Our Grouper migration to AWS includes decoupling directly using Grouper's database from various downstream systems and the challenges and options there we faced.

Real SSO: Linking multiple SSO Systems for a Better User Experience

Speakers: Keith Wessel (University of Illinois - Urbana-Champaign) and Rob Carter (Duke University)

Many if not most institutions these days have multiple SSO systems, each with its own strengths and weaknesses. It's not unusual to have Microsoft ADFS and Shibboleth along with others. This leads to users having to log in more often, greatly reducing the value of SSO. It's nearly impossible in most cases to have every service talk to one SSO system. But why not link SSO systems together so that a user only has to interact with a single SSO system? In this session, the University of Illinois at Urbana-Champaign and Duke University will show two different ways that they accomplished this.

2:50 - 4:50 pm EDT
20:50 - 22:50 CEST

Social Gathering + ACAMP Agenda Discussion

Tuesday, October 5, 2021

Please note that there are three tracks – keep on scrolling to the right to view the full schedule!

(All time ranges listed U.S. Eastern Standard Time and Central European Summer Time - please adjust accordingly for your time zone).

Time | Track 1 Session Title | Track 1 Session Abstract | Track 2 Session Title | Track 2 Session Abstract | Track 3 Session Title | Track 3 Session Abstract

8:00 - 10:00 am EDT 14:00 - 16:00 CEST

Social Gathering

10:00 - 10:10 am EDT 16:00 - 16:10 CEST

Welcome to CAMP

Speaker: Kevin Morooney

10:10 - 11:00 am EDT 16:10 - 17:00 CEST

midPoint Update: Advancing AAI by Tighter Integration of IdM and Access Management

Speakers:

Slavek Licehammer (Evolveum)
The presentation will be split into two main parts. The first one will focus on the area from a high-level perspective - discussing benefits, use-cases, as well as challenges that tighter integration of identity management and access management can bring. The second part will expand the first part with concrete examples of how some of the use-cases might be implemented with the identity management system midPoint. It will be a combination of ideas, configuration examples and live demonstrations.

Accelerating the move to federated access for library e-resources

Speakers:

Ken Klingenstein (Internet2), Meshna Koren (Elsevier), Andrew White (RPI), Ralph Youngen (American Chemical Society)

Even though federated authentication to library e-resources has been around for over 15 years, it has always been primarily used as a backup to IP access. Nevertheless, interest in using federated authentication as the primary authentication method has been growing in the past few years. The COVID-19 pandemic has been a powerful catalyst to this development, especially for remote access and its associated heightened cybersecurity concerns. While many universities are increasingly moving to SAML-based access for enterprise resources, we find that access to library e-resources is often not included in the SAML-based access plans. Part of the reason is lack of appropriate coordination between central campus IT and the library. Join representatives from Elsevier, American Chemical Society and Rensselaer Polytechnic Institute for a lively discussion on developments to move to federated authentication-only to library e-resources as part of broader security and identity and access management measures. The panel discussion will touch on key findings from projects each organization has undertaken to move towards federated authentication as a primary access method to library e-resources.

GÉANT Incubator

Speaker: Niels van Dijk (SUNET)

Researchers need access to many, often distributed, resources. For this purpose, many services support federated identity, which leverages the identity management of the home institution to handle authentication and provide a basic set of profile information. Next, the home institution profile needs to be complemented with information from the research community, such as roles and group memberships. Additional registries may also be needed, for example to get specific identifiers like ORCID. This flow is typically facilitated by a community AAI, where a membership management component acts as the research community registry and a proxy is used to collect and then redistribute the required profile information.

A new paradigm, Distributed Identity, tries to put users in direct control of the profile information they share with services. In a Distributed Identity workflow, the users collect claims themselves from various sources in a so-called ‘wallet’ and subsequently provide these when requested by services. As such, the user has full control over the release of attributes. The services can then check the validity of these claims.

This presentation showcases recent work in the GÉANT Trust and Identity Incubator on how Distributed Identity may be used to facilitate research access management. After describing the core concepts of Distributed Identity, the proof of concept platform that was used to test and validate the requirements will be demonstrated. The presentation concludes with an analysis of the potential benefits and challenges of using Distributed Identity for managing researcher access.

11:00 - 11:10 am EDT 17:00 - 17:10 CEST

Break

11:10 am - 12:00 pm EDT
17:10 - 18:00 CEST

InCommon Advisory Groups

Speakers: David Bantz (CTAB)
Rob Carter (CACTI)
Keith Wessel (TAC)



Representatives from InCommon's Advisory Groups will come together and highlight important work from the community and the focus of their respective groups.

Hosted solutions, federation adapters, evaluating cloud solutions

Speakers: Dedra Chamberlin (Cirrus Identity), Mike Grady (Unicon)


Cirrus: The InCommon Technical Advisory Committee chartered a work group to explore Identity Providers as a Service. Community members had been asking for more options for adding an Identity Provider to InCommon. Especially as many campuses pursue "cloud first" strategies, demand was growing for hosted solutions to enable membership in InCommon using existing cloud identity solutions like Microsoft Azure Active Directory. The workgroup report was recently published, and among the recommendations are that campuses consider "federation adapters" that can help bridge commercial SSO solutions like Microsoft Azure AD and Okta to the federation. This session will explain what a "federation adapter" is and why a campus might want to choose one (or not). Many federation adapter solutions can also help campuses meet the upcoming InCommon baseline 2 requirement and the NIH requirements. Panelists will include staff from campuses that have implemented a federation adapter, as well as representatives from InCommon Catalyst partners who provide federation adapter solutions.

Unicon: Discuss options and considerations for InCommon and other federation members to consider when evaluating cloud/hosted solutions, and some of the options in that space.

ADFS Toolkit, Including Support for REFEDS MFA

Speakers:

Chris Phillips (CANARIE), Johan Peterson (SUNET), Tommy Larsson (SUNET)

Supporting R&E standards of REFEDS MFA and Assurance Profiles is key to keeping researchers connected to their critical R&E infrastructure. This session shares lessons learned on implementing and operationalizing MFA and Assurance Profiles with AD FS using ADFSToolkit. Various approaches including using Azure where possible will be covered.

12:00 - 1:00 pm EDT 18:00 - 19:00 CEST

Break and BoF (Birds of a Feather)

Take a break or join a BoF! Bring your breakfast, lunch, dinner, beverage (depending on your time zone) and join in these informal discussions on topics of interest.

BoF - COVID-Based Access Management - Speaker: Anne Tambe

BoF - COmanage - Speakers: Laura Paglione + Benn Oshrin

1:00 - 1:50 pm EDT
19:00 - 19:50 CEST

Lightning Talks


Topics + Speakers:

OIDC Device code flow based SSH access with MFA: Dominik František Bučík (Masaryk University)

Advanced use-cases for eduPersonEntitlement in the ELIXIR AAI: Pavel Břoušek (Masaryk University)

What's NEW with Shibboleth IdP UI: Charise Arrowood (Unicon, Inc.)

SeamlessAccess - Current Status and Future Direction: Heather Flanagan (Seamless Access)

Federation 2.0 working group: Tom Barton (Internet2) and Judith Bush (OCLC)

NIH and You: MFA, Identity Assurance, and Coming Requirements

Speaker: Jeff Erickson (NIH)

An update on NIH requirements for the eRA and other applications - R&S, MFA, identity assurance, and more.

Splunk and Advanced Log Analysis

Speakers: Paul Riddle (UMBC), Keith Wessel (University of Illinois - Urbana-Champaign)

UMBC: At UMBC, we struggled for some time to find a solution for getting our TAP container logs into Splunk. The first part of this talk will describe a methodology we've developed for parsing the Shibboleth IdP container log output and shipping it to Splunk in a format that Splunk can easily index. We'll discuss how this logging infrastructure has worked for us, and how it might be adapted to other TAP components.

Once our data was in Splunk, we worked with West Arete to develop a dashboard that helps us to visualize various different metrics related to the operation of our IdP, and the second part of the talk will focus on this piece. We'll talk about insights we've gained related to the operation of our IdP, and how this tool has helped to make our IdP infrastructure run more efficiently and cost-effectively.

Illinois: The global pandemic has shifted many things, one of which is the move to much more distance learning. This move has brought out many new trends and patterns in the usages of campus IT services. Thanks to the advanced log analysis and reporting functions available from services like Splunk, it's easy to see these trends and use them to grow services, security practices, and cloud architecture. It all starts, though, with how to analyze your IAM systems' logs. What services are students logging into these days, not just during the day, but in the evenings? Why might you see load spikes on your SSO systems at 11:00 PM on a Friday night? And how do usage patterns differ now that many of us are working for institutions with students located around the globe?

In this session, you'll learn about the trends that the University of Illinois found in the logs from the Urbana-Champaign campus and how they're using those to make informed decisions about their future plans.

1:50 - 2:00 pm EDT
19:50 - 20:00 CEST
Break

2:00 - 2:50 pm EDT
20:00 - 20:50 CEST

Closing Plenary: Bridging the Gap: Strategies to Enable Federated Access to SAML-shy Resources and Services

Moderator: Nicole Harris (GÉANT) 

Proxies have emerged as a preferred way for providers to quickly bring new resources into a federation for access by users. Is it time we formally recognize proxies’ role in the federation, make appropriate adjustments, and recommend best practices to fully support proxies in our ecosystem?

Some of the questions to ponder may include: how does a proxy express to the IdP the varying attribute/authentication needs across the resources it proxies? Are there trust and policy implications? What is the best way to implement a proxy? What changes might we make to the federation trust model to recognize and support proxy in federation?

Join us as the panelists explore these questions and set the stage for what we hope is an Advance CAMP session to continue the discussion.

2:50 - 4:50 pm EDT
20:50 - 22:50 CEST

Social Gathering + ACAMP Agenda Discussion