Attending: Rob Carter (CACTI chair, facilitating, Duke University)
Etan Weintraub (Johns Hopkins)
Brian Arkills (U Washington)
Erik Coleman (U Illinois)
Erica Ohman (U Illinois)
Jeffrey Crawford (UCLA)
Jeremy Wilkerson (California State)
Keith Wessel (U Illinois)
Michael Trullinger (California State)
Marcus Mizushima (California State)
Ryan Rumbaugh (U Nebraska)
Shilen Patel (Duke University)
Steven Premeau (U Maine System)
Chris Dalansky (CMU)
* The group accepted proposed discussion ground rules without change.
* The group tentatively agreed to permit recording sessions for purposes
of note taking and validation *only*, with some reservations regarding
avoiding chilling discussion.
* The group agreed to try (in future meetings) designating two scribes at
the start of each meeting, and to require only four approvals before
making notes public (no sooner than 3 business days after they're submitted).
* The group agreed to elect (co)chair(s) (probably two) electronically,
and to proffer nominations to Rob (<firstname.lastname@example.org>) by COB 8-April-2022.
* Rob will collect chair nominations until COB Friday.
* Rob will collate nominations and send out a ballot next week
* The group will hope to select chairs (2) before the next meeting
The meeting started more or less on time. Rob opened with a reminder
that the group's activities fall under the auspices of the Internet2
Intellectual Property Agreement
and made note of the fact that the working group is chartered under
the sponsorship of CACTI (the Internet2 Community Architecture
Committee for Trust and Identity).
The agenda was accepted as proffered without change.
Rob asked each attendee to give the group a brief introduction noting
who they each are, where they're from, and a bit about their reason(s)
for participating in the working group. Members expressed interests
both in sharing experiences from their own campuses (multiple
participants noted that their sites were already doing something with
respect to linking SSO systems locally) and in learning from other
sites' experiences. Members mentioned a variety of SSO solutions as
relevant to their campuses -- Shibboleth, CAS, ADFS, AzureAD, and Okta
were all mentioned multiple times.
Rob then briefly reviewed the WG Charter
with the group. Points of note included:
* The WG's charter focuses on addressing needs in the community
associated with the demand for operating multiple SSO solutions
(for various reasons) within single organizations, raising the
question whether sites are really providing *single* sign on.
* The WG is required to meet at least every other week, to accept
members openly from throughout the community, and to publish its
* The WG has no fixed lifetime -- it's suggested that the work may be
completed in 3-6 months, but the charter is not time-bounded.
* Deliverables include:
+ an accounting of common use cases for linking SSO systems together
+ enumeration of the advantages/disadvantages and risks/benefits of
+ recommended recipes for implementing common patterns for SSO system linking
+ gap analysis and recommendations (if needed) for adjustments to
existing SSO system implementations to facilitate these recipes
The group then covered some initial ground rules for ongoing discussions. Rob noted that
these were derived from the ground rules under which CACTI tries to operate:
* Identify yourself when speaking (since we don't always recognize one another's
voices, at least not yet)
* Ask for and be prepared to provide clarification as needed. Try to explain
acronyms, etc. when they may not be well-understood by the whole group.
* Be willing to disagree, but be respectful in your disagreements.
* Disclose any conflicts of interest you may have during conversations.
The ground rules were accepted by the group without dissent.
The group then moved to discussing mechanics for publishing notes from
Rob outlined a few options for scribing approaches, and asked if the
group would be willing to have meetings recorded. There was general
agreement that recording meetings would be acceptable *provided* the
recordings were never made public and were used solely to facilitate
note taking and correction. Some reservations were expressed
regarding the possibility for recording to make people uncomfortable
about speaking, and it was noted that recording may or may not be
technically possible in all cases, given that the Internet2 Zoom
system may not be available for use by this WG.
Keith noted that TAC has recently had success with a model wherein
the group calls for two volunteers to scribe each meeting. The scribes
are responsible for taking notes for one another while either one
is speaking, helping to ensure good note coverage.
Rob noted that CACTI uses a policy wherein notes are published once
four approvals have been proffered by members, but said that this WG
could go so far as to require approvals from every member, or to
simply give participants a time limit for redacting/correcting notes
before they're published.
It was generally agreed that the WG will operate under a policy of
requiring four attendees to approve notes from a given meeting
before publication, but that notes will be published no sooner than
three business days after they're offered for review.
Discussion moved to the selection of chair(s) for the WG. It was
noted that there's good reason to hope for more than one chair
(either two co-chairs or a chair and vice-chair). This, Keith noted,
has worked well in other working groups and addresses cases when one
chair may be unable to make a meeting, as well as allowing the
chairs to share the workload.
Rob noted that there is a document outlining the responsibilities
(officially) of WG chairs
and that Internet2 will likely not provide a flywheel for this WG
(which means the group itself will be responsible for its own
operation). The chair(s) essentially act as the strategic leaders
for the group, overseeing the group's progress toward meeting the
goals set out in the charter, convening and facilitating meetings,
producing and managing agendas for meetings, and acting as a contact
point for the group with Internet2, CACTI (as the group sponsor), and
There being only 5 minutes left in the hour, Rob suggested that members
send their chair nominations (including self nominations) to him, and
asked that the group respond with nominations by the end of this week
(COB Friday, 8-April-2022). Rob agreed to collate nominations and send
out a ballot next week, with an eye toward getting chair(s) elected in
time for the next meeting. The group generally agreed to this, and
Rob noted that the next meeting will either be convened and facilitated
by the new chair(s) (if they're selected in time) or by him (to introduce
the chairs for the next meeting).
The meeting adjourned slightly late (around 3:04 PM ET).
The next scheduled meeting will be from 2-3 PM ET (18:00 -19:00 UTC)
on Wednesday, 20-April-2022. Invitations and Zoom coordinates will
be sent out in advance, based on chair decisions to be made
electronically before the next call.
Highlights from the Zoom chat session during the meeting:
Brian noted during his introduction that he'd recently participated in a paper
at UW reviewing the various SSO solutions available, and noted that one of the
upshots of that was a sense that various commercial IDP solutions provide a lot
more capabilities / options than Shibboleth. He provided two links -- one to a
presentation he gave on the topic:
at the Microsoft Higher Ed conference last year, and the slide
deck associated with the presentation:
and noted that UW's assessment scored Shibboleth lowest of the
IDPs in its evaluation on support for OAuth, SCIM, centralized
policy control/access revocation for external users, and "security"
(defined as JIT detection of risky user activity, fraud detection,
Etan noted that Johns Hopkins has recently retired their ADFS
environment. Brian noted UW did so a couple months earlier.
Michael noted that some Cal State campuses are going in the
opposite direction due to InTune deployments' requiring
Brian suggested that a core tension exists between defining
utility in terms of a unified sign-in UX and in terms of
enablement of capabilities, and proposed that arguments
for unified sign-ins are weak, because everyone uses lots of
different sign-in systems anyway, and because the primary
security concerns don't involve user confusion regarding
Steven noted that browser developers seem intent on making
web-based UIs look and feel *identical* in ways that make it
virtually impossible to establish trust with an end-user in a
given user interface (since they are largely indistinguishable).
Michael noted that we need to be careful not to let
recording calls make people less comfortable speaking up during