Attending:  Rob Carter (CACTI chair, facilitating, Duke University)

    Etan Weintraub (Johns Hopkins)

    Brian Arkills (U Washington)

    Erik Coleman (U Illinois)

    Erica Ohman (U Illinois)

    Jeffrey Crawford (UCLA)

    Jeremy Wilkerson (California State)

    Keith Wessel (U Illinois)

    Michael Trullinger (California State)

    Marcus Mizushima (California State)

    Ryan Rumbaugh (U Nebraska)

    Shilen Patel (Duke University)

    Steven Premeau (U Maine System)

    Chris Dalansky (CMU)


Decisions:


* The group accepted proposed discussion ground rules without change.

* The group tentatively agreed to permit recording sessions for purposes

  of note taking and validation *only*, with some reservations regarding

  avoiding chilling discussion.

* The group agreed to try (in future meetings) designating two scribes at

  the start of each meeting, and to require only four approvals before

  making notes public (no sooner than 3 business days after they're submitted

  for approval).

* The group agreed to elect (co)chair(s) (probably two) electronically,

  and to proffer nominations to Rob (<rob@duke.edu>) by COB 8-April-2022.


Action items:


       * Rob will collect chair nominations until COB Friday.

       * Rob will collate nominations and send out a ballot next week

       * The group will hope to select chairs (2) before the next meeting


Notes:


The meeting started more or less on time.  Rob opened with a reminder

that the group's activities fall under the auspices of the Internet2

Intellectual Property Agreement


( https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/ )


and made note of the fact that the working group is chartered under

the sponsorship of CACTI (the Internet2 Community Architecture

Committee for Trust and Identity).


The agenda was accepted as proffered without change.


Rob asked each attendee to give the group a brief introduction noting

who they each are, where they're from, and a bit about their reason(s)

for participating in the working group.  Members expressed interests

both in sharing experiences from their own campuses (multiple

participants noted that their sites were already doing something with

respect to linking SSO systems locally) and in learning from other

sites' experiences.  Members mentioned a variety of SSO solutions as

relevant to their campuses -- Shibboleth, CAS, ADFS, AzureAD, and Okta

were all mentioned multiple times.


Rob then briefly reviewed the WG Charter


https://spaces.at.internet2.edu/display/TI/TI.163.1?preview=/219909804/219909816/LinkingSSOSystemsWorkingGroupCharter.pdf


with the group.  Points of note included:


     * The WG's charter focuses on addressing needs in the community

       associated with the demand for operating multiple SSO solutions

       (for various reasons) within single organizations, raising the

       question whether sites are really providing *single* sign on.


     * The WG is required to meet at least every other week, to accept

       members openly from throughout the community, and to publish its

       proceedings regularly.


     * The WG has no fixed lifetime -- it's suggested that the work may be

       completed in 3-6 months, but the charter is not time-bounded.


     * Deliverables include:


       + an accounting of common use cases for linking SSO systems together

       + enumeration of the advantages/disadvantages and risks/benefits of

         different strategies

       + recommended recipes for implementing common patterns for SSO system linking

       + gap analysis and recommendations (if needed) for adjustments to

         existing SSO system implementations to facilitate these recipes


The group then covered some initial ground rules for ongoing discussions.  Rob noted that

these were derived from the ground rules under which CACTI tries to operate:


      * Identify yourself when speaking (since we don't always recognize one another's

        voices, at least not yet)

      * Ask for and be prepared to provide clarification as needed.  Try to explain

        acronyms, etc. when they may not be well-understood by the whole group.

      * Be willing to disagree, but be respectful in your disagreements.

      * Disclose any conflicts of interest you may have during conversations.

      * Participate!


The ground rules were accepted by the group without dissent.


The group then moved to discussing mechanics for publishing notes from

meetings.


Rob outlined a few options for scribing approaches, and asked if the

group would be willing to have meetings recorded.  There was general

agreement that recording meetings would be acceptable *provided* the

recordings were never made public and were used solely to facilitate

note taking and correction.  Some reservations were expressed

regarding the possibility for recording to make people uncomfortable

about speaking, and it was noted that recording may or may not be

technically possible in all cases, given that the Internet2 Zoom

system may not be available for use by this WG.


Keith noted that TAC has recently had success with a model wherein

the group calls for two volunteers to scribe each meeting. The scribes

are responsible for taking notes for one another when they're

speaking, helping to ensure good note coverage.


Rob noted that CACTI uses a policy wherein notes are published once

four approvals have been proffered by members, but said that this WG

could go so far as to require approvals from every member, or to

simply give participants a time limit for redacting/correcting notes

before they're published.


It was generally agreed that the WG will operate under a policy of

requiring four attendees to approve notes from a given meeting

before publication, but that notes will be published no sooner than

three business days after they're offered for review.


Discussion moved to the selection of chair(s) for the WG.  It was

noted that there's good reason to hope for more than one chair

(either two co-chairs or a chair and vice-chair). This, Keith noted,

has worked well in other working groups and addresses cases when one

chair may be unable to make a meeting, as well as allowing the

chairs to share the workload.


Rob noted that there is a document outlining the responsibilities

(officially) of WG chairs


https://spaces.at.internet2.edu/display/TI/Guidelines+for+Trust+and+Identity+Working+Group+Chairs+and+Flywheels


and that Internet2 will likely not provide a flywheel for this WG

(which means the group itself will be responsible for its own

operation).  The chair(s) essentially act as the strategic leaders

for the group, overseeing the group's progress toward meeting the

goals set out in the charter, convening and facilitating meetings,

producing and managing agendas for meetings, and acting as a contact

point for the group with Internet2, CACTI (as the group sponsor), and

the community.


There being only 5 minutes left in the hour, Rob suggested that members

send their chair nominations (including self nominations) to him, and

asked that the group respond with nominations by the end of this week

(COB Friday, 8-April-2022).  Rob agreed to collate nominations and send

out a ballot next week, with an eye toward getting chair(s) elected in

time for the next meeting.  The group generally agreed to this, and

Rob noted that the next meeting will either be convened and facilitated

by the new chair(s) (if they're selected in time) or by him (to introduce

the chairs for the next meeting).


The meeting adjourned slightly late (around 3:04 PM ET).


The next scheduled meeting will be from 2-3 PM ET (18:00-19:00 UTC)

on Wednesday, 20-April-2022.  Invitations and Zoom coordinates will

be sent out in advance, based on chair decisions to be made

electronically before the next call.


==========


Highlights from the Zoom chat session during the meeting:


Brian noted during his introduction that he'd recently participated in a paper

at UW reviewing the various SSO solutions available, and noted that one of the

upshots of that was a sense that various commercial IDP solutions provide a lot

more capabilities / options than Shibboleth.  He provided two links -- one to a

presentation he gave on the topic:


https://youtu.be/C1T_Vk9oFJ0


at the Microsoft Higher Ed conference last year, and the slide

deck associated with the presentation:


https://staff.washington.edu/barkills/preferredIdpAad.pptx


and noted that UW's assessment scored Shibboleth lowest of the

IDPs in its evaluation on support for OAuth, SCIM, centralized

policy control/access revocation for external users, and "security"

(defined as JIT detection of risky user activity, fraud detection,

etc.)


Etan noted that Johns Hopkins has recently retired their ADFS

environment.  Brian noted UW did so a couple months earlier.


Michael noted that some Cal State campuses are going in the

opposite direction due to InTune deployments' requiring

WS-Trust support.


Brian suggested that a core tension exists between defining

utility in terms of a unified sign-in UX and in terms of

enablement of capabilities, and proposed that arguments

for unified sign-ins are weak, because everyone uses lots of

different sign-in systems anyway, and because the primary

security concerns don't involve user confusion regarding

sign-in pages.


Steven noted that browser developers seem intent on making

web-based UIs look and feel *identical* in ways that make it

virtually impossible to establish trust with an end-user in a

given user interface (since they are largely indistinguishable).


Michael noted that we need to be careful not to let

recording calls make people less comfortable speaking up during

meetings.
