Attending: Rob Carter, Etan Weintraub, Brian Arkills, Jeremy Wilkerson, Marcus Mizushima, Jeffrey C (UCLA)

[Etan/Brian/Rob started off before more members joined reviewing the spreadsheet and addressing a question regarding whether a separate scenario should be broken out for "ADFS federated to Shib (without AAD)". It was agreed there's probably sufficient reason to add another row for that, based on a handful of mostly vendor-driven situations that may make ADFS a requirement for sites -- at least one Microsoft product still "requires" ADFS (and doesn't yet officially support integration directly with AAD), and there are third-party apps (Duke has a few) that stipulate they'll only integrate via SAML with an ADFS provider. Rob agreed to flesh out a row for that scenario.]

Etan: So this meeting, we're basically going over the key linked IDP scenarios document making sure we have someone assigned to each one, making sure we can easily discuss them (so we added a scenario id/number to the table to make them easier to identify)...

Etan: We still need someone to take responsibility for Scenario 7 (ADFS as login IDP with Shib proxying via the shib SAML proxy).

Marcus: No, we don't...

Brian: I don't recall where that one came from...

Rob: We may actually have brought it up as something we've all heard of other people doing...

Etan: Jeffrey -- you're not doing this are you?

Jeremy: No -- we have an integration with Okta in the medical center.

Etan: Does anyone object to marking this one that no one seems to be doing as something no one is doing currently?

Brian: Agreed -- and anyone who objects to it will have identified themselves as the responsible party.

Jeffrey C: Random question: Did this come from something Chris


Rob: Could well be... The ADFS Toolkit probably comes into play there (which is something Chris did a lot of work on).

Etan: So we have everything assigned. Rob is going to create a new row for ADFS using Shib as the login IDP (without AAD in the picture) -- relevant to use cases for third-party apps that depend on ADFS


Etan: Beyond just putting this together, what do we need to do as a working group? We decided we wouldn't go so far as to do actual recommendations or rankings -- in fact, we'll remove the scenario IDs before publishing this, so it doesn't appear to be a ranking (which it isn't). I think it probably should be sorted by linked IDP and then by login IDP (since that's probably the way folks will search for entries). If

Brian: I don't think we want to get into the details of implementing these strategies

Jeffrey C: Agreed -- we could have vendors change things out.

Brian: Can someone talk to Chris Phillips about getting hold of his


Rob: I'll check with Chris -- I have him in a meeting later this week,


Etan: I'll send something out to the mailing list about our finalizing this at the next meeting, and going forward with the document.

Rob: I think we might want to add a bit of text on top of the spreadsheet -- background and some material about our general conversations on the topic... Procedurally, the output from this WG doesn't get published directly -- it needs to go to CACTI first, for review/approval... I can facilitate getting things into the CACTI agenda (CACTI meets on the Tuesday mornings between this group's meetings, so we can get anything you need on the CACTI agenda for the following week).

Etan: We can try to finalize this at the next meeting, then send it to CACTI the following week and review CACTI's response the following week, and then hopefully go to publication with it by September.

Etan: We also need approvals for the notes from previous meetings -- they've been posted for long enough at this point to be public, but we need enough approvals (either 3 or 4), and the pending notes only have 2 at this point. With one additional approval (from Brian) we can move all these forward -- Rob, can you move them to public space?

Rob: Will do.

Etan: Who wants to reach out to Majeed about the overlap between #2 and #8... Brian, were you going to touch base with him about that?

Brian: Yeah.

Etan: We just need to figure out if there's enough difference that these two should be separate or not.

Rob: It may be that we can merge the two and add a rider to one to explain the selective MFA process.

Etan: Then I'll start up an overarching cover document and send it over to Brian to kick around before we get it finalized. Rob's going to ask Chris Phillips about his stuff, Brian will talk to Majeed, and Rob will fill in his row and add another row for his use case.

Adjourned:  14:32
