Attending: Rob Carter, Etan Weintraub, Brian Arkills, Jeremy
Wilkerson, Marcus Mizushima, Jeffrey C (UCLA)
[Etan/Brian/Rob started off, before more members joined, by reviewing the
spreadsheet and addressing a question regarding whether a separate
scenario should be broken out for "ADFS federated to Shib (without
AAD)". It was agreed there's probably sufficient reason to add
another row for that, based on a handful of mostly vendor-driven
situations that may make ADFS a requirement for sites -- at least one
Microsoft product still "requires" ADFS (and doesn't yet officially
support integration directly with AAD), and there are third-party apps
(Duke has a few) that stipulate they'll only integrate via SAML with
an ADFS provider. Rob agreed to flesh out a row for that scenario.]
Etan: So this meeting, we're basically going over the key linked IDP
scenarios document making sure we have someone assigned to each one,
making sure we can easily discuss them (so we added a scenario
id/number to the table to make them easier to identify)...
Etan: We still need someone to take responsibility for Scenario 7 (ADFS
as login IDP with Shib proxying via the Shib SAML proxy).
Marcus: No, we don't...
Brian: I don't recall where that one came from...
Rob: We may actually have brought it up as something we've all heard
of other people doing...
Etan: Jeffrey -- you're not doing this are you?
Jeremy: No -- we have an integration with Okta in the medical center
Etan: Does anyone object to marking this one that no one seems to be
doing as something no one is doing currently?
Brian: Agreed -- and anyone who objects to it will have identified
themselves as the responsible party.
Jeffrey C: Random question: Did this come from something Chris
Rob: Could well be... The ADFS Toolkit probably comes into play there
(which is something Chris did a lot of work on).
Etan: So we have everything assigned. Rob is going to create a new
row for ADFS using Shib as the login IDP (without AAD in the picture)
-- relevant to use cases for third-party apps that depend on ADFS
Etan: Beyond just putting this together, what do we need to do as a
working group? We decided we wouldn't go so far as to do actual
recommendations or rankings -- in fact, we'll remove the scenario IDs
before publishing this, so it doesn't appear to be a ranking (which it
isn't). I think it probably should be sorted by linked IDP and then
by login IDP (since that's probably the way folks will search for
Brian: I don't think we want to get into the details of implementing
Jeffrey C: Agreed -- we could have vendors change things out.
Brian: Can someone talk to Chris Phillips about getting hold of his
Rob: I'll check with Chris -- I have him in a meeting later this week,
Etan: I'll send something out to the mailing list about our finalizing
this at the next meeting, and going forward with the document.
Rob: I think we might want to add a bit of text on top of the
spreadsheet -- background and some material about our general
conversations on the topic... Procedurally, the output from this WG
doesn't get published directly -- it needs to go to CACTI first, for
review/approval... I can facilitate getting things into the CACTI
agenda (CACTI meets on the Tuesday mornings between this group's
meetings, so we can get anything you need on the CACTI agenda for the
Etan: We can try to finalize this at the next meeting, then send it to
CACTI the following week and review CACTI's response the following
week, and then hopefully go to publication with it by September.
Etan: We also need approvals for the notes from previous meetings --
they've been posted for long enough at this point to be public, but we
need enough approvals (either 3 or 4), and the pending notes only have
2 at this point. With one additional approval (from Brian) we can
move all these forward -- Rob, can you move them to public space?
Rob: Will do.
Etan: Who wants to reach out to Majeed about the overlap between #2
and #8... Brian, were you going to touch base with him about that?
Etan: We just need to figure out if there's enough difference that
these two should be separate or not.
Rob: It may be that we can merge the two and add a rider to one to
explain the selective MFA process.
Etan: Then I'll start up an overarching cover document and send it
over to Brian to kick around before we get it finalized. Rob's going
to ask Chris Phillips about his stuff, Brian will talk to Majeed, and
Rob will fill in his row and add another row for his use case.