Draft Minutes Assurance Implementers Call 4-Sept-2013
Ann West, InCommon/Internet2
Mary Dunker, Virginia Tech
Karen Harrington, Virginia Tech
Steve Devoti, University of Wisc.
Dave Langenberg, U. Chicago
David Walker, Independent
Mark Rank, UCSF
Kevin Dale, UCSF
Marlena Erdos, Harvard
Brett Bieber, Univ. of Nebraska, Lincoln
Jeff Capehart, University of Florida
Emily Eisbruch, Internet2, scribe
Shib IdP Enhancements Progress
David Walker reported that Paul Hethmon has been making good progress on the Shib IdP Enhancements work. Progress can be reviewed at: https://spaces.at.internet2.edu/display/InCAssurance/Shibboleth+Enhancements+-+Project+Status
Paul expects to finish coding in a week or two. The campuses who agreed to do testing will then start the testing process. Hope to have some test reports to share on the next call.
Assurance Advisory Committee Update
Mary Dunker reported that Ann West was involved in a call with the FCCX (Federal Cloud Credential Exchange). FCCX is a gateway providing translation service between federated FICAM-approved IdPs (using OpenID and SAML2) and federal agencies. FCCX plans to work with the VA and with NIST. Virginia Tech will most likely be involved in testing the gateway in the future. Ann will be organizing another call with FCCX to share more information. The AAC and InCommon will most likely suggest some agencies that we think are important for FCCX to work with, such as Dept. of Education, Dept of Energy, NIH, and NSF. Ann hopes to get FCCX to do a webinar for the community. FCCX hopes to be in production in January 2014.
Cloud Security Controls Matrix
The AAC had a call during August with Bob Brammer of the Internet2 Net+ Cloud Security Initiative. This initiative was launched to develop cloud security guidance that could be consistently applied to meet the needs of higher ed. The Net+ Cloud Security Initiative formed an alliance with the Cloud Security Alliance (CSA), a consortium of 150 largely corporate members https://cloudsecurityalliance.org . The Net+ Cloud Security Initiative is working on a cloud security controls matrix, customizing a matrix originally developed by CSA. The Net+ Cloud Security Initiative wants the AAC to help provide an identity management perspective to be explicitly covered in the controls matrix. The AAC will be scheduling another call with Bob Brammer and may be soliciting input from the community.
The AAC has some terms expiring, and will be looking for some community members to join the AAC. Stay tuned for an email from Ann on this topic.
Counting Failed Login Attempts
Information on the Counting Failed Login Attempts work is found at https://spaces.at.internet2.edu/display/InCAssurance/Failed+Authentication+Counter+Strawman
Brett reported that University of Nebraska has a working proof of concept that's collecting the authentication failures, using Splunk as the aggregator.
They are working on excluding the authentication attempts for invalid account names. Good progress is being made.
Q: Do you have metrics on how much data you are collecting?
A: About 10 gig of data during the past month. But one single user has 6 million failure events.
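To make the kind of counter Brett describes concrete, here is an added example (not Nebraska's proof of concept and not Splunk code) that parses authentication events, drops failures for account names that do not exist in the directory, totals the remaining failures per user, and also reports the largest number of failures any user had inside a rolling time window, which goes slightly beyond the per-month total quoted above. The log line format, the account list and the thresholds are constructed assumptions, not a real IdP audit format.

```python
"""Failed-authentication counter over constructed IdP log lines.

Added example; the single-line event format below is constructed for
illustration and is not the Shibboleth audit log format.
"""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed sample events: timestamp, outcome, principal, client address.
SAMPLE_LOG = """\
2013-09-04T08:00:01Z AUTH_FAIL user=alice ip=10.0.0.5
2013-09-04T08:00:09Z AUTH_FAIL user=alice ip=10.0.0.5
2013-09-04T08:00:15Z AUTH_OK   user=alice ip=10.0.0.5
2013-09-04T08:01:00Z AUTH_FAIL user=bob ip=10.0.0.6
2013-09-04T08:01:30Z AUTH_FAIL user=admin ip=198.51.100.7
2013-09-04T08:01:31Z AUTH_FAIL user=root ip=198.51.100.7
2013-09-04T08:02:00Z AUTH_FAIL user=bob ip=10.0.0.6
2013-09-04T08:02:05Z AUTH_FAIL user=bob ip=10.0.0.6
2013-09-04T08:02:10Z AUTH_FAIL user=bob ip=10.0.0.6
2013-09-04T08:02:15Z AUTH_FAIL user=bob ip=10.0.0.6
2013-09-04T08:03:00Z AUTH_FAIL user=bob ip=10.0.0.6
"""

# Constructed stand-in for the directory of valid account names; failures
# against names not in this set are excluded from the per-user counts.
KNOWN_ACCOUNTS = {"alice", "bob", "carol"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<outcome>AUTH_\w+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one event line; return a dict, or None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "ip": m["ip"],
    }


def failure_events(log_text):
    """Yield parsed AUTH_FAIL events, skipping lines that do not parse."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev["outcome"] == "AUTH_FAIL":
            yield ev


def count_failures(log_text, known_accounts):
    """Return (failures per known user, number of failures for unknown names)."""
    per_user = Counter()
    unknown_name_failures = 0
    for ev in failure_events(log_text):
        if ev["user"] not in known_accounts:
            unknown_name_failures += 1  # invalid account name: excluded
            continue
        per_user[ev["user"]] += 1
    return per_user, unknown_name_failures


def users_over_threshold(per_user, threshold):
    """Users whose total failure count is at or above the threshold."""
    return sorted(u for u, n in per_user.items() if n >= threshold)


def max_failures_in_window(log_text, user, window_seconds):
    """Largest number of failures for `user` within any rolling window.

    A window starting at failure i covers timestamps in [t_i, t_i + window).
    """
    times = sorted(ev["ts"] for ev in failure_events(log_text) if ev["user"] == user)
    window = timedelta(seconds=window_seconds)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    totals, excluded = count_failures(SAMPLE_LOG, KNOWN_ACCOUNTS)
    print("failures per user:", dict(totals))
    print("failures for unknown names (excluded):", excluded)
    print("users at/over 5 failures:", users_over_threshold(totals, 5))
    print("bob, max failures in any 60 s window:",
          max_failures_in_window(SAMPLE_LOG, "bob", 60))
```

Excluding unknown account names before counting keeps noise from scanning (the `admin`/`root` lines above) out of per-user totals, while the rolling-window count is the figure a guessing-limit requirement actually cares about; a single account generating millions of failures, as in the answer above, would show up in both.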
AD Assurance Update http://bit.ly/14CPlPu
Ann reported that the AD Assurance Group is finishing up the next iteration of the AD Cookbook. There is a plan to verify some interpretations of the assurance spec with the AAC.
Hope to be ready to talk about the next iteration of the cookbook for the October Assurance Implementers call.
Jeff noted that there is a difference between the IDP and the IDP operator (IDPO) and this is an important distinction.
Mary suggested it can be helpful to review the diagram in the Framework (IAAF), page 4: https://spaces.at.internet2.edu/download/attachments/9185/IAAF-V1.2-Feb2013.pdf?version=2&modificationDate=1361200017172
Bronze Cohort Plan
Ann is working on spinning up a Bronze Cohort group in which campuses can assist each other in reading the spec.
CommIT Project and Possible Digital Notary Service
CommIT is a project to streamline identity management in the college admissions process for K-12 students.
CommIT is looking for pilot schools. See details on the wiki: https://spaces.at.internet2.edu/display/InCAdmissions/Home
In addition, as part of Phase 2 of the CommIT project, there may be an effort to spin up a digital notary service for the CommIT credential.
Currently in the drafting stage.
Could eventually fit in with federal agencies and provide an LOA2.
Ann reported that the InCommon TAC is investigating the SHA-256 issue. There are 3-4 campuses doing testing.
Round Robin on Assurance Work Status
U. Chicago – audit is ongoing
Harvard – awareness of assurance is building
U. Wisc.-Madison – some resource issues, though compliance is around 80%
UCSF – there is talk about assurance among the UC Trust Federation
Nebraska – goal is to be bronze ready soon, working on management assertions for Bronze, counting failed authentication attempts is part of that.
There is a small group in the CIC talking about a CIC Bronze Initiative.
It may make sense to join the CIC work with the Bronze Cohort Group that Ann is spinning up.
Virginia Tech – Have started the 1.2 documentation. Hope to submit alternative means for 1.2 soon.
Goal is to finish by end of year.