Attending
Members
- Chris Phillips, CANARIE (chair)
- Marina Adomeit, GEANT
- Tom Barton, U. Chicago
- Nathan Dors, U Washington
- Karen Herrington, Virginia Tech
- Todd Higgins, Franklin & Marshall College
- Christos Kanellopoulos, GEANT
- Les LaCroix, Carleton College
Internet2
- Steve Zoppi
- Emily Eisbruch
Regrets
- Warren Anderson, University of Wisconsin-Milwaukee /LIGO
- Rob Carter, Duke
- Jill Gemmill, Clemson
- Tom Jordan, U Wisc - Madison
- Kevin Morooney, Internet2
- Ann West, Internet2
New Action Items
[AI] (Christos) Email CACTI with the name of the open AARC list looking at scalability of the trust network, etc. (DONE)
[AI] (ChrisP) Follow up with Les and Christos on next steps for the URN / OID registry.
DISCUSSION
CACTI membership
- Welcome to new CACTI member Marina Adomeit
eduTEAMS
- Christos is the service owner of eduTEAMS
- eduTEAMS has a long history; it started as a number of individual components for scientific use cases, now integrated into one bundle
- Wide target audience within research space
- Long-term plans include expanding beyond just research space to broader campus space
- May discuss eduTEAMS more on a future CACTI call, hopefully when KevinM and Klaas can be present on the call
eduPerson Transition to REFEDs
MACE URN OID Transition: https://spaces.at.internet2.edu/x/Sgi6Bw
- Les reviewed the registries transition.
- URN and OID are low use items
- URN registry delegated to other institutions
- It is a service that Internet2 currently recommends not using
- Les recommends looking at discontinuing the URN service for new URNs
- In GEANT there is a new interest in URNs
- With a URL, it’s expected you can click on it and get something; this expectation does not exist for URNs
- One advantage of URLs over URNs is that with a URL you don’t need to update contact info in a place you don’t own
- URLs are good for entityIDs but not for all use cases
- It was suggested that we should maintain the URN service even if not used much
- For a central registry there must be authority and vetting
- Current process when a new URN is requested: people make a judgment call on
  1) whether the requesting institution is part of Higher Ed, and
  2) whether the person requesting has authority to request on behalf of the institution
- TomB offers to be the initial intake person for CACTI
- Q: Would MACE registry be source of URNs for GEANT’s use?
- A: They mostly use the GÉANT URN namespace https://wiki.geant.org/display/URN/URN+Home
- Les recommends stronger language on the web page to recommend URLs over URNs
- The current web page language is linked above
- TomB: the more we operationalize delegation, the more URNs will have usage
- Agreed that we should maintain the URN service for existing entities, but no consensus beyond that
- [AI] (ChrisP) Follow up with Les and Christos on next steps for the URN / OID registry.
- Thanks to Les for the research and recommendations
Emerging Federated ID Challenges with Cloud Stories
- Azure, multilateral trust with federated ID, and eduroam
- Google Apps for Education, AWS IdM: distant #2, #3?
- Q: Is there a recommendation that Internet2/InCommon/others have? Is this topic in harmony with current activities?
- ChrisP shared an email with one site’s perspective on moving to the cloud
- CAS as a component for single sign-on, but then security concerns arose
- Nathan shared via email a diagram from IDP governance discussion
- Governance decision is important
- The example Nathan shared centered on a decision to use OAuth
- Can be complicated and messy
- TomB: Global R&E Federated Access Ecosystem
- Maintain research networks and research federations,
- Must be inclusive
- Use proxies
- What about using Shib IdP in Azure as the proxy?
- SATOSA is the solution being used
- Christos: moving in the direction of using a proxy and linked proxies, which allows communities to use whatever software while providing integration and interfaces; connecting protocols; offering a connector service; eduGAIN as a trust network. Looking at putting IdPs in eduGAIN as the trust network.
- Discussion within the AARC project, looking at scalability and issues coming up from real deployments
- [AI] (Christos) Email CACTI with the name of the open AARC list looking at scalability of the trust network, etc. (DONE)
- Les: as a small-school IdP operator, using Shib for web SSO, which delegates to AD.
- It is a kind of proxy. Using Azure and Google federated with Shib; different services tap in.
- Will also put some in the cloud, primarily for redundancy. Likes the diagram Nathan shared. Not sure of the best solution.
- Nathan: the OIDC Deployment Working Group has a few more calls this year, developing the plan for 2019.
- May recharter, reduce the scope, and create practical deployment guides for using the GEANT extension, SATOSA, or a proxy.
- Deployment guides could include patterns of deployment in the cloud.
Reports from the Field
2019 Internet2 Global Summit in DC
Parking lot: Suggestions from Oct 30, 2018 CACTI call
- Ask RolandH to give CACTI a talk on the direction of OIDC and SAML as an informational session.
- Perhaps also Davide Vaghetti (GARR)
- Suggestion to put Nathan on CACTI Agenda to give info on OIDC
Next CACTI meeting Tuesday, Dec. 11, 2018