Minutes - May 21, 2020


Attending: Eric Goodman, Heather Flanagan, Matt Brookover, Keith Wessel, Mary McKee, Janemarie Duh, Mizuki Karasawa, Eric Kool-Brown, Matthew Economou

With: David Walker, Ian Young, Nick Roy, Albert Wu, Les LaCroix, David Bantz


Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.

Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.

Action Items

(AI) Albert Wu - put entity category and attribute release discussion on next call agenda

Federation manager release

InCommon operations released a major update to the Federation Manager last week. There were a couple of minor regressions, but overall everything went smoothly.

International Update

IDPro has been working on developing a higher education profile. That profile seeks to define and document which areas of IAM have aspects unique to higher education. Several members of CACTI are helping to brainstorm and figure out what needs to be on the list. There will be other profiles, including workforce/enterprise, consumer IAM, health care, and possibly others.

REFEDS has not made a determination yet on what we might do in place of this year’s face-to-face meetings, both of which are now cancelled. We do know that a full-day webinar won’t work, and we’re trying to decide if and how to conduct shorter sessions to help the community stay together.

SeamlessAccess Update

SeamlessAccess has several different areas of effort right now.

Contract Language Working Group - InCommon probably doesn't want to get involved with that directly, but it is a useful discussion to have: how do you get people to recognize an entity category, for example? A working group focused on getting these terms written into contracts is valuable because it motivates people to learn about the issue at hand.

What segment of R&S do we need to get ahead of next re: federated access?

This discussion kicked off with a summary of a question from Kevin Morooney, wondering what fall would look like on campus, and where the data (COVID-related) reside that would affect how schools make decisions. How will people manage access to that data? How do we get involved in those discussions to provide support?

Mary McKee - Duke has had conversations about survey tools related to reopening and COVID-19 tracking. The intention is to use Shibboleth to make sure the login experience is seamless and persistent. There is also discussion about using Grouper for managing target audiences.

Heather Flanagan - I wonder if we might be looking at disruption the wrong way. What are campus groups doing, like with WebAuthn or OAuth, that work around federation that will disrupt us? Do we need to decide how to evolve with that? WebAuthn is a big part of that - how will federations support that? What problems might people get into that they don't know about when they do device-based authorization models?

Eric Goodman - The people I talk to about federation are mostly worried about their role as an IdP rather than an SP. For the most part, there is only one central group that cares about discovery services. Even though UCLA has hundreds or thousands of applications, people all authenticate at the UCLA IdP. The focus also is on the business apps, and the federation part is there, but it tends to look more bilateral. I’ve been refused projects related to things like improving discovery services, because centrally it isn’t high priority.

Mary McKee - The challenge with federation, and IAM team structure in general, is that you need to make the "tragedy of the commons" case, where we are all stronger together and stronger with standards, and that there are problems with WebAuthn when it doesn't go through the central institutional hub. Duke has open-sourced its WebAuthn-to-Shibboleth code. We hope this will help get ahead of the problem and make sure people do this in a way that doesn't undercut. We need to make sure using the IdP is the easiest and best thing to happen.

Tim McGeary, the Duke librarian, is active in the SeamlessAccess Entity Categories and Attribute Bundles working group. He contends that the service provider must never directly ask a user for information: all user information must go through the campus, because the campus owns the relationship and the campus owns the data exchange. This was news to the publishers. Their perspective is that they have their own privacy policies, and if they are called to account they have to answer for them, so they believe they have to go to the user and ask for consent.

Mary McKee - Thinking in terms of supporting reopening efforts (COVID-19) is helping people understand the difference between a system of record and IDM systems. There is a need for a comprehensive inventory of the people at your organization. That’s easy for people to understand. They likely don't know that there is already infrastructure in place that has done the de-duping and normalizing of the data. We make the case to not do things piecemeal, but make sure anything we offer goes through these enterprise IAM teams. 

David Bantz - One challenge is the desire to have a “master control panel” where an institution can control all access from a single point. That's an attractive draw. But this is, in some ways, fundamentally at odds with federated access. Look at direct SSO access to academic journals or researchers finding resources. With federation, IT doesn’t have to do anything in terms of granting access. We facilitate that by having reliable trusted information about their affiliation. Some IT staff find this threatening. 

Nick Roy - Storytelling is how to solve that problem. Educating CIOs so they can talk to their staff about how you folks are facilitating the mission of the university by getting out of the way. But some IT staff have been told for years to be the gatekeeper; need to update that mindset.

Mary McKee - If this helps advance academia and we're not giving away anything proprietary or sensitive about the person, why should we be getting in the way? I'm curious about the entity categories discussions and would love if there were some entity categories like "give me if nothing sensitive is at stake."

(AI) Albert Wu - put entity category and attribute release discussion on next call agenda

Deployment Profile survey response

There was discussion about how to present the implementation profile and deployment profile to the community. Should InCommon publicize the profiles in their entirety and also provide general statements about how a participant should approach them? Should we provide guidance, such as translating the profiles into best practices, requirements, and/or recommendations? Perhaps also guidance on which statements will likely take longer to implement than others? The implementation profile, for example, is almost a perfect set of requirements for IdP as a Service: if you were starting today, these are the things you should do. If you are already in the federation, how do you maintain backward compatibility while moving to support these practices?

Communication is a key concern. People are unlikely to read a technical profile, so we need a way to give it to them in bite-sized chunks. We can provide the profile and talk about the various parts and suggest priorities. This will be a longer-term marketing/outreach campaign.

Albert's recommendation is to publicize our adoption of these two profiles and have a discussion about sequencing. Might portions of the profiles, for instance, lend themselves to badges (say for federation readiness, software deployment, etc.). Perhaps create a simple grading system to prioritize what we want people to implement first. 

TAC will continue to discuss the individual items from the survey, determine what will be involved with each and who will be tasked with action items. The discussion can include which to address first. The experience with Baseline Expectations provides a consensus-building process that we might leverage.

Next Meeting -  Thursday, June 4, 2020