CACTI Call July 7, 2020
Attending
Members
- Tom Jordan, University of Wisc - Madison (chair)
- Rob Carter, Duke
- Matthew Economou, InCommon TAC Representative to CACTI
- Michael Grady, Unicon
- Karen Herrington, Virginia Tech
- Les LaCroix, Carleton College
- Chris Phillips, CANARIE
- Bill Thompson, Lafayette College
Internet2
- Kevin Morooney
- Ann West
- Steve Zoppi
- Nick Roy
- Jessica Fink
- Emily Eisbruch
- Mike Zawacki
Regrets
- Jill Gemmill, Clemson (vice chair)
- Marina Adomeit, SUNET
- Nathan Dors, U Washington
- Margaret Cullen, Painless Security
- Christos Kanellopoulos, GEANT
Action Items from this call
- AI Jessica will share the glossary with CACTI when it’s ready. CACTI will discuss after BaseCAMP
Older Action item
- AI Jessica - help coordinate a quarterly update from CACTI to community on best practices, trends and directions (coordinate with other InCommon governance groups)
Intellectual Property reminder https://www.internet2.edu/policies/intellectual-property-framework/
DISCUSSION
Trust and Identity Glossary
- Jessica reported that with InCommon BaseCAMP coming up July 20-24, 2020, there is a need for an updated Trust and Identity Glossary, with common definitions for terms like IdP, SP, etc.
- There have been several glossaries developed over the years including:
- A new updated Trust and Identity Glossary is now being created
- Once developed the new glossary will need curation ongoing for consistency
- Would CACTI want to take charge of ongoing glossary curation?
- question: Where will this glossary live? Canvas? Google doc linked from Canvas? Wiki?
- answer: not sure yet, but it should be public for easy linking
- Suggestion to work with REFEDS on the glossary. Could help in connecting with IDPro and others
- It was noted that sometimes terminology is solution specific
- midPoint, Grouper, etc. may use terms differently (privileges, permissions, groups, roles, etc.)
- Makes most sense to produce an InCommon trust and identity glossary, and offer it to others
- Suggestion not to overthink this, scope the glossary to the BaseCAMP audience
- Perhaps assign an editor so there will be a person moderating
- AI Jessica will share the glossary with CACTI when it’s ready. CACTI will discuss after BaseCAMP
Update on IDPro Academic Profile work
- ChrisP: Heather Flanagan has added a section in the IDPro Body of Knowledge for Academic IAM
- https://github.com/IDPros/bok-toc/commit/e353c765e409b0b63e5a1774df7a1965f4313a9f
- Creating top level categories
- Need to determine what is meaningful to add
- Nick suggested focus on research identity (FIM4R)
- Any effort we apply to the IDPro effort will nudge things in the favor of Higher Ed
- Positive efforts but the road is long
- It was noted that Keith Hazelton is arranging a meeting around branding for Trusted Access Platform components, to address negative connotations that may exist in some quarters around adopting open source software
Packaging - CACTI / Component architects discussion on community requirements for packaging
Review of updated HE registry-aaS prospectus and next steps
- Following up on May 26, 2020 discussion with UCSD. See CACTI Public Meeting Notes of 26-May-2020
- TomJ has revised the HE registry-aaS prospectus document.
- How much is viable for US Higher Ed to do in the registry area without the framework that exists in Europe?
- Which parts can we tackle and which parts might be outside of our power?
- Identity registry for Higher Ed, can we pull this off?
- It was noted that all HE institutions have developed some identity registry inside their own spaces
- Question: what is so different / harder about a cross institutional registry?
- Comment: it’s a technical challenge and there are regulatory issues
- New legal agreement will be required for InCommon
- Europe has general citizen registry
- There are many pieces we must fill in
- Comment: future would be fraught with state level changes in privacy laws
- Les and Bill: Don’t think a cross institutional registry is feasible without significant and sustained top-down priority and funding at the national level.
- Needs serious top down priority and funding
- Outsourcing identity proofing and authentication could be a viable service in our current context.
- Yet it's a big lift given technical challenges and existing solutions at each institution
- Question: Is there a partner to engage to navigate the bigger project?
- It was noted that partnering with the federal government can lead to different priorities under new administrations
- For identity proofing and authentication, we can look at hosting COmanage and CILogon as examples
- Around authentication and identity proofing, there are questions of how to track it; need references to documents; the devil is in the details
- For authentication, aspects that are federation specific but challenging to support
- Issues with implementing SAML
- Integration of Microsoft-based campuses is a challenge
- ADFS orgs cannot fully participate in federation without local modifications
- Difficult for the long tail, the group we want to attract to federation
- Suggestion that we should focus on offering services like those that proxies offer for SPs, but we might do it for IdPs
- We would contract with vendors to do the needed customization (filters, identifiers)
- This project is better “low hanging fruit”
- Each state has some different requirements
- Having something central provides standards
- Suggestion that we should focus on standards for deep and broad interoperability
- let regionals run the infrastructure to help conform to state level policies and laws
- Distributed ORCID ID
- Operating with common standards and practices
- Work for broad adoption
- The eduroam program hints that this is needed at the state level for K-12 eduroam
- Is there a business proposition at the state level?
- Suggestion to be more participatory in the ORCID space
- ORCID already has the framework
- Comment: ORCID is a player but different from what we are talking about
- It was noted that if the framework is operated at a state level, it will be necessary to handle individuals operating in multiple states
- Matching and match algorithms will be important
- Operating a service like this is a big deal, there is crush traffic on certain days
- Verification step-up service experience showed a separate federation may be needed
- Subscriptions needed apart from InCommon membership
- How much of what UCSD requested could we achieve through identity cross-matching? Use a persistent identifier; less operational lift; more driven by the user, who would provide info to help with linking two or more identities
- There is the challenge of identity assurance in places where you can’t get strong legal findings to link identities.
- 25 years ago looked at directory synchronization issues.
- Attribute authority interface.
- Build tooling that lets organizations pull info about users.
- Develop interface standard.
- Here’s how we agree to format this data.
- Agree to export data in a certain format. That might be enough
- HIPAA-like approach, make the collaboration easier
- Ann: question of what we are not doing
- Internet2 is a community asset
- Helps the community do things that are tough to do alone
- Is this the right thing to be doing?
- Suggestion that we should be looking at user interfaces
- User enrollment is hard
- Perhaps do a user interface analysis?
- Focus on the UX issue versus the data sharing
- Making the enrollment process better for scientific collaborations
- Getting users onboarded in a better way
- Concern about phishing users, need to get identifiers
- Should be simple to email someone to get them registered
- Scientists should be able to kick off the enrollment flow
- NEXT STEPS
- Look at the original problems from UCSD
- clarify the problem we are trying to solve
Parking Lot
- (From June 9, 2020 call) TomJ - Add as an agenda item for a future CACTI call: Operationalizing containers
Next CACTI Meeting: Tuesday, July 21st, 2020