Building Identity Trust Federations Conference Call

July 15, 1009

In attendance:
Rich Greenfield, University of Alaska
Charles Hedrick, Rutgers University
Chris Holsman, University of Wisconsin
Galvin Hogan, SUNY System Administration (presenter)
Matt Howard, eTech Ohio Commission
George Laskaris, NJEDge.Net (chair)
Bob Morgan, University of Washington and Internet2
Paul Schopis, Oarnet
Mark Sheible, North Carolina State University
Tim Poe, MCNC
Garret Sern, EDUCAUSE (scribe)
David Walker, University of California-Davis
Ann West, Internet2
Dean Woodbeck, Internet2

On this month's call, we heard about the developing efforts to build a system wide federation across the State Univeristy of New York.  Gavin Hogan from SUNY System Administation in Albany described the system's strategies and approaches as well as lessons learned in deploying a system-wide federation.

Strategies from SUNY (Slides)

Questions and Comments

Q. How do you plan on addressing the issue of auditing the way campuses are distributing the credentials?
A. Concept of having ID and access controlled on the campuses is something we're already doing, so no need to draft new policies to address this. However, we need a way to blackball ID's/users no longer associated with the campus or acting inappropriately. With limited employees, Gavin's group can't make this decision, rather campuses are better able.

Q. Any campus audit requirements?
A. Don't have a mechanism to audit at this time. Comes up in other critical ways at this time via other policies.

Q. How is Incommon establishing level of partnership?
A. The partner decides for themselves by applying for a particular level. Incommon won't be conducting audits, instead, relying on an independent auditor. Know the campuses are audited internally and by the state.

Q. Relationship with Oracle - what levels of assurance to you have they will maintain developments of Shibboleth?
A. They are committed to being standardized in this realm, but can't provide details due to NDA. They allow you to interplay with Java transaction;  ADIs are one example of evidence they will meet this commitment. They want to get into higher ed market and realize fed id management requires interplay. When they identify what is important to them, they dedicate the resources. OIF is meant to integrate with many access control engines.

Q. Anyone else with Oracle experience in this realm?
A. U of Wisconsin has had the same experience with Oracle Consulting and inching along with OIF. They are going to have to overcome some of the lack of the communication leading up to the project. Their experience with sales process has been more difficult than the actual consulting.

Q. Do you think you'll be taking this federation in the same direction as the Texas or California model?
A. Looking at closed federation for SUNY Universities, not exclusive to InCommon membership. Not seeing a telling reason to follow this approach, although senior management disagrees right now.

Q. Does SUNY have a document that illustrates how to create and run your own federation as best approach?
A. I don't think so, although it would make sense. There is room to make uninformed choices based on perceptions.  Add this to the list of marketing materials for InCommon. There is a key study from the University of California system that talks about what they did.

University of California can see moving away from UC trust and using InCommon Silver Identity Assurance Profile. A principle of UC Trust was not to replace anything InCommon can do for us.