Report out of the Breakout Sessions
OSS IDM
- Reference implementations valuable
- Oracle changed direction, SW free again?
- Next steps:
- put together a sw registry with functions and portability
- form group to talk about Sun/Oracle
- form group to work on protocol specs
- look at marketing of Open Source IdM suite
- look at the services catalog for IAM and see how it maps to needs
- design/architecture documentation -- look at mechanisms by which the various components interconnect (e.g. via framework)
- compile best practices to be included in a reference implementation
SPs and App Developers
- best practices would be valuable to document: how to make your app federation-ready (provisioning is included)
- attribute creation and management
- coding for SP options, if available
- representing permissions for access control
- scaling advice
- standardized method of getting federation metadata would be useful
- don't persist anything you can get in an assertion unless you have a justifiable requirement
- Perhaps an InCommon or MACE working group, or even REFEDS, to work on documenting this...
- federations having problems in ad hoc environments, how to handle different ARPs?
- introduction problem, how to get into a collaborative environment
- Next Steps:
- Assemble volunteers to help with preparation of best practices documentation, including potentially Educause and OCLC, including both IdPs and SPs
- Work with international partners, since adoption is becoming so widespread...
- Scott will likely start by fleshing out the skeleton to kick this off, and reach out to specific people for contributions
- InCommon should define extensions for things like uApprove
IdM Project/Process Mgmt.
- Agile dev is being used in some schools, but some of its principles don't work well in the middleware context, e.g. frequent customer review of deliverables
- No Next Steps identified...
Loosely affiliated populations
- more of a groups and LoA issue, based on a user's attributes... is it time to approach the testing boards, to run an IdP for applicants?
LoA
- no good way to do a risk assessment
- password entropy tool issues
- SAML AuthN context - not widely used?
- will be used to express InCommon Silver Profile
- RP specific
- a particular authN event may be associated with more than one profile...
- Is scope the right thing to look at? What about one domain mapped to more than one IdP?
- Next Steps:
- LoA and identity assurance profiles are very different, and thus there needs to be distinction/clarification
- Assemble list of schools using LoA with e.g. NIH
- Revisit requirements for Silver, with an eye toward whether they are set too high for higher-ed
- define what types of services might require higher LoA, and listing them
- need risk assessment and better entropy tools
- develop best practices for recredentialing, e.g. auditing challenge/response questions
- define a subset of groups working on authn context to work with NIH
Grids & non-browser apps
- perhaps X.509 deserves more investigation and debate?
- Next Steps:
- support Eduroam (killer app), need national scale infrastructure
- make progress on DNS to IdP mappings, for DNS-based discovery
- Follow work in IETF on SASL and federated login
- encourage work on non-browser clients by creating a wiki space to host student projects...
Kuali Id. Mgmt. (KIM)
- Next Steps:
- Revisit defining a standard API for groups
- get Kuali governance to affirm direction for KIM, e.g. will it be a full IdM suite? Or be portable? Or support another group to make it portable?
- get Kuali more involved in the Educause IdM CG list, for increased mutual awareness
Social Networking
- some schools looking at using it internally, others looking at developing an external presence, e.g. on Facebook
- raises privacy issues
- InCommon interoperability with common social networks: of interest to the majority of the community? If so, better to enable it the right way
- Next Steps:
- assemble a group to think about working with Google, Facebook, and Twitter
- encourage more attendance at IIW to interact with them
- encourage wider use of OpenSocial, and further development of relevant gadgets
Groups
- Next Steps:
- investigate federated external groups in COmanage
- Google-Grouper connector - help with development?
- work on sharing GoogleDocs with external users
OpenRegistry
- No Next Steps identified
IAM Governance
- Next Steps:
- compile best practices, e.g. the way processes ought to work
- case studies of working governance groups - what they have taken on and how they function
- enable communication between interested users
- Look at the Penn State documentation
SPML
- Next Steps:
- UNC is working on this, and will document on a wiki page and dedicated mailing lists