CTAB call Tuesday, April 6, 2021
Attending
- David Bantz, University of Alaska (chair)
- Brett Bieber, University of Nebraska (vice chair)
- Pål Axelsson, SUNET
- Tom Barton, University of Chicago and Internet2, ex-officio
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Meshna Koren, Elsevier
- Jon Miner, University of Wisc - Madison
- Andy Morgan, Oregon State University
- John Pfeifer, University of Maryland
- Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
- Chris Whalen, Research Data and Communication Technologies
- Jule Ziegler, Leibniz Supercomputing Centre
- Robert Zybeck, Portland Community College
- Johnny Lasker, Internet2
- Kevin Morooney, Internet2
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
Regrets
- Rachana Ananthakrishnan, Globus, University of Chicago
Discussion
- Intellectual Property reminder
- Agenda Bash
Updates from Federation Operators / BEv2
- Albert is updating Baseline Expectations wiki weekly, typically on a Monday
- https://spaces.at.internet2.edu/display/be
- As we send out email notices around BEv2, we see a surge of actions and activities in response
- This tapers off after about a week or two
- Sent another round of email notices today
- 17% of orgs meet BEv2, without endpoints being measured
- About half of entities have Error URLs
- This week we will start adding data from the endpoint scanning
- Criteria for measuring SSL/TLS scores evolve over time
- With SSL scores evolving, it's hard to know how long being in compliance will last
- Note that contact info can go stale (become inaccurate) over time also
- What's the best way to handle entities that don’t meet the “A” score in SSL/TLS testing?
- Went through requirements with developers this week
- There is a plan to add info to the Federation Manager dashboard to display whether an entity is in compliance with BEv2
- This will simplify email outreach, we can point to the dashboard
Updates from Kevin Morooney
- There was an Internet2 board meeting on Friday last week
- Kevin spoke about changes NIH is making and what InCommon is doing to facilitate those changes
- A board member brought up baseline expectations
- Kevin provides regular updates on CTAB’s work to Howard Pfeffer, Internet2 CEO
Working Group Updates
- Assured Access WG updates
- Assured Access Working Group wiki
- Progress is being made on Assured Access draft document
- Hope to finish draft within a few weeks
- Several CTAB members are participating
- Developing a great set of content for those who want to dig in
- A checklist might also be helpful
- Concrete recommendations for a campus
- Group discussed Identity assurance process that NIH needs
- There's a multi-step process
- Don’t get to NIST IAL 2 in a single step
- Kyle Lewis has made important contributions
- Chris W: Kyle also bringing helpful info back to the NIH team around identity assurance
- There’s been discussion of login.gov as the alternative
- However, login.gov is challenging for onboarding new users
- REFEDS assurance framework from an IDP is going to be much easier for scientists to use versus login.gov
- Hope to share the draft with the upcoming IAM Online
- REFEDS MFA subgroup updates
- REFEDS assurance group is spinning up a REFEDS MFA subgroup
- Time sensitive group
- Hope to get this moving by middle to end of May, to have recommendations in time for the new eRA requirements
- REFEDS R&S WG - Jule
- https://wiki.refeds.org/display/GROUPS/Entity+Categories+Development+Working+Group
- The eduPerson assurance attribute (eduPersonAssurance) will be included in the next version proposed for consultation
- InCommon Steering updates
- Kevin: InCommon Steering meets monthly.
- Met for two hours off cycle in January to do work plan for year
- Has decided to add a few more meetings
- Will focus on how we communicate the value of what we do in R&E Federation
- InCommon TAC Updates
- There have been Zoom certificate update discussions
- HECVAT (Higher Education Community Vendor Assessment Toolkit)
- https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
- Common software evaluation checklist; discussed ways of improving how it captures SAML compatibility
- Institutions share their assessments of vendors
- Making questions more specific and relevant
- There may be a subcommittee to work with HECVAT and propose changes
- Ongoing conversation around OIDC and the relevance of OIDC at Federation level
- R&S Focus Sub Group update
- The proposed new sub group is in the works
- Andy and Rachana chatted with Tom and Albert
- NIH community events
- April 1, 2021 - Office Hour
- There were 74 attendees
- We got to the end of the questions from attendees
- Questions like “I don’t have Shibboleth, what do I do?”
- What about Azure?
- Upcoming IAM Online Webinar https://incommon.org/academy/webinars/
National Institutes of Health and Identity Management Requirements
Wednesday, April 14, 2021 2 pm ET | 1 pm CT | Noon MT | 11 am PT
Discussion around NIH Requirements
- Shib 4.x SAML proxy has some ability to function as proxy and help Azure navigate MFA
- Does not solve problem of campuses that don’t agree to gateway product
- Should make it easier for orgs using ADFS or Azure
- REFEDS MFA subgroup work may also be helpful
- It makes sense to share what can and can’t be done, e.g. stay away from expressing preferences on what’s technically superior
- Baseline Expectations versus NIH requirements
- There's some confusion about Baseline versus NIH requirements
- Need clearer messaging
- Some early adopters are still using outdated approaches
- At webinar on April 14, there will be mention of baseline and also NIH work
- Perhaps use pyramid graphic Tom created comparing Baseline versus NIH
- Emphasize it’s a journey
- Albert: Baseline is foundational requirement for being part of InCommon Federation
- NIH requirements are not a federation ask; it’s an NIH ask, we don’t want to say that though, NIH requirements can grow larger than NIH
- Why not make NIH a new category? Have considered this
- It’s a matter of timing, right now NIH is asking for new requirements
- In the future, we can establish research collaboration standards
- That would take more time
- NIH pubmed just published new set of FAQs
- States that by June 2021 they will favor federated credentials
- If you have federated SSO it will work fine
- With Sept 2021 deadline from eRA, it’s not a cliff you fall off of; It’s a bump
- For an InCommon organization that’s not ready for Sept 2021, researchers use login.gov but then can migrate back to federated credentials
Updates on TLS Scoring (Office Hour prep)
- Scoring components and remediation table
- https://docs.google.com/spreadsheets/d/1mIIAjS7bpjKTuDDx9-vWIEKZwCnXXXyxgqj5LnS1yZk/edit#gid=0
- This table is to help people understand their SSL grade, how to remediate, and what the consequences are
- DECISION: Schedule BEv2 Office Hour at next scheduled CTAB call - Tuesday, April 20, 2021
- We will get news out in as many channels as possible
- Orchestrating communication
- clarify NIH vs BE vs R&S (2.0?) asks
- Community bandwidth to digest / do work
Next CTAB Call, Tues. April 20 will be converted to an open office hours call