27-Nov-2018

Attending

 Members

• Chris Phillips, CANARIE  (chair)  
• Marina Adomeit, GEANT 
• Tom Barton, U. Chicago   
• Nathan Dors, U Washington,    
• Karen Herrington, Virginia Tech     
• Todd Higgins, Franklin & Marshall College   
• Christos Kanellopoulos, GEANT   
• Les LaCroix, Carleton College  

Internet2 

• Steve Zoppi   
• Emily Eisbruch   

Regrets

• Warren Anderson, University of Wisconsin-Milwaukee /LIGO 
• Rob Carter, Duke  
• Jill Gemmill, Clemson  
• Tom Jordan, U Wisc - Madison 
• Kevin Morooney , Internet2
• Ann West, Internet2 

 New Action Item

{AI] (Christos) email CACTI with the name of the open AARC list looking at  scalability of trust network, etc.   (DONE)

[AI] (ChrisP) follow up with Les and Christos on next steps for URN / OID registry.

DISCUSSION

CACTI membership

• Welcome to new CACTI member Marina Adomeit  
  • Marina works for academic network of Serbia
    
  • Leading Trust and Identity services activity in GEANT
    
    • This will include development of Trust and Identity services
      
  • Hope to inform roadmaps for Internet2 and GEANT
    
  • Currently in planning period
    
  • Project phase divided into development and operations 

  •  CACTI hopes to feed input into 2019 planning process for Internet2 and GEANT.

  •  Kickoff for project planning in GEANT is in Jan. 2019

eduTEAMs  

• • Christos is the service owner of eduTEAMS
    
    • https://www.geant.org/Innovation/eduteams 
      
    • https://wiki.geant.org/display/eduTEAMS/What+is+eduTEAMS 
      
    •  eduTEAMS demo service     https://wiki.geant.org/display/eduTEAMS/Demo+Service
  • eduTEAMS has long history;  it was a number of individual components for scientific use cases: now integrated into one bundle
    
  • Wide target audience within research space
    
  • Long-term plans include expanding beyond just research space to broader campus space 
    
  • May discuss eduTEAMS more on  a future CACTI call, hopefully when KevinM and Klaas can be present on the call

eduPerson Transition to REFEDs 

• • Progressing: new list schema-discuss@lists.refeds.org & governance model recommendation @ REFEDS  below 
    
    • • Can suggests amendments
        
      • Consultation until Dec 10, 2018 https://wiki.refeds.org/display/STAN/Schema 
        

MACE URN OID Transition: https://spaces.at.internet2.edu/x/Sgi6Bw 

• • Les reviewed the registries transition.
  • URN and OID are low use items
  • Some use by TIER
    
  • URN registry delegated to other institutions
  • Service that Internet2 recommends not using 
    • https://www.internet2.edu/products-services/trust-identity/mace-registries/#service-faq
  • Les recommends looking at discontinuing the URN service for new URNs
  •  In GEANT there is a new interest in URNs
    
  • • AARC recommended URNs for groups   
      
    • https://aarc-project.eu/wp-content/uploads/2017/11/AARC-JRA1.4A-201710.pdf
    • ChrisP: Have seen URNs in eduperson entitlements 
• With URL, it’s expected  you can click on it and  get something… this issue does not exist for URNs
  
• One advantage of URL versus URN is with URL, you don’t need to update contact info in a place you don’t own
  
• URLs are good for entityIDs but not for all use cases
  
• It was suggested that  we should maintain the URN service even if not used much
• For a central registry there must be authority and vetting
• Current process when a new URN is requested: people make a judgment call on 
  • 1) if the requester institution is part of Higher Ed and
  •  2) if the person requesting has authority to request for the institution 
    
  • TomB offers to be the initial intake person for CACTI
    
  
  
• Q: Would MACE registry be source of URNs for GEANT’s use?
•  A: They mostly use the GÉANT URN namespace https://wiki.geant.org/display/URN/URN+Home 
  
  
• Les recommends stronger language on the web page to recommend URLs over URNs
  
•  Current language is here
  • https://www.internet2.edu/products-services/trust-identity/mace-registries/#service-faq
  
  
• TomB: the more we operationalize delegation, the more URNs will have usage
• Agreed that we should  maintain the URN service for existing entities, but no consensus beyond that
  
• [AI}ChrisP will follow up with Les and Christos on next steps for URN / OID registry.
  
• Thanks to Les for the research and recommendations

Emerging Federated Id Challenges with cloud stories  

1. •  Azure, Multilateral trust with federated id, and eduroam
     
   • Google apps for education, AWS IDM - distant #2, #3?
     
   • Q: Is there a recommendation that Internet2/InCommon/others have? Is this topic in harmony with current activities?
     
   • ChrisP shared an email with one site’s perspective on moving to the cloud
     
   • CAS as a component for single sign-on, but then security concerns arose
     
   • Nathan shared via email a diagram from IDP governance discussion 
     
   • Governance decision is important
     
   • Example Nathan shared centered on decision to use OAUTH
     
   • Can be complicated and messy
     
   • TomB: Global R&E Federated Access Ecosystem
     
   • Maintain research networks and research  federations, 
     
   • Must be inclusive 
     
   • Use proxies
     
   • What about using Shib IdP in Azure as the proxy?
   1. • Setosa is the solution being used
   • Christos: moving in direction of using proxy and linked proxies, allows communities to use whatever software, but providing integration and interfaces. Connecting protocols.  Offering connector service. eduGAIN as a trust network.  Looking at putting IDPs in eduGAIN as the trust network.
     
     • Discussion within AARC project . Looking a scalability, and issues coming up from real deployments
       
     •  {AI] (Christos) email CACTI with the name of the open AARC list looking at  scalability of trust network, etc.   (DONE)
       
   • Les: as a small school IDP operator, using Shib for Web SSO, delegates to AD.
     • •  It is a kind of proxy . Using Azure and Google federated with Shib. Different services tap in.  
       • Will also put some in cloud, primarily for redundancy. Like the diagram Nathan shared. Not sure the best solution
         
   • Nathan:  the OIDC Deployment Working Group has a few  more calls this year, developing the plan for 2019.  
     • • May recharter and reduce the scope and create practical deployment guides for using the GEANT extension or using Setosa or a proxy.  
       • Deployment guides could include patterns of deployment in the cloud. 
         
     
     

Reports from the Field  

• • • NSF and Internet2 to explore cloud computing to accelerate science frontiers: https://nsf.gov/news/news_summ.jsp?cntn_id=297193 
      
      • Q: Is there a role for CACTI to support this activity?
        
    • FIM4R - a bit of a hiatus during Thanksgiving week – resuming this week.
      
    • OIDC - Nov 19 kickoff meeting held: https://openid.net/wg/rande/ 
      
      

 2019 Internet2 Global Summit in DC

• March 5-8, 2019 in DC https://meetings.internet2.edu/2019-global-summit/ 
  
• How many CACTI members will be attending? ChrisP not attending.
  Decision: Likely no CACTI meeting at Global Summit 2019
  

Parking lot: Suggestions from Oct 30, 2018  CACTI  call

• • ask RolandH to give CACTI a talk on direction of OIDC and SAML as an informational session. 
    
  • Perhaps also Davide Vaghetti (GARR) 
    
  • Suggestion to put Nathan on CACTI Agenda  to give info on OIDC 
    

Next CACTI meeting  Tuesday, Dec. 11, 2018