CACTI Public Meeting Notes from 17-Sept-2019

CACTI call of Tuesday, Sept. 17, 2019

Attending

Members

• Chris Phillips, CANARIE (chair) 
  
• Rob Carter, Duke   
• Todd Higgins, Franklin & Marshall College   
• Tom Jordan, University of Wisc - Madison    
• Christos Kanellopoulos, GEANT    
• Matthew Economou, InCommon TAC Representative to CACTI 

Internet2 

• Emily Eisbruch  

Regrets

• Marina Adomeit, GEANT
• Warren Anderson, University of Wisconsin-Milwaukee /LIGO 
• Tom Barton, University of Chicago   
• Nathan Dors, U Washington  
• Jill Gemmill, Clemson  
• Karen Herrington, Virginia Tech    
• Les LaCroix, Carleton College  
• Kevin Morooney, Internet2  
• Ann West, Internet2   
• Steve Zoppi , Internet2   
• Nick Roy, Internet2 
• Jessica Coltrin , Internet2  

 DISCUSSION

•  Internet2 TI staff at a retreat this week, staff attendance is likely to be thin
• OpenID Connect Foundation Meeting and Internet Identity Workshop 
  • (week of September 30, Nick and Steve likely to miss Oct. 1 CACTI meeting)
  • Steve and Nick are attending - please let us know if there are topics you'd like brought up in either venue. 
    • Looking forward to Nordunet meeting and Hackathon. There will some activity there around OPENID Connect. 2020 CACTI Membership Process
      
      
• Christos: update from GEANT: 
  • there is ongoing work on finalizing OPENID connect model for Shibboleth.
  • Some work still required. 

CACTI Membership Recruitment  

• What should we say about CACTI in the solicitation to the community for new members?
• Members with terms ending at the end of 2019 to be contacted about desires to stand for re-nomination with reply by Sept 30.
• Determination of membership needs (types of representation sought or desired)
• Solicitation to be sent to InCommon Participants list, REFEDS list, EDUCAUSE IDM list on October 1. Nominations will close on October 15.

Continue prioritizing CACTI FIM4R recommendations

• Kevin has reported that the recent FIM4R meeting at FERMILAB was excellent. Good exchange of info https://indico.fnal.gov/event/21374/
• CACTI need to build on last CACTI call outcomes focusing on the 5 areas we highlighted with datapoints from mini-FIM4R (see pre-reads)
• infrastructure, services t'o end users, software dev, infrastructure as  a service, and outreach and education
• Focus of conversation: to identify high priority items/quick wins in the above areas.
• Already identified large scale items challenging to achieve unless building blocks in place
  
  
• What are the next 3 things to focus on? 
• How can CACTI best provide advice to Internet2 Trust and Identity and recommend top priorities out of FIM4R?

• GEANT Approach
  • Christos: GEANT is creating charter for The AARC Engagement Group for Infrastructures (AEGIS), which comes after AARC, to focus on blueprint architecture
  • GEANT has the architecture, but some of the tooling is missing, this is a gap
  • GEANT hopes to provide more solutions that can be used out of the box 
  • GEANT has funding communities that directs the right people (those providing support to researcher) to the GEANT staff  that has worked on solutions
  • Success stories in Europe : Eduteams and EGI, tools the users can use without too much difficulty https://www.geant.org/News_and_Events/Pages/GEANT-and-EGI-join-forces-to-support-science-and-innovation.aspx
  • within GEANT, there is focus on infrastructure, try to target those who help researchers do their work

• Evangelism
  • Need to do more Evangelism, we need to get in front of developers and tell them what to do
  • We need ambassadors to the bioinformatics developers conference, or Red Hat Conferences
  • SAML2INT is helpful, we need to be able to provide more guidance around SAML assertion, many developers are not doing anything with the list of groups
  • Matthew: we don’t wait for researchers to come to us, we go to the researchers
  • Researchers want to be able to gather data in a seamless friction-free way, they don’t want to hear about SAML. 
  • Best strategy is  to leverage researchers who have benefited from IAM solutions and use their stories to evangelize to the broader researcher communities.
  • Researchers need a better understanding of how to “plug into” and integrate
• Working Groups
  • Did CACTI ever work out the reporting relationships from the Working groups that CACTI oversees and how to get good info flowing to CACTI?
  • TomJ:  TIER is in maintenance mode, Campus Success Program has spun up, could be CACTI should “catch up” on the new working groups and relationships
  • CACTI does not have as good a  grip as might be desired on the state of the components.
  • SteveZ has emphasized the architectural design story is what is most important to the community, not the individual components. 
    
    
• The goal of Component Architects group is to advise with regard to Federation and InCommon members. 
• CACTI could highlight where the focus should be to help the research community (eg, IDP as a Service, or proxy as an emerging strategy).
• Software stack and also set of practices are essential.
• CACTI should be reviewing roadmaps from across international organizations, GEANT, AARC Blueprint, etc.  
  
  
• Availability of Guidance to the Community
  • How well does info flow from the websites and wikis to interested community members on what the recommendations are?
    • This is a challenge, hard to find the recommendations
    • Do we need more recommendations easily available from InCommon website and wiki on how services should run?
  • There’s a lot of support in IDP side for how to own and operate  the IDP, but less on the SP side, Harder to provide advice for Service Providers
  • Some emphasis around COmanage, Satosa, Grouper, maybe MidPoint
  • A group is trying to provide more info on the Service Provider side
  • The tools are flexible, but we need service providers to support external authorization 
  • How far should we go on guidance? Put resources towards services or towards integration layers?
    
    
• Keycloak
• Issues around Keycloak and its success https://www.keycloak.org/
• with Keycloak it is easier than Satosa to connect services, 
• Christos has experience with Keycloak  https://www.keycloak.org/
• Would be great if Keycloak could do multilateral trust
• Domestication
  • There were discussions in COmanage circles around domestication
  • There is a higher question, how to change the world so we don’t have to GO BACK and get things domesticated. 

Topics being tracked

• New chrome SameSite policy for session cookies affecting the SAML HTTP-POST binding
  Background: https://lists.refeds.org/sympa/arc/refeds/2019-07/msg00010.html
• TAC is tracking and formulating thoughts on it.
• Scott Cantor believes there is very little impact from this, but load balancers where cookies contain relay state will be a much bigger problem.
• Nick tested again on 9/11/2019 with Shib IdP, SP, Ping Federate SP, Satosa and could not reproduce any issues.
• Consider this issue "closed" for now?

• Same Site Chrome browser update cause grief (Nick or maybe Nathan?)
• ID Pro (Chris has next touch point)
  
  
• Next CACTI Call: Tuesday, October 1st, 2019