Minutes of the 17th TF-EMC2 Meeting

Transcription

1 Page 1/10 TITLE / REFERENCE 17 th TF-EMC 2 Meeting - Monday, 14 th & Tuesday, 15 th February 2011 Lyon, France. The meeting was hosted by the University of Lyon and CRU. Table of Contents 1. Welcome and Apologies Approval of Agenda Minutes of Last Meeting and Update of Action List Work items updates - All Work items (WI) leaders... 2 a. Services to the community... 2 b. Diagnostic-related Activities... 3 c. Reputation Systems... 3 d. Academic Data Mobility... 4 e. Identity Services beyond Web Single Sign-On... 4 f. Community outreach... 4 g. Alternative Forms of Expressing Identity... 5 h. Service-oriented Collaboration Infrastructures National & Community Updates... 7 i. auedupersonsharedtoken and other unique persistent identifiers... 7 j. A trio of social networking authsources for simplesamlphp... 7 k. Logins4Life... 7 l. Cloud access, storage services and other beasts... 7 m. SAML work with Microsoft SharePoint, OWA, etc n. The SPP approach at TERENA... 8 o. DIY federation management... 9 p. Expectations on edugain and next steps... 9 q. Querying, Signing and Distributing Metadata Sets... 9 r. IdM Strategy, Support + Training for the developing NREN Date of Next Meeting AOB and Close Summary of Actions Welcome and Apologies Diego Lopez welcomed everyone to the meeting and called for a round of introductions. Attendance and Apologies were recorded on the event registration page: 2. Approval of Agenda The agenda was modified as the day progressed with a final version available online: 3. Minutes of Last Meeting and Update of Action List The minutes of the last meeting held on the 22nd of September 2010 were approved without corrections and are available at:

2 Page 2/10 Reference Who Action Status Licia Circulate notes on the LoA issue from the next Done. REFEDs meeting on TF-EMC2 mailing list Victoriano Publish an updated revision of the SCHAC schema Done Brook Determine an appropriate host + venue for a 3- day combined TF-EMC2 + MNM meeting with sufficient notice for international travellers. Done. 4. Work items updates - All Work items (WI) leaders a. Services to the community Licia introduced Nicole, Leif and Milan as presenters who will give a more thorough presentation in specific areas of this work item. REFEDS Update Nicole Harris showed the 6 work packages under the REFEDS website: REF1: Raising the profile of REFEDS; REF2: Effective Federation for Service Providers; REF3: User interface and discovery; REF4: Federation harmonisation; REF5: Interfederation; REF6: Identity assurance. Further details available at: One of the by products of this is the Barriers for Service Providers which has started discussion on the REFEDS mailing list Ken asked which countries were looking at Levels of Assurance (LoA) Silver Profile compliance. David Simonsen indicated that WAYF.dk were. Ken called on the federation community to work together on convergence early rather than divergent profiles which may need to be converged in the future. Milan indicated that convergence isn t likely. Ken called for a work group (informal) to keep a watch and brief on this issue. There are a range of areas within LoA from Strong Identity and Weak Authentication through to Weak Identity Proofing + Strong Authentication. Leif referenced ISO29115 as a solution to this problem and asked the rhetorical question Why would we want to do LoA? and stated that the driver appears to allow interaction with non- R&E services/federations. Since government entities are those dealing with LoA as non- Government entities have other ways of averting risk. Ken stated that InCommon Silver would be a reality later in 2011 and couldn t wait for ISO29115 to be complete. Jacob-Stein agreed with Leif s statement and confirmed that WAYF.dk is being pushed toward higher levels of assurance by Government. The discussion returned to this topic after David Chadwick s presentation on the 2 nd day, which referenced decimal LoA values rather than integers. Ken acknowledged David s prior work, following the NIST SP LoA schema, using 3-tuple of Registration Procedure, Authentication Tokens, and Assertion protocol would offer richer information on an LoA assertion (e.g. 1,3,2) rather than simply expressing a single value (1) which is no higher than the minimum value of the tuple combination.

3 Page 3/10 PEER Leif introduced PEER (Public Endpoint Entities Registry) and stated that the inception of the project started with the question What about the Relying Parties that don t have the means (financial or political) to integrate with identity federations? While this question started the discussions which led to PEER, answering this question wasn t and isn t its goal. Andrew Cormack stated that dressing up PEER as a replacement to federations is bad for both federations + PEER and should be avoided. Leif directed people to that includes user stories that will explain how and what areas PEER would support. This project (with funding via ISOC and REFEDS) is contracting developers to create the PEER software, which is unlikely to result in only a single instance of PEER, while there is likely to be a public one, but there will also be others catering for different audiences. TACAR in the light of edupki Milan presented on TACAR in light of edupki and the eduroam Trust Profile (see: ). Ken asked about Personal Certificates, as the InCommon Certificate Service will be able to issue Personal Certificates in approximately 6 hours. The discussion led to the need to focus on Services utilising Personal Certificates. [ACTION] Brook to reserve a slot for personal certificate discussion at the next meeting. b. Diagnostic-related Activities Milroslav Milinovic gave a quick summary of diagnostic related activities and call for comments. Ken talked about the need for monitoring and a system being worked on within Internet2. [ACTION] Ken to provide information to the mailing list regarding this monitoring work. Universal federation monitoring Jaime Pérez presented on the use of JMeter to monitor federation infrastructure and how this is implemented within the SIR federation. Not only for the creation of alert monitoring and integration with their chosen monitoring tool (Nagios) but also to provide usability metrics related to the response time of the systems. Jaime posted to the EMC2 mailing list a summary of the work: (Posting to mailing list) (Presentation) (Abstract) The discussion flowed toward the applicability of test accounts within an identity federation. Many federations require accounts to be linked to a real person. Jacob-Stein said that a test account to verify functionality is a requirement when joining WAYF. They are known as test accounts and are treated as such. c. Reputation Systems Jaime Pérez presented on three (3) topics of interest to reputation systems: EQUAL Domain Reputation IPv6 migration

4 Page 4/10 Jaime posted to the mailing list and included the slides Brook stated that the EQUAL community developed a roadmap of work items to explore but without a firm timeline for their implementation. Recently NRENs have been approached by at least two vendors that are interested brokering a community-wide deal for reputation systems. Leif stated that the Domain Reputation WG quietness is due to increased activity and focus on DNSSEC and not due to lack of interest in the issue. [ACTION] Leif + Brook to forward vendor interest/information to the EQUAL mailing list for consideration. d. Academic Data Mobility Victoriano Giralt gave a verbal presentation on the work of the Academic Data Mobility (ADM), Rome Students, Standards and Systems Group (RS3G) and the Digital Student Data Portability (DSDP) collaboration. It has taken sometime to get these groups together with the first joint meeting held in Malaga on December 13-15, A follow-up to this meeting will be a coding camp in March. More information is available on the RS3G Wiki Regarding the work within the SCHAC space. The URN:SCHAC namespace proposal will be approved shortly. Diego noted that community input to SCHAC and curating is important. [ACTION] TERENA to look at mechanisms to support collaborative editing of SCHAC schema. e. Identity Services beyond Web Single Sign-On Josh Howlett was unable to attend this TF-EMC2 meeting. Update on Moonshot/ABFAB Rhys Smith provided an update on Moonshot and the ABFAB working group. The slides for this presentation are available at: The 1st half of 2010 was to bootstrap the work of the 2nd half of The group had its first official meeting at IETF 79 in China. Klaas informed the audience that Alan DeKok will be presenting on Channel Bindings at the TF- MNM meeting on Wednesday and reminded the attendees that Moonshot is a work item that is shared between TF-EMC2 and TF-MNM. Joost van Dijk said that the primary use case within the SURFnet community was for (IMAP) access to Google Apps for Education and Windows EDU services without the need to share/synchronise passwords with these services. Rhys indicated that this is probably a use case that is common across the globe. f. Community outreach Torbjörn Wiberg presented the need for community outreach in communicating value (see: ).

5 Page 5/10 SSEDIC, Victorian Giralt Victoriano Giralt summarised the Scoping the Single European Digital Identity Community (SSEDIC) that has 3 layers of membership: 1. Primary members (35 members which receive funds from the project), 2. Associate members (exact numbers to be defined), and 3. Interested parties. The group has only recently been formed. Their website has further information. WAYF's dynamic federation benefit calculator David Simonsen presented on the WAYF Butterfly diagram which uses the integration costs of joining WAYF as an Identity Provider or Service Provider and shows how the federated environment of WAYF can be used to contain the costs of further integration efforts. Ken asked how this relates to a SWAMID paper on the cost of federating vs not federating. David stated that this work could be seen as a natural progression of that work for those that had federated to assist in identifying the increased value of WAYF as the complexity (number of interactions between IdPs & SPs) of the federation grows. g. Alternative Forms of Expressing Identity Diego presented some research into alternatives to SAML such as OpenID, OAuth + Social Auth services (see: ). Ken commented that the use case is accepting social authentication into your SAML environment is initially for parents to have a read-only view of the balance of student fees and institutions don t want to offer guest accounts for all parents to accomplish this. Leif stated that SWAMID is going to pilot a service connecting Social identity providers for a specific use-case and he believes that this service will be co-opted for higher level services as soon as it is offered. Diego concluded with the REFEDS funding proposal for Remote federated proxy administration. It was broadly agreed that this work was accepted and should proceed. Niels added that the SURFnet just in time provisioning module for Apache had picked up by ARNES and used within their Adobe Connect federated environment. Bridging the SAML + PKI worlds Christopher Brown presented on the Access and Identity Management (AIM) programme, specifically the SARoNGS (Shibboleth Access to Resources on the National Grid Service) project (see: ). More information on SARoNGS can be found on the JISC Website:

6 Page 6/10 h. Service-oriented Collaboration Infrastructures Knowledge Exchange and its identity and middleware requirements Christopher Brown presented a overview of Knowledge Exchange and the work of its VRE (Virtual Research Environment Working Group) (see: ). Knowledge Exchange is a 4 country initiative started in 2005 between Germany (DFG), Denmark (DEFF), UK (JISC) and The Netherlands (SURFfoundation). They work in two areas of interest to the EMC2 community: Interoperability of Digital Repositories Virtual Research Environments (often called VOs in our sphere). Chris is new to Knowledge Exchange and questioned why there was no Access & Identity Management WG? David Simonsen stated that he purposefully wound up this group and diverted interested parties toward TERENA as work was already underway with a larger collaborative group. SURFconext Platform Niels summarised the activities on Service-Oriented Collaboration Infrastructures over the past 6 months including: EuroCAMP, European OpenSocial Summit and Project COIN (see: ). Leif questioned why OAuth + Metadata was referenced in relation to JANUS. Niels explained that JANUS is extensible and since Service Providers within SURFconext use OAuth to exchange additional data that instead of using an Out-of-Band mechanism to exchange OAuth end point information it is included in the SAML metadata managed within JANUS. Ken queried how federated provisioning, federated groups and What do we mean by domestication? relates to this body of work. Niels stated that some services use the OpenSocial API for provisioning and that a subset of what will be OpenSocial 2.0 and the CMIS REST API (similar to WebDAV) is used. Leif said that the domestication contention is whether it is attribute push or pull. If group management is part of the session management that it can be via attribute release. If it is needed outside of session management then an alternative mechanism is required. Leif asked, Where does federated social web come into this? referring to the W3C Federated Social Web Niels stated that within the SURFconext context portals are social and there is the use of 5 attributes from OpenSocial, mapping federation attributes to open social applications many of the array of OpenSocial attributes aren t useful in an R&E environment. The OpenSocial European Summit has some positive interaction between OpenSocial + W3C Federation Social Web participants that are working to reconcile the portal specs so they are interoperable. [ACTION] Niels to send CMIS references to the list. Shibboleth and Nuxeo, Olivier Salaün Olivier presented on the domestication of Nuxeo. The slides for this presentation are available at: Nuxeo is an enterprise content management (ECS) system that supports pluggable authentication and support for OSGi, which was the primary reason that it was selected by the developers. This work has been committed upstream to the main Nuxeo project.

7 Page 7/10 [ACTION] Olivier to provide details on Nuxeo to the SURFnet labs domestication wiki. Adjourn The meeting adjourned at 18:00 for the day. 5. National & Community Updates i. auedupersonsharedtoken and other unique persistent identifiers Patricia McMillan, Bradley Beddoes, Heath Marks, Terry Smith and Alex Reid joined the EMC2 meeting via videoconference. After a round of introductions to the audience, Patty presented the design and use cases covered by the auedupersonsharedtoken (see: ). The presentation generated discussion on the security, porting, use, re-use, impersonation and security of such an attribute. Alex confirmed that ARCS had a process to display the token so that it can be printed and moved to an institution when a researcher changes organisations. Andrew questioned how the attribute in an unscoped format could be protected from misuse or forgery. Bradley explained that federation policy is used to secure the use of auedupersonsharedtoken. Brook followed up on Andrews question on how this transfers to an interfederated environment? It was concluded that mechanisms for the AAF to extend this trust or provide security against misuse of this attribute in an interfederated environment is a topic that needs further exploration. j. A trio of social networking authsources for simplesamlphp Brook Schofield presented on his Christmas project on the implementation of MySpace, Windows Live ID and LinkedIn auth sources within simplesamlphp (see: web.ppt ). This functionality is available in the HEAD version of simplesaml and will be included in v1.7.1 and will be available on the TERENA SPProxy environment in the coming weeks. k. Logins4Life David Chadwick (University of Kent) presented on the Logins4Life Project (see: ) which binds a institutional account with various social login services easing the discovery problem. The account linking software (via Shintau project) will be contributed back to simplesamlphp. l. Cloud access, storage services and other beasts Andrew Cormack presented on Cloud Issues (see: and whether they are institutionally managed or user managed. Ken asked whether IaaS vs PaaS vs SaaS are distinguished in regard to EC law. Andrew simply answered No and further explained that in all models there is potential for disclosure of information even at the IaaS level as the HyperVisor (and who controls it) is also at issue because the machine which holds the security keys to any encrypted data on it can only be trusted if you know who has control of the physical hardware.

8 Page 8/10 In addition to the use of cloud services, Andrew stated that the commission is looking at the right to portability (between cloud services), which should allow switching between systems (or at least data extraction) to become easier. Privacy Preserving Federated Access to Clouds David Chadwick presented on the EC TAS 3 Project which covers a multitude of use-cases (see: ) Dyonisius asked about availability of this system and timeframe for deployment. David stated that this is on-going work and part of a large scale project with 14 partners + 10M of commission funding. At this stage the use cases and architecture have been drawn up, the first prototypes have been developed, and early software releases are now available from the TAS3 web site ( The complete software is due to be released in Dec Identity-hub: Towards the Identity in the Cloud Mikael Ates of Entr'ouvert presented on a project with similar goals to that of David s project (see: The project is aimed at moving from a user centric identity to identity centric authorisation creating a personal SSO server as an agent managing your distributed identities. The project is available at and utilises with future work aimed at developing a r er to provide privacy preserving addressing. Mikael also announced the creation of a Kantara WG (OSSIWG) on Open Source Support Initiative Work Group and encouraged participation. m. SAML work with Microsoft SharePoint, OWA, etc. Jean-Marie Thia from the Université Pierre et Marie Curie presented on SAML Microsoft (see: ). Providing references to video demonstrations, whitepapers and other resources to interoperate between Microsoft services such as SharePoint and Outlook Web Access and SAML federations. Leif asked whether Azure ACS could be used to consume metadata from a relying party for bridging to a SAML world. While this appeared achievable some experimentation would be required to confirm. Valter asked how provisioning with OWA would happen. Jan-Marie replied that account provision needs to happen separately but can be implemented in real-time (with a hook). n. The SPP approach at TERENA Dyonisius Visser presented on the TERENA Service Provider Proxy (SPProxy) environment (see: ). This work is the result of needing to simplify the 20 (and growing) bilateral federation peering agreements between TERENA and other identity providers or federations. Kristof made a point of using an SPProxy to hide services behind a single end point requires the set of attributes sent to be the maximum required for each and every service behind the SPProxy. The audience was divided (not with the TERENA instance) but with the concept of SPProxies. Diego stated that RedIRIS/SIR encouraged its use because the interaction is with a

9 Page 9/10 single party (in this example TERENA) so they are responsible for all the attribute data consumed and the SPProxy provides a single point of administration. Niels stated that trust was defined by a contract between parties and not to the discrete services that those parties operate. Thomas said that in an interfederated environment there aren t necessarily contracts to bind that trust. o. DIY federation management Jacob-Steen Madsen presented on JANUS and the goal of self service metadata management (see: ). Jacob-Steen also referred the audience to his blog which includes pointers on a demo of JANUS as well as how to interact with the service for your own testing. p. Expectations on edugain and next steps Valter Nordh summarised edugain s current status (see: ) covering edugain Policy, Data Protection, GN3 Services, coherent PR, scalability of the Discovery Service and Security. Torbjörn asked what would be the critical success factors within edugain. Valter stated that adoption by federation operators and that edugain doesn t have a single killer application to drive adoption. InCommon and edugain interfederation will happen when there is a use-case but a use-case isn t apparent at the moment. David Chadwick prompted discussion of attributes and harmonisation by arguing that the diversity should be embraced and campuses shouldn t be shoe horned into a single model when they actually need to satisfy their own use cases. q. Querying, Signing and Distributing Metadata Sets Kristof Bajnok presented the eduid.hu metadata management work (see: ). The system is based on the SWITCHaai Resource Registry and is developed by Adam Lantos with the goal of automatic metadata signing, including the integration of edugain metadata into the eduid.hu federation. [ACTION] Kristof to provide details for accessing the software on the mailing list. r. IdM Strategy, Support + Training for the developing NREN Brook Schofield make a call to arms of those with a federation to help in the development of those without (see: ). Previously there were EuroCAMP Training events that focused on Directory Management issues. These events will be retooled and revived to support the creation of pilot identity federations. The audience was polled for input, advice and guidance. The offers of support, materials and advice will be followed up in the coming months. Of note, Nicole Harris referred to an organisation, EIFL, which brokers library resources for libraries and is in need of identity management practices for library consortia.

10 Page 10/10 6. Date of Next Meeting The next TF-EMC2 meeting will be held virtually via videoconference and has been scheduled for the end of June. It was agree that the 19 th meeting is to be held in the week starting on Nov 7th, venue and exact dates to be confirmed. 7. AOB and Close The meeting closed at 17:30. (Minutes published 25 February 2011) 8. Summary of Actions Reference Who Action Status Brook Reserve a slot for personal certificate discussion at the next meeting Ken Provide information to the mailing list regarding federation diagnostic monitoring work Leif Brook Forward vendor interest and information to the EQUAL mailing list for consideration Dyonisius TERENA to look at mechanisms to support collaborative editing of SCHAC schema Niels Send CMIS references to the list Olivier Provide details on Nuxeo to the SURFnet labs domestication wiki Kristof Provide details for accessing the metadata signing software. Document History Date Comment Status 14 Feb 2011 Initial text collaboratively written in Google Docs. Internal 25 Feb 2011 Initial version published for comment. Published 26 Feb 2011 Updated with LoA clarification from David Chadwick. Published