Minutes from the VC. Written by Andreas.
I have contacted individual institutions about putting participant names on different tasks. I'll publish a new updated work plan including names on all tasks. Comments on the content of the work plan are requested. Is anything unclear? Do people have a feeling for what we want to do in all the work items?
Updated information on wiki
I’ve included links to the different documents.
- Metadata aggregation testing
- Simple Metadata Aggregation
- Lukas added info on signing metadata and configuring Shibboleth
- Virtual Organizations
Wrote a document about virtual organizations.
Split it into two parts:
- The Information Model
- The Data Access Protocols
Collecting use cases and including them in the document.
Ongoing discussion on the data access protocols. Andreas will post some questions about the SAML2 + affiliation approach.
Discussion on the re-use of existing tools like COmanage and Grouper. SURFnet has experience with this. They will post some experiences to the mailing list, including links to a document. SURFnet also gave a presentation at TF-EMC2 in Loughborough earlier this year.
One idea is to separate the web interface from the group storage, and to standardize on LDAP as the protocol for storing and retrieving group information. NRENs could then use different tools for managing groups. Milan will post to the list some information about how groups can be represented in a directory.
UNINETT + RedIRIS will make sure there is proper support in simpleSAMLphp for the AssertionProfile to function as an Attribute Authority. Will be ready in a couple of weeks.
Metadata aggregation testing
Current included participants:
Andreas sent to the list information about how to exclude the entities of your own federation from the aggregated metadata.
Discussion on whether or not it is necessary for a federation to re-distribute confederation metadata to its entities, or whether entities may retrieve metadata directly from the central aggregator.
Seems to work fine: Lukas managed to log in to the Feide attribute viewer.
Andreas sent links to two documents: a specification of the metadata architecture, and testing notes from JRA3 (including links, certificates, etc.).
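The exclusion step discussed above, as an added example that is not from the JRA3 documents or from any aggregator software: it takes a confederation aggregate (a constructed sample, not real metadata), removes the EntityDescriptors that the local federation registers itself, and drops any EntitiesDescriptor group that becomes empty. The entityIDs, federation names and the placeholder ds:Signature are all assumptions made for the example. Because pruning invalidates any enveloped signature on the changed element, the code strips such signatures and leaves it to the caller to verify the aggregator's signature on the original document beforehand and to sign the filtered copy with the local federation key before redistributing it.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"
ENTITIES = f"{{{MD_NS}}}EntitiesDescriptor"
SIGNATURE = f"{{{DS_NS}}}Signature"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample aggregate (assumption, not real confederation metadata).
# The ds:Signature element is a placeholder for the aggregator's signature.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:confederation">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:EntitiesDescriptor Name="urn:example:federation-a">
    <md:EntityDescriptor entityID="https://idp.a.example.org/saml">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
    <md:EntityDescriptor entityID="https://sp.a.example.org/saml">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
  <md:EntitiesDescriptor Name="urn:example:federation-b">
    <md:EntityDescriptor entityID="https://idp.b.example.org/saml">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>
"""

# Entities that "our" federation registers itself (constructed for the example).
OWN_ENTITY_IDS = {"https://idp.a.example.org/saml", "https://sp.a.example.org/saml"}


def entity_ids(xml_text):
    """Return every entityID in the document, in document order."""
    return [e.get("entityID") for e in ET.fromstring(xml_text).iter(ENTITY)]


def has_signature(xml_text):
    """True if the root element carries a direct ds:Signature child."""
    return ET.fromstring(xml_text).find(SIGNATURE) is not None


def _prune(container, own, removed):
    """Recursively drop EntityDescriptors listed in `own` and any group left empty."""
    before = len(removed)
    for child in list(container):
        if child.tag == ENTITY:
            if child.get("entityID") in own:
                container.remove(child)
                removed.append(child.get("entityID"))
        elif child.tag == ENTITIES:
            _prune(child, own, removed)
            # The metadata schema requires an EntitiesDescriptor to hold at
            # least one entity or group, so a group that became empty must go.
            if not any(gc.tag in (ENTITY, ENTITIES) for gc in child):
                container.remove(child)
    if len(removed) > before:
        # Content under this element changed, so an enveloped signature on it
        # can no longer validate. Strip it rather than ship a broken signature;
        # the caller re-signs the result with the local federation key.
        for sig in container.findall(SIGNATURE):
            container.remove(sig)


def exclude_entities(xml_text, own_entity_ids):
    """Return (filtered_xml, removed_entity_ids).

    Verify the aggregator's signature on `xml_text` BEFORE calling this:
    the filtered output is no longer covered by that signature.
    """
    root = ET.fromstring(xml_text)
    removed = []
    _prune(root, set(own_entity_ids), removed)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    filtered, removed = exclude_entities(SAMPLE_AGGREGATE, OWN_ENTITY_IDS)
    print("removed:", removed)
    print("remaining:", entity_ids(filtered))
    print("root still signed:", has_signature(filtered))
```

The filter keys on entityID because that is the identifier the page talks about; a production filter in a confederation would more commonly key on the registrationAuthority recorded in mdrpi:RegistrationInfo, which these minutes do not discuss. Either way, the check that matters is the order of operations: verify the aggregate's signature first, filter second, sign the redistributed copy third.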
OpenID summary document. Any volunteers to write a table of contents to initiate the document process? Torsten, Licia, RedIRIS?
- Candido from RedIRIS.
- Any others?
No immediate volunteers to start writing… Diego will ask Candido.
Several updates have been made to the SAML 2.0 Interoperable Profile. Feedback from Scott Cantor and SWITCH. May go to Kantara and OASIS. Several federations already support the profile.
Attribute harmonization: any volunteers to start working on attribute harmonization? What should we do? Make an overview of how existing federations handle common attributes such as identifiers and the names of persons and organizations.
Feedback that attribute harmonization may be out of scope for a research activity like JRA3. Will investigate. Maybe we can rephrase the goal of the attribute harmonization document so that it becomes more research-oriented. If we do not do this work, then SA3 should, because it is crucial to making confederation work.
Single Logout. NIIF is looking into it, considering providing SLO for their federation.
Can we create a list (bullet points) of the tests we would like to perform on, respectively:
- Metadata documents
Can people test Feide OpenIdP? The self-registration module is the beginning of what can become a federation lab in the future. Andreas will post more information on the list.
Andreas away on a three-week vacation from next week.
A Foodle was sent out for deciding the next VC.
The published ISDN number was wrong. Jürgen sent details with the correct numbers to the list.
Most people now have access to the wiki. Contact Licia if you do not yet have an account.
Not all have yet responded to the Foodles.
Work plan for year 1
Please read through the following work plan:
The plan is to start with three work tracks for now, and start others later this year. The idea is to start with:
- Metadata distribution
- Virtual organizations
- Identity Federation Harmonization
What I need in the next days/weeks is to fill the work plan with real names. I've already included a tentative list of NRENs on each work track, but I need names here. I'll use the interest tracking Foodle as a basis.
Work has already started. I invited people on the list to participate in testing a metadata aggregator. Need as many participants as possible on this.
The idea is to start with an independent frontend and backend. The frontend is a web UI for administering groups and/or VO attributes. The backend implements access to the service and retrieval of group/attribute information.
We should most likely implement and demonstrate multiple different backends, then compare and summarize our experience.
- I have forwarded a draft document from SWITCH/Chad on how to implement a VO platform backend. Please comment!
- I’ll write a different proposal on a backend using JSON and OAuth.
- And one using front channel Attribute Queries.
One task that can be started right away is implementing Attribute Query support in simpleSAMLphp. That will be needed as we start to experiment with VOs. Please tell me if you are interested in implementing that.
Identity Federation Harmonization
The SAML 2.0 Interoperable Profile is already in a draft state and is used in 4-5 production federations. The profile needs to be polished and pushed through a standardization body like OASIS. I'll send a request for comments to the list soon.
Another hot item to start investigating and documenting is attribute harmonization across European federations. Let me know if you want to start working on this… I would be happy if someone started on this right away.
User centric identity
Interest was raised to write a document summarizing our experience and current status of the use of OpenID in federations.
Tentative list of participants:
We have experienced programmers / users of both SimpleSAMLphp and Shibboleth. When we create proofs of concept we will document how they can be supported by these two products.
The question was raised whether the eduGAIN software will be supported / maintained within Identity Federations:
- eduGAIN software components from GN2 JRA5, like the registry, eduGAIN base, PKI, etc., will NOT be maintained within Identity Federations. The future of these components is unclear, and is part of an ongoing discussion on eduGAIN. A dedicated working group will go into these details. More on that later.
- Still, much of what will be done in Identity Federations is intended to be adopted by the eduGAIN service activity.
Documentation formats etc.
Thanks to Ian Thomson for clarifying this:
Item 7 on the Agenda (Documentation) is, as Juergen points out, directly relevant to me as I’m the Technical Author assigned to JRA3 (and SA3, as it happens).
There is a Technical Author Wiki page that might give you information you need:
And on this page is an on-line presentation that explains our service in brief:
Ian mentioned SharePoint and the workflow attached to it. In the early phase of the documents we are freer to use whatever tool / format we would like, but final documents need to be in MS Word.
We need to find a convenient way of working with our documents in the early stage. I am in favour of writing things in clear text with support from a revision control system like git. Please share your thoughts on this.
Two types of documents:
- Deliverables. Important.
- Other documents.
Collaboration with SA3/edugain this summer.
A workgroup with individuals from SA3 and JRA3 will discuss the future of eduGAIN: metadata distribution etc.
More information will be shared on the mailing list.