COmanage Call 18-Feb-2011

Attending
Heather Flanagan, Internet2 (chair)
Ken Klingenstein, Internet2
R.L. "Bob" Morgan, U. Washington
Keith Hazelton, U. Wisc
Michael Gettes, CMU
Chris Hubing, Pennsylvania State U.
Benn Oshrin, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

New Action Items
[AI] (Keith) will add to the COmanage wiki use case library the case of bridging identity using social identity credentials. https://spaces.internet2.edu/display/COmanage/Use+Case+Library
[AI] (Keith) will ask Roland and Leif to clarify how social identity assertions will be handled in their system.
[AI] (Benn) will update the COmanage roadmap based on recent discussions with COs. https://spaces.internet2.edu/display/COmanage/Technical+Roadmap

Carry Over Action Items
[AI] Heather will track on a wiki page approaches to sharing metadata between collab platforms.
[AI] (Ken) will develop a one-page writeup on the differences between a VO IdMS versus an enterprise IdMS
[AI] (Benn and Keith) will talk about Bamboo's requirements for person registry.
[AI] (Ken) will email Bob B. regarding the possibility of speaking at ACAMP
[AI] (Heather) will schedule an Internet Identity webinar for iPlant IT staff.
[AI] (Ken) will contact David Groep about VOMS GUMS.
[AI] (Steven) will develop a one-page write-up on attribute aggregation.
[AI] (Jim) will check on whether there has been discussion on the CIC list concerning LIGO and the domesticated apps list.
[AI] (Heather) will ask U. Chicago people to contribute an academic (intra-institutional) use case to the COmanage use case library.
[AI] (Jim) will share ESWN call notes with the COmanage-dev list.

DISCUSSION
Ken, Heather and Benn attended an iPlant Meeting at Caltech, Feb. 1-3. ScottK from LIGO also participated. The meeting went well. Notes from the iPlant meeting are found at: https://spaces.internet2.edu/display/COmanage/iPlant+mtg+notes
A few highlights:
- There were concerns leading up to the meeting about which iPlant staff would be able to be present, due to some personal issues; however, the meeting went better than expected
- The first day of the meeting focused on the culture and environment of iPlant.
- The second day of the meeting got into more technical detail
- iPlant has a multitude of ways folks enter the system to access online materials, not one single enrollment process.
- iPlant has clearly defined roles for people to fit into (e.g. constrained user, iPlant user, steward, administrator, developer, etc.)
- The ways that the COmanage team will engage with iPlant going forward are still being clarified; follow-up is being worked on.
- Shibbolization and domestication of IRODS is one task of interest
- ScottK's ability to share with the iPlant staff the perspective of another VO (LIGO) was quite helpful
Meeting with LIGO in mid-February
Benn attended a two-day meeting at LIGO in mid-February.
Highlights:
- There was positive feedback from the face-to-face with LIGO that occurred Dec 2-3, 2010
- The LIGO team had a 2-day meeting in mid-Feb to discuss their IdM plans and invited the COmanage team to participate in that conversation.
- Benn gave a presentation on COmanage.
- There was discussion of which LIGO IdM tasks and coding efforts the COmanage team could help with.
- There was discussion of the task list from the LIGO perspective, divided into tasks that the COmanage team can help with and items that are LIGO specific
- Within a few weeks, Benn will enter into JIRA items that came out of that meeting
- Detailed notes are on the LIGO wiki, to which we are getting access.
- ScottK is very enthusiastic about the LIGO engagement with COmanage.
- Scott and Benn will most likely have a follow-up conversation within a week.
Ken noted that there was an email about LIGO's interest in joining InCommon.
Use cases:
- Giving COmanage staff access to their wiki.
- LIGO will also be playing the role of an IdP.
Project Bamboo Update (Keith)
Keith and Heather have been in conversation with the Project Bamboo folks. Project Bamboo believes that an ideal set of tools for them would be:
- Registry for carrying Bamboo profile info
- Grouper
- Multi-protocol gateway for authentication (looking at various solutions)
Q: (Bob) -- Has enough analysis of Bamboo's requirements been done regarding which multi-protocol authentication avenue to choose?
Thoughts about multi-protocol authentication:
- It would be easy to SAMLize many of the resources Bamboo folks need to access.
- One requirement is for an account linking mechanism in order to accept social identities, at least at first.
- Perhaps some discovery process is needed for the end user to pick their mode of authentication.
- For Bamboo's phase one, they are looking for an authentication solution that is ready
- Perhaps COmanage should be addressing this need for multi-protocol authentication
- However, want to avoid baking into COmanage specific gateways
- Best solution will be when an open protocol is available
- Will be good if user is not aware of any distinction between coming in via a gateway versus coming in directly
Q: For Bamboo, would coming in/authenticating via a social network identity be just an initial way to "board" and would the user then get added to the more official native identity store? Or would there be the option long-term for a user to authenticate using her/his social identity credentials?
A: (Keith) It may be desirable to maintain ability to enter via social identity. One use case is that a user changes their professional home base, for example moves from one university to another and needs a "bridging identity" while between institutions. This relates to a much-discussed question of whether there should be a permanent non-institutional identity attached to a person's institutional identity.
[AI] (Keith) will add to the COmanage wiki use case library the case of bridging identity using social identity credentials. https://spaces.internet2.edu/display/COmanage/Use+Case+Library
Ken noted:
- that state diagrams that TomB created a while back showed the importance of triggers. Triggers can be different in the VO world. It's important to document the adaptation of the enterprise to the VO
- Regarding the gateway topic, Leif talked about the assertions coming out of Social to SAML site. It will convey the place where the authentication happened so that the relying party can assign value based on the type of authentication (i.e. Twitter or Facebook authentication = less trusted)
[AI] Keith will ask Roland or Leif to explain how social identity assertions will be handled in their registry
ESWN Update (from ChrisHubing)
- The ESWN COmanage site is up.
- It's an SP in InCommon
- It's linked into Drupal, and it has ldappc.
- ESWN is happy with it so far.
- Another conference call is coming up in about a week.
GENI (report from Ken)
- Federated identity is getting accepted within GENI
- But the question remains of where the attributes are going to come from.
- This attributes question is driving increased interest in COmanage
- GENI program office is interested in generalizing the CILogon GridShib (JimB is involved)
- We are becoming more involved in the GENI IdM.
UC Provisioning Design Kickoff Meeting Update (Benn)
- Benn noted that work is starting up with the UC System to work on federated provisioning space for VO-like consortiums within the UC system.
- Target seems to be to get something done by end of summer
- Interest is in administrative apps right now.
- Academic applications are possibly on the backburner
Normalization of Terms
- During iPlant meeting, during Benn's demo of what the COmanage layout can look like
- There was confusion between the terms "Home institution identity" and "CO identity"
- Sources of confusion: home institution could be gmail. Or home institution could be the CO itself.
- So what should we call that "Home institution identity"; how should it be labelled?
- Electronic identity provider? Personal data ecosystem? Personal information source? Identity issuer?
- No consensus reached during the call
- What about the case of COs within COs? Use COU for the technical description
Technical Roadmap
Benn reported:
- Current plan is to get a live version of COmanage demo up on Internet2 server (instead of on Benn’s laptop) in next few weeks
- Then Benn will address the LIGO requirements, perhaps enrollment workflow issues.
- Possibly Benn can implement some Bamboo requirements (registry and Grouper... these are on the general COmanage roadmap).
[AI] (Benn) will update the COmanage roadmap based on recent discussions with COs. https://spaces.internet2.edu/display/COmanage/Technical+Roadmap
Ken's Report
Ken stated that:
- Regarding the technical roadmap, Benn should talk with Jim Basney re generalization of GridShib and attributes and parameters for certificates
- There is much international activity around collaboration platforms.
- All of the efforts are going from a single to multiple output mechanisms
- What matters is push versus pull
- There will be a collaboration BOF at the Terena meeting on the last day.
- Terena has started its own internal websites using many forms of identity
Next COmanage Call: Friday 4-March-2011
Emily Eisbruch, Technology Transfer Analyst
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749