Interfederation

[Jim Basney <>]

Our hot topic for next week's call is:

Can a privacy framework (Code of Conduct, etc.) help our near-term
federation use cases? Or is it too hard and we leave attribute release
to be worked out directly between IdPs and SPs (for now)?

Steven Carmody agreed to kick off our discussion next week with a review
of the current Code of Conduct work.

My summary from the call today is:

* General agreement on the InCommon SP + "foreign" IdP use case.

* Validation of ownership of entityID and scope is a requirement
  for interfederation but is it domain validation or organizational
  validation?

* Other requirements on technical and behavioral trust is an
  open question.

-Jim

-----

attending: JimB, ScottC, SteveC, SteveT, PaulC, MarcS, IanY, JohnK, TomS

PaulC: Brief description of Authentication Gateway / Proxy IdP
  At San Diego Quilt meeting, discussed authn gateway that returns
  SAML but supports many authn protocols at front-end (LDAP, database,
  CAS, WS-fed, SAML). Can be done with SimpleSAMLphp.
  Good initial step to bring small institutions into the fold.
MarkS: This is for K-12 & community colleges that might not have
  resources to run IdP directly.
  3 working groups looking at options: pilots, technical, admin/policy
  regionals leveraged to help small institutions engage with InCommon.
  discussion pilots to test this out. regionals and U Alaska system
  looking to run authentication gateways.
Use case:
  An InCommon SP (example: LIGO wiki) accepts authentication from both
  "international" IdPs (i.e., IdPs in other national federations) and
  InCommon IdPs, where:
  * The SP doesn't need to sign agreements with federations
     other than InCommon.
     The "international" IdP doesn't need to join InCommon.
  * The SP gets all IdP metadata from InCommon.
    IdP gets SP metadata from its local federation.
  * The SP registers its metadata with InCommon and doesn't
    need to separately send its metadata elsewhere.
    IdP registers its metadata with local federation.
  * This use case does not disrupt other SPs that only want to accept
    InCommon IdPs.
  Jim suggests we put the inverse use case ("international" SP with
  InCommon IdP) on the back burner at least for today.
  JohnK: change "international" to "external"?
  more portable language, but don't want to lose specificity.
  "international" is proxy for another legal jurisdiction?
  "foreign" rather than "international"? "alien"?
Columbia University publishing house and German IdP use case
  legal jurisdiction is an important consideration here
  particular privacy issues with IdP in EU
  who ends up being responsible for privacy agreements?
  federation takes care of? federation mediates agreements?
  asymmetrical: US IdPs releasing ePPN to Europe
  this is a behavioral trust issue?
Ian: interfederation can't try to resolve all trust decisions at
  higher levels for all members
technical trust:
  what do IdP and SP need before they're ready to interfederate?
  IdP/SP is truly owned by the organization? or domain validation?
  Ian: domain ownership is most important
  organization name in metadata is a federation-validated canonical name
    interesting but not required?
  domain validation more critical than organizational validation?
    need to handle outsourcing use cases; delegation of permission
  ownership verified for domains used as entityID or scope
  domain validation is a critical requirement for UK federation
  domain validation of other URLs in metadata?
    not currently in UK. worthy of discussion.
    what is the risk? assertions going to "someone else".
    UK performs "sanity checks" on "non-critical" entries
    like ACS URLs.
  if InCommon were to place a rule on ACS URLs, it'd be unlikely to
    impact many UK entities
  we agree domain validation of entityID and scope is key
  ScottC: risk of domain validation: EV versus DV certs
    validate "duly appointed representative of the organization"
  InCommon and UK do organizational validation of members
  would mechanical domain validation be sufficient?
    this is underlying assumption of PEER initiative
  some type of "sponsorship" process?
    federation member "vouching" for external entity?
how to resolve entity conflicts?
  UK has a priority list of sources (PEER would be last)
  eduGAIN has first-come first-served
behavioral trust out of scope for interfed?
  privacy policy? R&S category?
widely varying interpretations for release of PII (Columbia example)
national federations in Europe all have differing interpretations of
  privacy laws
REFEDS work item on extending Code of Conduct outside EU
  entity would self-assert a tag (like safe harbor)
SteveC will present Code of Conduct next week