Interfederation

[Jim Basney <>]

Proposed agenda for next week's call:

1. Update on LIGO SP + UK IdP pilot.
2. Baseline Federation Operational Practices (FOP) for interfederation.
3. Anything else?

Agenda item #2 is about looking at the UKFTS (Federation Technical
Specifications) that Ian sent by email and the InCommon Federation
Operating Policies and Practices [1] and looking for commonalities that
could define a level of trust ("conditions on state and behavior") that
could enable interfederation between UK and InCommon. Discussion on the
mailing list prior to the call is encouraged.

My notes from today's call are below. As always, feel free to reply with
your additions/corrections.

I added a new page to our wiki space at
https://spaces.internet2.edu/x/tIA_Ag with notes from our InCommon+UK
interfederation discussion. Feel free to edit.

Thanks,
Jim

[1] https://www.incommon.org/policies

-----
attending: JimB, ScottK, ScottC, IanY, TomS, IJK, SteveC, MarkS, JohnK

ScottK reports LIGO user ran ECP to get CILogon certificate to log in
to Linux cluster. Cardiff recently added ECP support.

Next steps for LIGO pilot:
Add UK IdPs: Sheffield, Warwick, Birmingham, Cambridge, and Glasgow.
Small but active LIGO group at Sheffield.
Ed in Sheffield writing a proposal with a group in Warwick.
Would be helpful for Sheffield / Warwick collaboration.
ScottK doesn't have inside person at Warwick for testing.
UK fed has strong contacts with Cambridge and Glasgow.
[AI] Ian will take IdP list to UK helpdesk for follow-up.
Glasgow and Cambridge may be easier than others.
Glasgow is huge LIGO experimenter group
but perhaps less able to participate in pilot.
[AI] ScottK will provide LIGO contacts to IanY for these IdPs.
     ScottK will give LIGO contacts a heads up.
ScottK hopes to have Cardiff IdP + LIGO SP working by next call.
[AI] IanY will confirm with Rhys that Cardiff IdP is releasing ePPN.
New IdPs will go in SteveC's metadata feed, so no SP-side change needed.
LIGO SP uses embedded discovery service.
Does SteveC's feed include MDUI elements? Yes, if IdP provides it.
Pilot can be good opportunity to encourage IdPs to add MDUI elements.

Roadmap for production InCommon SP + UK IdP interfederation:
See: https://spaces.internet2.edu/x/tIA_Ag
conditions on state and behavior
  verification of DNS ownership for registered entities
  refer to current draft of eduGAIN declaration
  document which metadata elements is federation authoritative for
  what is minimum? for example: REEP (no organization verification)
  ScottK requests MDUI elements. Not a requirement though.
  ScottK: ability to track entityid back to legal entity (member)
    IdP really operated by institution.
  registration info - registration authority URI in metadata
    <mdrpi:RegistrationInfo>
  UK: organizationalname element contains canonical name of member
see new draft of UK federation technical specifications.
Ian welcomes comments on the new draft. He sent email to the group.
see also https://www.incommon.org/docs/policies/incommonfopp.html
InCommon also has an internal draft doc on RA practices
REFEDS work item on this? FOP Template.
[AI] TomS will follow-up with REFEDS on status.
When SP loads metadata file, filter out IdPs that don't contain
registration authority URIs. Aggregator can do it.
Raises metadata distribution issues. Separate TAC subcommittee for this.
Expanding to smaller / newer federations will see wider variance.
InCommon & UK can set an example. Publish practices.
Example: delegated domain registrations.
Document what is minimum bar in common between InCommon & UK.
InCommon requires IdP operators to publish POP. Req'd for new members.
UK has a similar statement: IdPs should (or must) publish. Many don't.
InCommon looking at next generation for POP.
POP = Participant Operational Practices.
[AI] = Action Item.