interfed - [inc-interfed] May 14 call notes
Subject: Interfederation
- From: "Basney, Jim" <>
- Subject: [inc-interfed] May 14 call notes
- Date: Tue, 14 May 2013 19:48:32 +0000
Hi,
My notes from today's call are below.
Please join our InCommon Virtual Working Group session on interfederation
this Monday (May 20) 3:00-3:20 EDT (https://spaces.internet2.edu/x/NYBHAg).
We won't have a call next week (Tuesday May 21). In preparation for our
Tuesday May 28 call, please review the recently updated eduGAIN policy
package (http://edugain.org/policy).
Following on to our good discussion today, please continue to contribute
edits to our lessons learned page (https://spaces.internet2.edu/x/QwBOAg).
-Jim
-----
attending: JimB, ScottC, ScottK, TomS, IJK, JohnK, MarkS, ChrisP, SteveC
MarkS: The Quilt effort making progress.
Regionals submitted 10 pilot proposals to explore models of doing
federation with regionals as middle layer connecting K-12 institutions
to InCommon.
Illinois project trying to get K-12s to use federated access
to InBloom data warehouse (a.k.a. shared learning consortium).
Partnering with IlliniCloud to do that. Talking about doing a proxy
IdP tying to Active Directories at school districts.
Nebraska has consortiums of regional school districts.
One consortium already has central LDAP with all students in it.
Helping other consortium to do the same thing.
Looking at multi-scoped IdP approach.
Should be good case studies coming out of this effort.
What about portability of identifiers?
Between regions and K-12 to HE?
The Quilt effort not looking at this yet.
Some states working on unique state identifier for students.
Related to InBloom project. Also CommIT project.
Pilots haven't gotten to proxy IdP details yet.
Illinois plans to use Proxy IdP (hub-and-spoke), with details TBD.
Nebraska has single directory and will break it out by scope
(multi-scope IdP).
Prep for May 20 interfed virtual working group:
https://spaces.internet2.edu/x/NYBHAg
Deliverables slide - mention reporting back to TAC in June.
Multilateral interfed a la eduGAIN "necessary but not sufficient" for
meeting trust requirements in real-world.
Chris agrees - eduGAIN is a good first step.
eduGAIN not proscriptive on how to ingest metadata.
eduGAIN gives profiles to work with.
Better than starting from scratch.
Continuing discussion of interfed lessons learned:
https://spaces.internet2.edu/x/QwBOAg
Say something about Proxy IdPs? Gateways? Hub-and-Spoke?
Proxy is a gateway masking entities behind it.
Can make it more difficult for SPs to build per-entity policies?
Does proxy force all-or-nothing (inter-)federation?
Generalize wiki page to challenges of interfederation and
Include gateway/proxy challenges. Including policy questions.
Gateway examples: ADFS, Social2SAML
Challenges section: multiple federations, gateways
Entity tag that identifies gateways?
Example: Sharepoint can contain multiple web sites but only
one ADFS URL for all the sites.
There are both IdP and SP gateways.
What is different about interfederation for gateways?
All-or-nothing policy creates a problem for interfederation?
Gateways move problems around, don't solve them.
Lessons learned section on trade-offs around gateways?
Policy challenge: can't interfederate on behalf of all systems that
gateway is representing.
Focus lessons learned doc on interfederation issues.
Does interfederation make a challenge insurmountable?
For example, crossing cultural or legal boundaries.
For I2 Spaces joining multiple federations, little legal stuff req'd.
For Shibboleth, Nicole and Chad took care of legal issues.
When joining multiple federations, also need to address technical
issues like different models for signing metadata, revoking keys.
Challenge: LIGO not a legal entity. Huge barrier to entering into
legal agreements with different federations.
Shibboleth Consortium move from JISC to JANET introduced legal
challenges for federation agreements.
Challenges for non-legal entities (like LIGO) could be a good
section.
SPs also care about security issues around metadata trust.
REEP doesn't solve this.
For joining multiple federations, would help to have standardized
documentation about how to trust metadata.
Language barriers are another challenge for interfed.
REFEDS template for baseline federation processes / management?
eduGAIN metadata requires registration policy URL.
REFEDS standardization of registration policies?
InCommon planning to support <mdrpi:PublicationInfo>.
How should we move forward with metadata aggregate that SteveC set up
that LIGO is currently consuming?
Currently metadata aggregate includes just Cardiff, not other IdPs.
InC-Ops will think about timeline for metadata aggregate.
Chris interested in helping LIGO connect with CAF IdPs.
Chris will follow-up with John and Tom on this.
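The notes above mention that eduGAIN metadata requires a registration policy URL, that InCommon plans to support <mdrpi:PublicationInfo>, and that SPs worry about how far to trust metadata from an aggregate. The following is an added example (not part of Jim's notes, nor InCommon or eduGAIN code) showing how an SP operator might audit an aggregate for that registration information before trusting its entities. The aggregate, entity IDs and registration authority URLs are constructed placeholders. It only checks the mdrpi elements; verifying the aggregate's XML signature, which the notes list among the technical issues of joining multiple federations, is assumed to happen before this step and is not shown.

```python
"""Added example: audit a SAML metadata aggregate for the per-entity
mdrpi:RegistrationInfo that eduGAIN requires, and keep only entities whose
registrar is trusted.  Sample aggregate, entity IDs and registration
authorities below are constructed placeholders, not real federation values.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}

# Constructed sample aggregate: one entity with full registration info, one
# with a registrar but no policy URL, and one with no RegistrationInfo at all.
SAMPLE_AGGREGATE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    Name="https://example.invalid/aggregate">
  <md:Extensions>
    <mdrpi:PublicationInfo publisher="https://example.invalid/federation"
        creationInstant="2013-05-14T00:00:00Z"/>
  </md:Extensions>
  <md:EntityDescriptor entityID="https://idp-a.example.invalid/idp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://fed-a.example.invalid">
        <mdrpi:RegistrationPolicy xml:lang="en">https://fed-a.example.invalid/policy</mdrpi:RegistrationPolicy>
      </mdrpi:RegistrationInfo>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.invalid/idp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://fed-b.example.invalid"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.invalid/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def publication_info(xml_text):
    """Return (publisher, creationInstant) from the aggregate-level
    mdrpi:PublicationInfo, or (None, None) if the aggregate has none."""
    root = ET.fromstring(xml_text)
    pi = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    if pi is None:
        return None, None
    return pi.get("publisher"), pi.get("creationInstant")


def audit_aggregate(xml_text):
    """Map each entityID to (registrationAuthority, [policy URLs], [problems]).

    Problems flag what an SP would want before trusting the entity: a missing
    RegistrationInfo element, a missing registrar, or no policy URL.
    """
    root = ET.fromstring(xml_text)
    report = {}
    # iter() with the Clark-notation tag also finds entities nested inside
    # sub-EntitiesDescriptor elements, which real aggregates often use.
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = entity.get("entityID")
        ri = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if ri is None:
            report[entity_id] = (None, [], ["no RegistrationInfo"])
            continue
        authority = ri.get("registrationAuthority")
        policies = [p.text.strip()
                    for p in ri.findall("mdrpi:RegistrationPolicy", NS)
                    if p.text and p.text.strip()]
        problems = []
        if not authority:
            problems.append("no registrationAuthority")
        if not policies:
            problems.append("no RegistrationPolicy URL")
        report[entity_id] = (authority, policies, problems)
    return report


def trusted_entities(xml_text, trusted_authorities):
    """Entity IDs registered by a registrar in trusted_authorities and
    carrying a registration policy URL, sorted for stable output."""
    return sorted(eid
                  for eid, (auth, _pols, probs) in audit_aggregate(xml_text).items()
                  if not probs and auth in trusted_authorities)


if __name__ == "__main__":
    print("published by:", publication_info(SAMPLE_AGGREGATE))
    for eid, (auth, pols, probs) in audit_aggregate(SAMPLE_AGGREGATE).items():
        print(eid, auth, pols, probs or "ok")
    print("trusted:", trusted_entities(SAMPLE_AGGREGATE, {"https://fed-a.example.invalid"}))
```

The per-registrar filter in `trusted_entities` is the piece that addresses the "how to trust metadata" question: an SP consuming an interfederation aggregate can decide per registration authority rather than all-or-nothing per aggregate, and the audit output shows which entities would be dropped and why.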