Date
at 15:00 CEST
Attendees
Christopher Walen
Wolfgang Pempe
Harry Williams
Thijs Kinkhorst
Alan Buxey
Albert Wu
Alex Stuart
Anass Chabli
Casper Dreef
Chris Phillips
Davide Vaghetti
Hellen Nakawung
Jan Oppolzer
Jani Heikkinen
Jean Carlo Faustino
Jessica Coltrin
Jon Agland
Judith Bush
Jule Ziegler
Julie Menzies
Keith Wessel
Kevin Morooney
Koren, Menhna (ELS-AMS)
Mark Wiliams
Miroslav Milinovic
Pål Axelsson
Raja Visvanathan
Rhys Smith
Sami Silen
Stefan (Jisc)
Terry Smith
Tom Barton
Zbyszek (PSNC)
Brook Schofield
Tomasz Wolniewicz
Uros Stevanovic
Klaas Wierenga
John Paraskevopoulos
Mario Reale
Stephen Lovell
Goals
To discuss initial proposals for Baseline Expectations as laid out at Baseline Expectations Working Group.
Discussion items
Nicole welcomed everyone to the meeting and invited federations present to give an update on their current thinking regarding any sort of approach to changing the baseline expectations within their services.
Country | Position |
---|---|
UK | looking at following in the footsteps laid out by the InCommon baseline expectations. It is about maturity. Will look similar but haven’t worked out the details. What should eduGAIN do? Want to align with as much as possible. |
Germany | looking at AAI+ concept. Attribute release is a big area. Looking at LOA / RAF. Looking at Sirtfi and security. Quality of federation operations. Would this be a new level on top of the current basic and advanced? This is different – those are seen more as levels of assurance. We connected the output of the eduGAIN validator to our Nagios. ECCS results are part of this, and we're monitoring the IdP status locations (95% Shib IdPs in DFN-AAI). https://doku.tid.dfn.de/de:aai:attributes_best_practice |
Croatia | started an audit of IdPs and SPs. Looking at assurance. Have an existing baseline but would like to know. Important for Croatia: contacts need to be alive: this would suggest some sort of reaction test. This is definitely more of an annual audit approach rather than a set of rules. |
Brazil | https://docs.google.com/spreadsheets/d/1L5oI4dWE2Gk4XAgGDkvEOTgBCdhJHDKOczyqe0MXZEE/edit#gid=0 |
Australia | IdPs and SPs selectively opt in to eduGAIN but when they do they have to do R&S and Sirtfi. Boost: SP quality. 300+ services so will be a long long process. |
Italy | ECCS APIs used by GARR to improve operational. Follow up by opening a ticket automatically. Have changed the participating rules. Have pulled in incident response directly – do a short interview with self assessment. |
US | just 4 organisations that have not yet met the baseline. Contact information has been the most difficult aspect. Want to do more! Requiring Sirtfi, MDUI information. Require encrypted transport for SPs. IdPs: R&S and MFA still being discussed. |
Canada | use the UK rule sets. Supports Sirtfi. Uptick in R&S adoption. Technical interoperability matters: ADFS vs Shib etc. |
Please feel free to add notes for your country / federation even if you were not at the meeting / didn't get a chance to speak at the meeting. |
General Discussion
Tom: liked the work done by AAF. Process is more important than the rules. Pyramid diagram (which is in the slides on the wiki).
Start defining what we are trying to do with sentences. We want the user experience to be perfect.
Chris: do we need to start filtering out the whole eduGAIN feed in a different way? Can we change the way we treat the eduGAIN feed as a whole (i.e. not rejecting the whole feed)? Break fix, functions good, functions best.
Most utility for eduGAIN for the most people.
Tomasz: already have stratification through entity categories so we have these groupings. eduGAIN will be proposing new ways of showing information that are currently challenging. Looking at being more nuanced with the warnings shown. https://technical.edugain.org/profile_v2.
Problems with moving forward
What’s in it for me for IdPs? Not enough reason.
Metadata handling tools are not as easy to use as they should be.
Need to explain to people that there is an interoperability problem. So not pissing off your users is a good thing.
Are we ever going to make every identity provider in the world understand why? If eduGAIN raises the bar, it’s actually easier for federations to have a “reason” to explain.
What are we creating? A baseline for entities being published into interfederation for international collaboration.
Next steps
There is enthusiasm for moving the group forward and a mailing list should be created. It may be beneficial to work on statements of what we are trying to achieve... perhaps around the Authority, Security, Compliance and Trust (plus User Experience?) areas that were identified at Baseline Expectations Working Group? The InCommon "pyramid" could be useful here.
People generally like the baseline ideas created by InCommon so start there. Note that eduGAIN already has rules on all of the baseline expectations for Federation Operators so perhaps this is covered? Do we just want to focus on baseline for entities in interfederation?
Need to think about how things are being measured and by whom.
Action items
- Nicole Harris to create a mailing list for the group.
- Nicole Harris to set up another meeting date.