REFEDS Assurance pilot telco
Monday 19th March 2018 at 14:30 CET/15:30 EET/8:30 CDT
CERN’s Vidyo portal: https://www.nikhef.nl/grid/video/?m=rawg

Jim
Sami
Jule
Timo
Daniel
Nicolas
Michael
Mikael, notes

Notes

- Changes in RAF spec after last telco

  • The ID-unique property is re-defined. The old definition required that “The person and the credential they are assigned is traceable i.e. the CSP knows who they are and can contact them”. That was deemed to clash with the Identity Assurance component, so the replacement is “CSP can contact the person to whom the account is issued”.
  • The authentication component is dropped from RAF, and Cappuccino and Espresso no longer impose any requirements on authentication. This was done due to concerns that deployers would misunderstand a CSP asserting “capacity to SFA/MFA” as meaning that SFA/MFA has actually happened. REFEDS MFA and SFA continue as independent specifications parallel to RAF, and deployers are encouraged to use them together (e.g. cappuccino + SFA).
  • clarification: a CSP can assert ePA-1m (or the new ePA-1d) if they don’t populate/release ePA at all (see https://en.wikipedia.org/wiki/Vacuous_truth)

- changes on SFA specs after last telco (modifications underway by the spec editor)

  • refining recovery OTP and recovery keys
  • discussion on common products’ support for C8 (secret hash functions) and C9 (salt length)
  • Jule and Michael have a draft of a new simpler SFA spec for Friday’s WG call. They will send it to the assurance list today.

- status of populating the ePA values and configuring authentication contexts to IdPs

  • test SP links and Shibboleth config examples in: https://wiki.refeds.org/display/GROUPS/Pilot+resources
  • Timo has provided nice configuration examples for Shibboleth IdP
  • Timo and Sami have tested Aalto IdP and CSC IdP against their own test SP
  • Jim has tested XSEDE IdP against CILogon and ELIXIR – works, but ePAssurance is not released yet.
    • Others can also easily register an ID from XSEDE IdP to give it a try
  • Michal will configure the ELIXIR SP to display the ePAssurance values this week. The logs show the attributes are properly received but not mapped yet.
  • EGI SP not yet enabled for eduGAIN login

- next call

  • Tuesday 3rd April 2018 at 15:30 CEST/16:30 EEST/8:30 CDT (Exceptionally on Tuesday, Europe has started daylight savings)