**MACE Call 11-April-2011**
**Attending**
Keith Hazelton, U. Wisc. - Madison
Maarten Kremers, SURFnet
Renee Shuey, Penn State U.
Steven Carmody, Brown U.
Michael Gettes, CMU
David Wasley, independent
Benn Oshrin, Internet2
Nate Klingenstein
Tom Zeller, U. Memphis
Albert Wu, UCLA
Steve Olshansky, Internet2 (scribe)
NEXT CALL: 25-April-2011
Theme call: Federated Provisioning
COmanage is interested in federated provisioning, but really as a work area for others whose work they can incorporate. UCTrust (U. California system federation) has been working on this for their own needs to avoid campuses reinventing this solution for their individual needs. They are in an architecture and design phase currently.
The Grouper project has been working on this as well.
Q: Why did DODHE not take off?
A: Multiple issues, long ago, and overtaken by events since...
Q: Use cases for federated provisioning?
A: UCTrust has been working on some. PSTC (OASIS SPML TC) has assembled some, e.g. from Johns Hopkins.
Q: E.g. a campus using both GMail and WindowsLive, how is that managed?
A: Using local Grouper instance, group info is pushed out.
Q: What about users with their own personal e-mail accounts, how are they incorporated?
A: Varies.
An example use case might involve provisioning into campus LMS systems.
OASIS SSTC (SAML) has been looking at this as well...
The federated provisioning issue has many angles, depending on your perspective. Thus it is hard to define this space in a universally useful way. Where are the major pain points, now or in the near future?
NCSU's WebAssign service was cited as an example of a federated testing service that is doing a sort of federated provisioning.
In the VO context, some are interested in replicating the group tree from the campus systems to the VO. The "invitation scenario" also emerges in this context, to pre-configure the groups an invitee would be a member of if/when s/he responds to the invitation.
A large LMS vendor is currently working on Shib pilots with some campuses, and may be a good context in which to explore dynamic provisioning.
The Bamboo Project is also interested in dynamic (or JIT) provisioning.
Q: Is federated provisioning a solution in search of a problem? Are there current drivers for working on this?
A: This seems to be something of interest to many.
SURFnet is working on provisioning from many angles, including a provisioning engine that would support JIT provisioning where the apps would support this. Every institution in their federation would be able to access a central component to manage provisioning of federated services, to try to reduce reliance on individual solutions. They are seeking funding from GEANT3 for work on the architecture, and are working with their Connect platform which includes application middleware. They will be starting a de-provisioning project soon as well... Rough ETA for the current provisioning architecture work is Summer 2011, with dev work following into early 2012.
Q: How can we in the US follow the SURFnet work so as not to reinvent the solution or develop something that is not interoperable?
A: SURFnet reps are participating in the COmanage project. Further discussions between SURFnet and people in the US working on this would be useful. There may be a clearinghouse under the Jasig FIFER (Free IDM Framework for Education & Research) umbrella...
An informal BoF at the upcoming Internet2 Member Meeting is in the works...
The GENI project may be interested in this work in the near future, in addition to COmanage and Project Bamboo.
Q: Are there any deliverables planned in the near future?
A: Bamboo is working on JIT provisioning, centered around the invitation use case, ETA 3-6 months.
The UCTrust project is motivated by the need to develop a platform used by multiple applications and campuses. They foresee increasing demand for provisioning solutions, and are trying to get ahead of the curve. E.g. UCSB is going to start using UCLA apps, which is spurring this work in the near future.
In the COmanage context, the VOs they are working with haven't really pressed provisioning as a high priority, yet, but that is likely forthcoming as they get further down the road.
Delegating authority to create and manage groups, and metadata-driven user consent to attribute release, are two areas under development that may support federated provisioning systems...
The Internet2 Provision mailing list will be used to continue this discussion:
https://lists.internet2.edu/sympa/info/provision