MACE-Dir call February 13, 2006
*Participants*
Keith Hazelton, U. Wisconsin - Madison (chair)
Tom Barton, U. Chicago
Scott Cantor, Ohio State U.
Todd Piket, MTU
Steven Carmody, Brown U.
Brendan Bellina, USC
Lynn Little, Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)
New *Action Items*
[AI] {Scott and Keith} will work on the draft and pass it over to the MACE WG for review.
Carry-over *Action Items*
[AI] {Keith} will accept changes to the eduPerson draft, and pass over to {SteveO} to put on MACE-Directory site.
[AI] {Keith} will work on finalizing scoped attributes before sending out a last call on the eduPerson rev, and will then submit to the MACE Group for comments/approval.
[AI] {Walter and Tom} will collaborate on the development of a domain model.
[AI] {Steven} will write-up use cases on requirements for provisioning systems, and send to {Walter}.
[AI] {Volunteers} should contact {Roland} if they would like to review the documentation and look at the code for the software. (5-Dec-05)
[AI] {Walter} will work on developing a domain model for Nexus. (5-Dec-05)
[AI] {Group} will contribute their own requirements for provisioning systems, and should contact {Walter}. (5-Dec-05)
[AI] {Group} will send feedback to {Brendan} for incorporation into the HEP revision 6. (21-Nov-05)
*Discussion* The Spring Internet2 Member Meeting <http://events.internet2.edu/2006/spring-mm/> is approaching; the Group will propose and review topics for the Working Group session by the next call.
The eduPerson (200602) draft is nearing its final stage <http://www.nmi-edit.org/eduPerson/draft-internet2-mace-dir-eduperson-latest.html>. The Group discussed topics such as user status, expressed as a URN with a SCHAC status prefix followed by a namespace-specific string that names the scoping organization and the actual value being scoped. [AI] {Scott and Keith} will work on the draft and pass it over to the MACE WG for review.
The group addressed the X.500 and LDAP attribute profile for SAML:
<http://arch.doit.wisc.edu/keith/i2/drafts/draft-internet2-mace-dir-attribute-guidelines-01.pdf>
<http://arch.doit.wisc.edu/keith/i2/drafts/draft-internet2-mace-dir-attribute-guidelines-01.sxw>
Use cases target items on the list, such as grace period, scoping, entitlement, etc. In terms of various licenses and providing appropriate access, a suggested missing category is honorary staff: people who are not listed as staff in the directory but still need to be treated as, say, a university 'member'. There are certain expectations of the local provisioning system to ensure access. How are groups, affiliations, entitlements and roles managed, and furthermore, how are they provisioned? It is unclear what can be expected of the vendors; it may be that the Identity Providers will have to handle these items. There does not seem to be consensus on what is specifically wanted from particular attributes, such as isMemberOf. The Group agreed that the entitlement attribute may be the answer for all the use cases. The use cases are meant to identify a range of issues, as well as which of them are the most common.
It may be worthwhile to look at the relationship between affiliation and entitlement: commonalities across deployments can be found for affiliation, but is it necessary to agree on entitlement values? {Tom} expressed concern about using affiliation as the basis for eduPersonEntitlement; does affiliation need to be changed to do more of what we want it to do? One purpose of affiliation is to keep it friendly-looking for usability reasons; it also seems valid to use it as a mapping.
Changing one value has a number of effects: the level of access may change, an affiliation may be denied, and so on. The logic of the internal access policy should be worked out by the institution, so as not to leave that task in the hands of vendors. Whether the attribute should be multi-valued is a separate question from whether vendors are ready to support that.
Institutions map their privileges to specific values, so that resource providers can look for the values the institution tells them to expect. In this way a resource provider can dictate the particular entitlement values that the institution should populate eduPersonEntitlement with. The vendor can provide a management interface that lets the policy authority state what the values should be; the vendor is more concerned with how many values it will have to manage.
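The following is an added example, not code from the MACE-Dir group or from the eduPerson draft, illustrating the resource-provider side of three points above: the scoping use case (a scoped affiliation is only trusted if the asserting IdP is authorized for that scope), the status URN format (prefix, scoping organization, scoped value), and entitlement-first authorization with affiliation as a fallback, which is how the honorary-staff case gets access without a staff affiliation. The IdP entity IDs, scopes, the SCHAC prefix string, the entitlement URN and the attribute values are all constructed for the example.

```python
# Added example: SP-side handling of scoped affiliation, a SCHAC-style status
# URN, and entitlement-vs-affiliation authorization. Everything below is
# constructed; none of it comes from the MACE-Dir minutes or eduPerson draft.

# Constructed SP metadata: which scopes each IdP (by entity ID) may assert.
AUTHORIZED_SCOPES = {
    "https://idp.example.edu/idp": {"example.edu"},
    "https://idp.partner.example/idp": {"partner.example"},
}

# Assumed prefix for the user-status URN discussed in the minutes; the
# namespace-specific string is taken to be "<scoping org>:<scoped value>".
STATUS_PREFIX = "urn:mace:terena.org:schac:userStatus:"

# Constructed entitlement value the institution agreed to populate for this SP.
EJOURNALS = "urn:mace:example.edu:entitlement:library:ejournals"


def split_scoped(value):
    """Split 'name@scope' into (name, scope); reject malformed values."""
    name, at, scope = value.rpartition("@")
    if not at or not name or not scope or "@" in name:
        raise ValueError(f"not a scoped value: {value!r}")
    return name, scope.lower()


def filter_scoped(values, issuer, authorized=AUTHORIZED_SCOPES):
    """Keep only scoped values whose scope the issuing IdP is authorized for.

    This is the check that stops idp.partner.example from asserting
    staff@example.edu. Unscoped or malformed values are dropped.
    """
    allowed = authorized.get(issuer, set())
    kept = []
    for value in values:
        try:
            name, scope = split_scoped(value)
        except ValueError:
            continue
        if scope in allowed:
            kept.append((name, scope))
    return kept


def parse_status(urn, issuer, authorized=AUTHORIZED_SCOPES):
    """Return (org, value) from a status URN, or None if the prefix is wrong,
    the string is malformed, or the scoping org is not one the issuer may assert."""
    if not urn.startswith(STATUS_PREFIX):
        return None
    org, sep, value = urn[len(STATUS_PREFIX):].partition(":")
    if not sep or not org or not value:
        return None
    org = org.lower()
    if org not in authorized.get(issuer, set()):
        return None
    return org, value


def authorize(attrs, issuer, required_entitlements, fallback_affiliations=()):
    """Decide access from released attributes.

    Entitlement values are the ones the institution agreed to populate for
    this resource, so they are checked first and need no scope check (the
    institution's own URN namespace carries the scope). Affiliation is only a
    fallback, and only after scope filtering against the asserting IdP.
    Returns (decision, basis, matched_values).
    """
    ents = set(attrs.get("eduPersonEntitlement", []))
    hit = ents & set(required_entitlements)
    if hit:
        return "permit", "entitlement", sorted(hit)
    affs = filter_scoped(attrs.get("eduPersonScopedAffiliation", []), issuer)
    for name, scope in affs:
        if name in fallback_affiliations:
            return "permit", "affiliation", [f"{name}@{scope}"]
    return "deny", None, []


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp"
    # Constructed assertion for an honorary staff member: no staff affiliation,
    # but the institution populated the agreed entitlement value.
    honorary = {
        "eduPersonScopedAffiliation": ["member@example.edu"],
        "eduPersonEntitlement": [EJOURNALS],
    }
    print(authorize(honorary, idp, {EJOURNALS}, {"staff"}))
    # Constructed spoof attempt: partner IdP asserting an example.edu scope.
    spoof = {"eduPersonScopedAffiliation": ["staff@example.edu"]}
    print(authorize(spoof, "https://idp.partner.example/idp", {EJOURNALS}, {"staff"}))
```

The scope filter is the security-relevant piece: without it, any federation IdP could mint `staff@example.edu` and obtain the affiliation-based fallback. Entitlement values avoid that problem by construction because the institution and the resource provider agree on the exact URN, which is the arrangement the discussion above describes.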
There may be a set of documents coming from the Liberty and SAML Working Group in the near future, and that would be a good time to raise the status of the meta search issue.
The Group discussed subsections of the SAML attributes document, which is intended as a working document from which eduPerson is derived. What is the set of attributes being covered, and who is producing the document? The attributes are defined by MACE-Dir (eduPerson, etc.), and the document can be shared beyond eduPerson alone.
The next MACE-Dir call will be held on Monday, February 28, 2006 at 4:30pm ET.