**MACE-Dir Call 15-August-2011**
**Attending**
Keith Hazelton, U. Wisconsin - Madison (co-chair)
Brendan Bellina, USC (co-chair)
Chris Phillips, CANARIE
Mark Scheible, MCNC
David Bantz, U. Alaska - Fairbanks
Michael Pelikan, Penn State U.
Jim Leous, Penn State U.
Jimmy Vuccolo, Penn State U.
Scott Cantor, The Ohio State U.
Nate Klingenstein, Internet2
RL "Bob" Morgan, U. Washington
Derek Owens, Notre Dame
Steve Olshansky, Internet2 (scribe)
**Next call: 29-August-2011 3:00 PM EDT (GMT-4)**
(NOTE: All future calls will be at 3:00 PM ET)
**New Action Items**
[AI] (Keith) will send out a last call for the eduPerson revision, with a 2-week time limit (i.e. the next MACE-Dir call).
**Carryover Action Items**
[AI] (Keith) will propose a discuss-starter on the subject of whether there should be MACE-Dir attribute specifications for Grouper objects: Role, Privilege, Subject, (others).
[AI] (All) discuss feedback or concerns about revised EPTID text on the mailing list.
[AI] (RL "Bob") will distribute information about the UW person registry web service.
[AI] (Keith) will draft a problem statement on person and organization identifiers from social IdPs related to VOs, as a discussion starter, using IPEDS as a reference.
[AI] (Brendan) will distribute some reference materials related to person and organization identifiers from PESC.
[AI] (Keith) will send a discussion starter on the use of eduCourse to the mailing list.
[AI] (Keith) will develop a Bamboo use case for persistent identifiers.
[AI] (Keith) will write up the current state of the identifier discussion and apparent consensus, and associated explanatory material, for use by REFEDs.
[AI] (Keith) will edit the previous versions of the SAML Attribute Profiles documents to note that they have been superseded by a newer version:
http://docs.oasis-open.org/security/saml/SpecDrafts-Post2.0/sstc-saml-attribute-x500-cd-01.pdf
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200604.pdf
http://middleware.internet2.edu/dir/docs/draft-internet2-mace-dir-saml-attributes-20071202.pdf
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200804.pdf
http://wiki.oasis-open.org/security/SstcSaml2AttributeX500Profile
http://www.oasis-open.org/committees/download.php/28042/sstc-saml-attribute-x500-cs-01.pdf
See also:
http://www.edugain.org/policy/edugain_policy_build20110124/attribute_profile_20101215.pdf
[AI] (RL "Bob") will query the REFEDs list about whether identifier reassignability is an issue for them, especially in grid environments.
[AI] (Keith) will take a first pass at revving http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html in the wiki, then run it by the group for comment, with the goal of perhaps finalizing it in the near future.
[AI] (Brendan) will poll the mailing list for feedback on the use of name fields, and whether they have had the need to extend eduPerson locally with additional name fields.
**Discussion**
1. Review revised eduMember specification documents (including the new "friendly names" for the eduIsMemberOf and eduHasMember attributes)
(See link on https://spaces.internet2.edu/display/macedir/MACE-Dir+Working+Group+Space)
The only real change is in the names of the attributes.
[AI] (Keith) will send out a last call for the eduPerson revision, with a 2-week time limit (i.e. the next MACE-Dir call).
2. SCIM, from directories, in SAML attribute assertions and in provisioning
(See ChrisP's mail to the list before the call today)
"
Status Update:
--------------
- Roles and entitlements are now in the published core SCIM schema due to our advocacy for them.
- The SAML profile does not yet reflect them, but it is also a bit behind in keeping up with the other main documents.
Conversation points:
--------------
- Reviews/comments/recommendations of the data model and SAML profile are welcome either through me to the SCIM list or directly on the list if you like. We can discuss on the list if worthwhile or in email directly.
- Unboundid.com, one of the contributors, has already created an SDK for SCIM[1] that maps items to inetOrgPerson. Populating extensions to the SCIM schema to support eduPerson doesn't appear too difficult, but would be beneficial to do if there was a direct benefit other than that it exists.
Possible next steps / Interesting questions:
--------------
Next steps of SCIM interacting with Internet2 software products/initiatives is interesting. The utility of SCIM is formalizing and structuring the provisioning events & schema technique and writing fewer provisioning connectors. The big question is:
'Does SCIM represent enough of a value proposition to be used in the Internet2 software space, and if so, should it be integrated as a technique for publishing/managing information, be it big (full persona) or small (just group memberships)?'
Other spin-off questions are:
- Will OSIdM4HE efforts highlight a gap that SCIM fills? I believe so, but would like to know more about OSIdM4HE. SCIM user scenarios map is here[2], thoughts welcome.
- What about a Grouper SCIM publishing implementation to a SCIM-enabled target? Is there enough A) value to do this, B) interest in doing this?
- There are various Just In Time/Just In Case provisioning events that go on outside of Shibboleth & Grouper; should/could there be a purposeful implementation of SCIM to Shibboleth for JIT/JIC in the SP for tighter integration? (e.g. Shibboleth SP provisioning plugin for Moodle, Drupal, Liferay, etc...?)
[1] http://www.unboundid.com/blog/2011/07/26/the-unboundid-scim-sdk/
[2] http://www.simplecloud.info/specs/draft-scim-scenarios-04.html
"
Is SCIM mature enough to be included in the software stack, and if not, where are the gaps?
It was noted that some campuses are using groups to provision GoogleApps for their users, and access control is one of the more complex aspects -- i.e., which users have access to which services?
What role might Grouper play in the SCIM space? Groups, roles, and permissions will continue to play a prominent role.
Will persona (person record in the cloud app) map to roles and entitlements?
Alignment (or interoperability) of provisioning models could prove challenging, and will at least be important to resolve if this is to succeed.
Changes in the IdM person registry at the center of campus IdM systems will need to be communicated promptly to whatever systems are managing access to the cloud services.
It was proposed that it would be useful to document the (non-messaging) use cases for the ability to determine the membership of groups.
Q: Is anyone doing provisioning to Office365, and is anyone using SAML?
A: DirSync is used in some places, but this is an ugly solution... Microsoft is apparently claiming Office365 support for SAML within 12-18 months.
3. Breaking news: OSIdM4HE Initiative; Registries Team in particular (All)
This is the follow-up activity stemming from conversations at the last ACAMP about a joint effort between Internet2/InCommon, Kuali, and Jasig. A public announcement is forthcoming very soon. The public site (not yet populated) will be https://spaces.internet2.edu/display/OSIdM4HE/Home
The strong and widespread desire for a community (i.e. very open) effort to build out a more comprehensive system as an option to commercial offerings is a primary driver, and several universities are very interested in making this a success.
Kuali Rice is interested in expanding the capabilities of KIM, including a person registry, toward becoming the foundation of enterprise services. Internet2 is interested in participating and has strong things to contribute (e.g. Grouper).
Starting with a green field, what would an IdM stack for higher-ed look like? Where are the gaps? Suggestions include work on registries, provisioning, and access management (in a form TBD).