**MACE-Dir Call 24-October-2011**

**Attending**
Keith Hazelton, U. Wisconsin-Madison (co-chair)
Michael Pelikan, Penn State
Derek Mohr, Penn State
Jim Leous, Penn State
Mark Scheible, MCNC
Chris Phillips, CANARIE
Tom Barton, U. Chicago
Bill Weems, UT-Houston
Derek Owens, Notre Dame
Michelle Decker, Notre Dame
Scott Cantor, The Ohio State U.
Heather Flanagan, Internet2
Nate Klingenstein, Internet2
Steve Olshansky, Internet2 (scribe)

**Next call:** 7-November-2011 3:00 PM EDT (GMT-4)

**New Action Items**
[AI] (Keith) will write a strawman best/recommended practice document related to the use of eduPerson{Scoped}Affiliation

**Carryover Action Items**
[AI] (Keith) will propose a discussion starter on the subject of whether there should be MACE-Dir attribute specifications for Grouper objects: Role, Privilege, Subject, (others).
[AI] (RL "Bob") will distribute information about the UW person registry web service.
[AI] (Keith) will draft a problem statement on person and organization identifiers from social IdPs related to VOs, as a discussion starter, and will refer to IPEDS for reference.
[AI] (Brendan) will distribute some reference materials related to person and organization identifiers from PESC.
[AI] (Keith) will send a discussion starter on the use of eduCourse to the mailing list.
[AI] (Keith: OBE) will develop a Bamboo use case for persistent identifiers.
[AI] (Keith: OBE) will write up the current state of the identifier discussion and apparent consensus, and associated explanatory material, for use by REFEDs.
[AI] (Keith) will edit the previous versions of the SAML Attribute Profiles documents to note that they have been superseded by a newer version:
http://docs.oasis-open.org/security/saml/SpecDrafts-Post2.0/sstc-saml-attribute-x500-cd-01.pdf
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200604.pdf
http://middleware.internet2.edu/dir/docs/draft-internet2-mace-dir-saml-attributes-20071202.pdf
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200804.pdf
http://wiki.oasis-open.org/security/SstcSaml2AttributeX500Profile
http://www.oasis-open.org/committees/download.php/28042/sstc-saml-attribute-x500-cs-01.pdf
See also:
http://www.edugain.org/policy/edugain_policy_build20110124/attribute_profile_20101215.pdf
[AI] (Brendan) will poll the mailing list for feedback on the use of name fields, and whether they have had the need to extend eduPerson locally with additional name fields.

**Discussion**
1. Converting eduPerson{Scoped}Affiliation values to controlled vocabulary with an attribute resolver/attribute mapper enhancement

There are a number of problems in this space, some more easily solved than others. E.g., populating the values for "member" or "affiliate" is fairly straightforward. An attribute resolver/mapper could do this, and could also filter out values that are not in the controlled vocabulary.

Q: What other things can or should be done in this space? What is (are) the problem(s) being addressed?

A: Assuming that at least some (primarily non-campus) SPs are using these values, and evidence suggests that they are, is there enough nuisance factor in the current deviations that it ought to be addressed? Is it useful for IdPs to have these attributes populated for them without major intervention? There is a concern that we aren't getting enough leverage from these attributes due to practices in the wild.

Scott noted that using affiliation in a federated context is more work than creating a new attribute, from the perspective of the SP. Filtering is not an issue, as SPs just ignore attributes they don't use. The relationship between the values not being applied consistently is a nagging problem for the SP.

IdPs might tend not to care, assuming that this is really a problem for SPs.

The capability for this already exists in the IdP, and it can be scripted, but its use is site-specific.

It was suggested that we put out clear statements on this to relevant lists, and solicit feedback. An executive overview of eduPerson, explaining best/recommended practices for its use, would also be useful.

[AI] (Keith) will write a strawman best/recommended practice document related to the use of eduPerson{Scoped}Affiliation

2. eduCourse{Offering}: Is the time ripe for a revision of the spec?
Given how the world has evolved over the several years since this work was done, should it be revisited? Is there trouble around how courses and roles within courses are managed today, especially in light of the "softening" of campus boundaries in a federated context?

It was observed that in some/many cases, publishing of courses to endpoints is often handled through group membership.

3. Surveying the landscape of opportunity for new MACE-Dir work items
- Lots is happening in the registry and identity attribute space; which are insurmountable opportunities? Current Initiatives:
- OSIdM4HE: https://spaces.internet2.edu/display/OSIdM4HEteam/Registries+Team
- Kantara Attribute Management Disc. Group:
http://kantarainitiative.org/wordpress/groups/attribute-management-discussion-group/
- SCIM schema: http://code.google.com/p/scim/
http://www.simplecloud.info/

The MACE-Dir participants are not exhaustively representative of the entire R&E community, but we seem to have enough critical mass to make a significant contribution in areas we choose to tackle.

Further work on eduPerson, e.g. adding clarifying text, is an obvious work item. Publishing

Suggestions for additional work include:
- Attributes in support of identity linking
- AdmitMe - enabling students to use a single identifier throughout the admissions process, including testing. Expressing AuthN quality, attribute aggregation, and privacy preservation are potential issues to be tackled.
https://spaces.internet2.edu/display/InCAdmissions/Home
- Helping other groups to do useful work, e.g. OSIdM4HE