*Participants*
Keith Hazelton, U. Wisconsin-Madison (chair)
Etan Weintraub, Johns Hopkins U.
Paul Hill, MIT
RL “Bob” Morgan, U. Washington
Tom Barton, U. Chicago
Brendan Bellina, USC
Mark Jones, UT Houston
Nate Klingenstein, Internet2
Ann West, EDUCAUSE/Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)
Carry-over *Action Items*
[AI] {Keith} will craft a survey question to understand what is going on within the eduCourse space in the real world, as it pertains to Section, and share with relevant mailing lists. (22-Oct-07)
*Agenda*
1. Identity Assurance Qualifiers (was LOA) in SAML assertions; Establishing Conventions for URI-based representations. * See < https://spaces.internet2.edu/x/Jhc > for a draft document on this topic
2. The official pronouncement of a new eP*Affiliation value, "library-walk-in"
*Discussion*
- Identity Assurance Qualifiers (was LOA) in SAML assertions; Establishing Conventions for URI-based representations-
{Keith} introduced his draft document on Identity Assurance Qualifiers in SAML assertions; refer to < https://spaces.internet2.edu/x/Jhc > for more details. The Group worked towards defining the exact problem space and discussed how they might make recommendations to InCommon regarding assertions. {Keith’s} document tries to clarify what it means for an Identity Provider to assert InCommon ‘bronze’ or ‘silver’ profiles. E.g., every factor going into a ‘silver’ level of assurance for a user at an Identity Provider must fit the profile of ‘silver’, as defined by the profiles for identity assurance. It aims to ensure that a relying party knows that the asserted affiliation with the university is genuine, as well as how strongly the identity is bound to the credential.
{Bob} mentioned discussion of adoption within a clinical context, i.e., for patients getting status, etc., and doing so through InCommon. The Group also discussed situations where there is a need to distinguish between multiple credentials, e.g., an X.509 device credential. Since it is a credential in and of itself, it should assert itself, but there is some translation, i.e., a credential conversion to turn the X.509 credential into a SAML assertion.
The Group discussed the situation of an institution that belongs to multiple federations (and thus potentially asserting multiple values); it will be a challenge to know which values are meaningful. Should the Identity Provider send values to all, i.e., should it assert at both the ‘bronze’ and ‘silver’ levels, as both requirements are met? The Group agreed that they need to consider the simplest approach for solving these issues, else a proliferation of profiles complicates an already complex space.
{Keith’s} draft document aims to identify and clarify a recommendation to NIH and NIST to solve their particular challenge. What if there is another federation? How can the scope be shrunk to specifically address the NIH issue? How general should the recommendation be, in terms of expressing authentication profile?
- The official pronouncement of a new eP*Affiliation value, "library-walk-in"-
{Scott} shared his draft proposal on MACE-Directory attribute profiles for SAML: < http://middleware.internet2.edu/dir/docs/draft-internet2-mace-dir-saml-attributes-latest.pdf > via the mailing list. {Keith} asked the Group for high-level concerns or other reactions.
{Bob} expressed a sense of urgency on the matter, particularly with NIH wanting to use Service Provider software that is unable to deal with scope as an XML attribute. He said there needs to be a separation of items addressing what to use for various paths; more and more people are showing interest in using a non-Shibboleth SAML implementation.
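The two Service Provider-side questions raised above (which of several asserted assurance qualifiers is meaningful to this federation, and how to consume a scoped attribute whether or not the scope arrives as an XML attribute) can be illustrated with a small parser. This is an added example, not code from the minutes, the draft documents, or any Shibboleth or other SAML implementation. The assurance URIs, the attribute name used to carry them, the IdP entity, and the sample assertion are all constructed placeholders; only the eduPerson OIDs and the SAML 2.0 namespace are real. The authorized-scope set stands in for the scope list an SP would take from the IdP's federation metadata.

```python
"""Added example: SP-side handling of assurance qualifiers and scoped values.

Constructed for illustration; not from the MACE-Dir minutes or any real IdP/SP.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Hypothetical assurance-qualifier URIs for one federation ("federation-a").
# The page does not give the real InCommon URIs, so these are placeholders.
ASSURANCE_RANK = {
    "urn:example:federation-a:assurance:bronze": 1,
    "urn:example:federation-a:assurance:silver": 2,
}
# Hypothetical attribute name carrying qualifiers as a multi-valued attribute,
# in addition to the single AuthnContextClassRef SAML 2.0 allows.
ASSURANCE_ATTR = "urn:example:assurance-qualifier"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"                # eduPersonPrincipalName
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation

# Constructed sample assertion: the IdP asserts silver in the AuthnContext, both
# bronze and silver (plus a URI from another federation) as an attribute, one
# scoped value with Scope as an XML attribute, and two in value@scope form, one
# of which uses a scope this IdP is not authorized for.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:federation-a:assurance:silver</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ASSURANCE_ATTR}">
      <saml:AttributeValue>urn:example:federation-a:assurance:bronze</saml:AttributeValue>
      <saml:AttributeValue>urn:example:federation-a:assurance:silver</saml:AttributeValue>
      <saml:AttributeValue>urn:example:federation-b:assurance:gold</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{EPPN}">
      <saml:AttributeValue xsi:type="xs:string" Scope="example.edu">jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SCOPED_AFFILIATION}">
      <saml:AttributeValue>library-walk-in@example.edu</saml:AttributeValue>
      <saml:AttributeValue>member@other.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root, name):
    """Return the AttributeValue elements of the SAML attribute called `name`."""
    return root.findall(f".//saml:Attribute[@Name='{name}']/saml:AttributeValue", NS)


def asserted_assurance(root):
    """Every assurance URI the IdP asserted, from the AuthnContext and the attribute."""
    uris = [e.text.strip() for e in root.findall(".//saml:AuthnContextClassRef", NS) if e.text]
    uris += [e.text.strip() for e in attribute_values(root, ASSURANCE_ATTR) if e.text]
    return uris


def effective_assurance(root, rank=ASSURANCE_RANK):
    """Highest qualifier this SP's federation recognises; URIs from other
    federations are ignored rather than guessed at. None if nothing known was asserted."""
    known = [u for u in asserted_assurance(root) if u in rank]
    return max(known, key=rank.__getitem__) if known else None


def scoped_value(elem):
    """(value, scope) from one AttributeValue, accepting a Scope XML attribute
    (qualified or unqualified) or the inline value@scope form; the two must agree."""
    text = (elem.text or "").strip()
    scope = elem.attrib.get("Scope")
    if scope is None:  # namespaced variant shows up as "{ns}Scope" in ElementTree
        scope = next((v for k, v in elem.attrib.items() if k.endswith("}Scope")), None)
    if "@" in text:
        text, inline = text.rsplit("@", 1)
        if scope is not None and scope != inline:
            raise ValueError(f"Scope attribute {scope!r} disagrees with inline scope {inline!r}")
        scope = inline
    if not scope:
        raise ValueError(f"no scope carried for value {text!r}")
    return text, scope


def accepted_scoped_values(root, name, authorized_scopes):
    """Normalised value@scope strings whose scope the IdP is authorized for;
    unscoped values and unauthorized scopes are dropped, not trusted."""
    out = []
    for elem in attribute_values(root, name):
        try:
            value, scope = scoped_value(elem)
        except ValueError:
            continue
        if scope.lower() in authorized_scopes:
            out.append(f"{value}@{scope}")
    return out


if __name__ == "__main__":
    doc = ET.fromstring(SAMPLE_ASSERTION)
    print("assurance:", effective_assurance(doc))
    print("eppn:", accepted_scoped_values(doc, EPPN, {"example.edu"}))
    print("affiliation:", accepted_scoped_values(doc, SCOPED_AFFILIATION, {"example.edu"}))
```

Two design points follow from the discussion: the SP decides assurance by ranking only the URIs its own federation defines, so an IdP that belongs to several federations and asserts every applicable value does no harm, and the scope check against the IdP's authorized scopes is what keeps a value such as member@other.example from being accepted just because it parsed.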
The Group discussed related concerns for all involved, i.e., those using SAML, Shibboleth, etc. Discussion will continue on the Working Group mailing list in advance of the next call.
The next MACE-Directory Working Group call will be held on Monday, November 19, 2007 at 4:30pm EST.