**MACE-Dir Call 9-March-2009**
**Attending**
Brendan Bellina, USC (chair)
Etan Weintraub, Johns Hopkins U.
Nate Klingenstein, Internet2
Michael Wheeler, Pittsburg State U.
Scott Cantor, The Ohio State U.
Tom Scavo, NCSA
Ann West, Internet2
Steve Olshansky, Internet2 (scribe)
Outstanding surveys:
Test Accounts survey: <http://www.surveymonkey.com/s.aspx?sm=SlFF6wbLYPXA7rZjaerpzA_3d_3d>
Group Usage survey: <http://spaces.internet2.edu/display/macedir/Survey+on+Group+Usage>
**New Action Items**
[AI] (Etan and SteveO) will move the current LDIFs into the wiki.
[AI] (All) Anyone who will be attending the MACE-Dir session at the I2MM and has ideas for the presentation should contact Brendan.
**Carryover Action Items**
[AI] (Mike) review the LocalDomainPerson survey results and the Shibboleth attribute naming documentation with an eye toward useful attributes to generalize, as a reference for naming guidelines and base attributes to propose.
<http://middleware.internet2.edu/dir/localsurvey.html>
<http://middleware.internet2.edu/dir/docs/internet2-mace-dir-localdomainperson-200505.html>
[AI] (RL "Bob") will craft a survey on use of the mail attribute and possible need for additional email attributes.
[AI] (Brendan) will poll the mailing list for feedback on the use of name fields, and whether they have had the need to extend eduPerson locally with additional name fields.
[AI] (Brendan) will coordinate with the leaders of the Educause IdM Constituent Group, toward the goal of polling that group along with MACE-Dir for feedback on the use of commercial and open-source IdM products.
**Discussion**
- (Tom Scavo) TeraGridPrincipalName discussion (see MACE-Dir thread "TeraGridPrincipalName" December 29, 2008)
Tom reviewed the issues driving this - the TeraGrid is working on leveraging SAML within their environment, which has led to discussions about TeraGridPrincipalName. Semantically this would differ from EPPN by appearing more like EPTID, and would be intended primarily for internal use within the TeraGrid. There are a number of "science gateways" in their environment which are web based front ends to TeraGrid resources, and they typically use shared/community user accounts. This leads to problems related to not knowing the end users, and thus they use SAML tokens to "decorate" the X.509 certs used in this context, to transmit the name of the end user, using TeraGridPrincipalName.
TeraGrid has recently joined InCommon, and plans to leverage its IdM infrastructure. The TeraGrid User Portal is also considering deploying Shibboleth in order to utilize InCommon IdM. They require a non-reassignable identity, akin to EPTID, since they want to do linking at the TeraGrid/InCommon boundary.
There was discussion about the benefits (or not) of creating a new attribute instead of using EPTID for now. Scott noted that EPTID was a placeholder required by SAML1 that will be deprecated once SAML2 is in wide use.
If it is really possible to guarantee non-reassignability, perhaps it is better to express that as policy in the metadata, e.g. as EPPN with added supplements.
Since EPTID is an opaque identifier, scoped as appropriate for the service/context it is used for, this would be moot in TeraGrid since in their environment it would be represented as a single service - and registered as a single SP in InCommon. When SPs are "affiliated" they would consume the same EPTID, and in all cases they would never be reassigned. An SP can be a member of several affiliations, but would be in only one at a time for a particular transaction.
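To make the scoping rule above concrete, here is an added illustration (not code from the minutes, the TeraGrid or the Shibboleth project) of deriving an opaque identifier that is stable for one SP, shared by all SPs in an affiliation, and different across unrelated SPs. The entityIDs, affiliation membership, salt and the HMAC construction are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data (assumption, not from the minutes): the IdP's entityID,
# two SPs grouped into one affiliation, and any other SP standing on its own.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
AFFILIATIONS = {
    "https://affiliation.example.org/teragrid": {
        "https://gateway1.example.org/sp",
        "https://portal.example.org/sp",
    },
}
# The salt must stay secret and must never change, or every identifier changes.
SECRET_SALT = b"constructed-persistent-salt-keep-stable-and-private"


def scope_for(sp_entity_id: str) -> str:
    """Return the qualifier the identifier is scoped to: the affiliation's ID
    if the SP is a member of one, otherwise the SP's own entityID."""
    for affiliation_id, members in AFFILIATIONS.items():
        if sp_entity_id in members:
            return affiliation_id
    return sp_entity_id


def compute_eptid(local_key: str, sp_entity_id: str, salt: bytes = SECRET_SALT) -> str:
    """Derive an opaque identifier of the form IdP!qualifier!value.

    local_key must be an internal key that is never reassigned (for example an
    account serial), not a login name that could be recycled; otherwise the
    non-reassignability the discussion asks for cannot be guaranteed.
    """
    scope = scope_for(sp_entity_id)
    digest = hmac.new(salt, f"{scope}!{local_key}".encode(), hashlib.sha256).hexdigest()
    return f"{IDP_ENTITY_ID}!{scope}!{digest}"
```

Because the HMAC is keyed with the qualifier, two affiliated SPs receive the identical value while an unrelated SP cannot correlate its value with theirs.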
- Discussion on whether eduPerson LDIFs for older versions should remain on the website at <http://middleware.internet2.edu/dir/schema/>
There have been concerns expressed about this: anecdotally, there are apparently errors in some of them, since they are provided as a courtesy to the community and are not expressly tested or guaranteed accurate (as noted on the webpage). This has reportedly led to support problems at some sites, with users struggling to make these older LDIFs work.
The counter-argument is that there is historical value in having the older LDIFs available, and there are some of these still in production out in the wild and thus we need to keep these available for reference.
It was suggested that we note on the webpage that the older LDIFs have been deprecated, remove any LDIFs with reported and confirmed errors, or remove them all and require deployers to work from scratch so that what they deploy meets the particular needs of their environments.
Consensus on the call was that we should move these to the wiki and utilize the change tracking features, which would be an improvement over the current practice of keeping them on a static website.
[AI] (Etan and SteveO) will move the current LDIFs into the wiki.
- Internet2 Member Meeting
There will be a MACE-Dir WG session Monday 27-April 8:00 - 9:00 am.
<http://events.internet2.edu/2009/spring-mm/>
[AI] (All) Anyone who will be attending the MACE-Dir session at the I2MM and has ideas for the presentation should contact Brendan.
- Next call will be Monday 23-March 4:40 PM EDT (GMT-4).