MACE-paccman Call 15-April-2010

Tom Barton, U. Chicago (stand-in chair)
Tom Dopirak, CMU (from a remote cell)
Keith Hazelton, U. Wisconsin
Kent Percival, University of Guelph
Paul Hill, MIT
Rob Carter, Duke
Dan Seibert, UCSD
Bob Morgan, U. Washington
Chris Hyzer, U. Penn
Mark Scheible, NCSU
Scott Cantor, The Ohio State University
Stephen Langella, The Ohio State University
Renee Frost, Internet2
Ann West, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

*New Action Items*

[AI] (Keith) will continue to work with ScottF to reactivate the Oracle Buddy List. (Reminder to add Tom Barton and Mark Scheible to the list).

[AI] (Rob) will attach numbers/identifiers to MACE-paccman use cases in preparation for promoting them (or pointers to them) from the wiki to the website.
https://spaces.internet2.edu/display/macepaccman/Use+Cases

[AI] (Stephen L) will share caBIG use cases on federated access management on the MACE-paccman wiki. (Rob) will help in this process.

*Carry Over Action Items*

[AI] (Keith) will check on whether UWisc is having similar problems to those being reported in other PeopleSoft implementations -- there is no way to restrict the permissions granted to a particular role to a certain instance (i.e. department) of that role.

[AI] (MichaelP) will work to polish the glossary, as a next step, until events warrant revisiting it.

[AI] (R.L. Bob) will separate “assurance” from “authentication” in the glossary.

[AI] (Rob) and (Paul) will look at Rob’s use cases and mapping to XACML. (this is on hold until CAMP in June)

**Discussion**

*Access Management Use Cases and Solutions*

It makes sense to start migrating some of the use cases and solutions from the wiki to the MACE-paccman website. As a first step, Rob will review the use cases and develop a comprehensive naming/numbering scheme.

[AI] (Rob) will attach numbers/identifiers to MACE-paccman use cases in preparation for promoting them (or pointers to them) from the wiki to the website.
https://spaces.internet2.edu/display/macepaccman/Use+Cases

*caBIG and Federated Access Management*

Stephen talked about the approach caBIG is taking to federated access management and the challenges being faced.

caBIG handles authorization for multiple campuses, medical centers, and companies that are using web services to share information (databases, images, analytic services) with the caBIG community. PKI is used for authentication. They can issue short-term certificates and can accept Shib assertions. caBIG uses CSM for authorization. Since individual handling for each user was not manageable, caBIG looked at Grouper and Shibboleth to provide solutions. They now use Grouper to build groups, including groups at the federation level. The CSM toolkit was modified to handle authorization to external applications for those groups, and this approach has been successful.

The challenges have been:

1) Applications are too different in their procedures for providing authorization, necessitating separate groups for each application.

2) Interoperability with other web services outside the caBIG federation (e.g., the National Health Information Network, NHIN) is difficult. The various web services have different sets of attributes. caBIG has an academic focus, but needs to tie into the clinical environment. An issue is that SAML assertions in the medical area need to be somewhat dynamic and are highly contextual. The community has not been able to agree on the groups/attributes to use across the board.

Stephen stated that Shib is great in the web world. But when building web services (rather than web applications), where you just want an assertion, Shib doesn’t deal with all aspects. Keith noted that U. Wisconsin is using the Shibboleth Attribute Resolver to package up assertions.

Stephen stated that standardization is lacking in the way to log into an IdP and build web services. Scott agreed, noting that interoperability specifications have been developed (e.g. WS-star) but are not widely agreed upon.

Stephen will share some of the caBIG use cases on the paccman wiki.
https://spaces.internet2.edu/display/macepaccman/Use+Cases

[AI] (Stephen L) will share caBIG use cases on federated access management on the MACE-paccman wiki. (Rob) will help in this process.

*Kuali News*

Dan reported that the Rice team hired Tom Bradford as lead technical architect.
http://kuali.org/node/289

Kuali Coeus 2.0 will be released soon.

Rice 1.02 -- a patch release -- will be available soon.

TomB noted that at Jasig, there was discussion of KIM for Apps --- which would involve defining the service interfaces for a suite of identity services and providing default implementations. Dan commented that this could fit well with the evolution of Rice. Once Rice was split out of the Kuali Financial System, it was to be a more general-purpose framework, with KIM being a part of that.

*Grouper News*

Grouper 1.6 will be released in May. One highlight is that Ldappc will be replaced (though the older Ldappc will still be available). The new Ldappc will leverage the Shib attribute connector.

Chris requests feedback on the "assign permission" web service for Grouper.
https://mail.internet2.edu/wws/arc/grouper-dev/2010-04/msg00035.html

*perMIT News*

The Web UI available on RolesDB is running with perMIT.

Nightly feeds are going from the data warehouse into RolesDB and perMIT.

perMIT will be offered as a pilot for campus use.

*Advance CAMP Reminder*

Reminder to register for Advance CAMP: The Second Identity Services Summit in Raleigh, June 23-25.
https://spaces.internet2.edu/display/ACAMPIdSummit2010/Home

*Internet2 Spring Member Meeting*

The MACE-paccman Working Group session at the Internet2 Spring Member Meeting will be:

Monday, April 26
3:00 – 4:30 pm
Salon A

Topics and speakers:

- MACE-paccman WG progress and direction, Tom Dopirak, CMU
- The perMIT System, Paul Hill, MIT
- VOs and SWITCH, Chad La Joie, Itumi
- SURFnet Collaboration Infrastructure Access Management, Harold Teunissen, SURFnet

http://events.internet2.edu/2010/spring-mm/agenda.cfm?go=session&id=10001166&event=910

Next MACE-paccman call after SMM: Thursday, May 13 at 1pm ET.

Emily Eisbruch, Technology Transfer Analyst
Internet2
emily@internet2.edu
office: +1-734-352-4996 | mobile +1-734-730-5749

Internet2 Spring Member Meeting
April 26-28, 2010 - Arlington, Virginia
http://events.internet2.edu/2010/spring-mm/