MACE-paccman Call 18-Feb-2010

Tom Dopirak, CMU, (chair)
Chris Hyzer, U. Penn
Tom Barton, U. Chicago
Mark Scheible, NCSU
Rob Carter, Duke
Dan Seibert, UCSD
Vijay Konda, MIT
Paul Hill, MIT
Steven Carmody, Brown University
Keith Hazelton, Wisconsin
Andy Dale, OCLC
Michael Pelikan, Pennsylvania State University
Ann West, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

**New Action Items**

[AI] (TomB) will add a link on the use case page of the MACE-paccman wiki to documentation on the caGrid/caBIG use case.
https://spaces.internet2.edu/display/macepaccman/Use+Cases

[AI] (Keith) will take the lead on a write up of the issues surrounding federated authentication on privilege management.
https://spaces.internet2.edu/display/macepaccman/Home

**Carry Over Action Items**

[AI] (Everyone) review use cases, especially Kuali Rice responses
https://spaces.internet2.edu/display/macepaccman/Rice+KIM+and+selected+uses+cases

[AI] (TomD) and (R. L. Bob) will set a date for MACE review of the MACE-paccman charter.

[AI] (MichaelP) will work to polish the glossary, as a next step, until events warrant revisiting it.

[AI] (R.L. Bob) will separate “assurance” from “authentication” in the glossary.

[AI] (Rob) and (Paul) will look at Rob’s use cases and mapping to XACML.

*Federation and Access Management*

Federated identity and access management has been a topic of discussion on the MACE-paccman email list.

There is an interesting SURFnet paper on federated collaboration infrastructure and privilege management:
http://www.surfnet.nl/Documents/indi-2009-07-020%20(Report%20Collaboration%20Infrastructure).pdf

What is the best way to domesticate applications to deal with federated authentication? Approaches include
looking at Shibboleth attributes or referring to campus authorization systems to determine access to the federated collaboration system.

When representing federated identities in the directory, person objects are needed.

Paul noted that at MIT there are two IdPs implemented: one for campus users and one that allows self-registration by non-campus users.
Those self-registrations appear in the LDAP directory.

A challenge within Grouper is handling new people who log in from federated sources when
all that is known about them is the affiliation attributes asserted via Shibboleth.
How can they be dynamically assigned to a group? Using a web service is one promising approach.

TomB noted that the caGrid project has used Grouper to tackle the situation of people logging in from various
sources where the groups they belong to are not known in advance. To read more about this, see
http://bmi.osu.edu/resources/publications/1134langella-jamia-M2662-final.pdf

[AI] (Keith) will take the lead on a write-up of the issues surrounding federated authentication on privilege management.
https://spaces.internet2.edu/display/macepaccman/Home

Paul and Tom offered to help Keith with this write-up.

*OCLC Use Case*

Andy Dale has joined the MACE-paccman group and hopes to participate regularly.
He is doing work with SAML and RBAC to solve some of the access management issues at OCLC.

At OCLC there are a lot of consumer-facing services and products available through web browsers.
Some, but not all, of the services have some customized Shib integration. Some services
require a username and password for each individual.

The solution planned involves all applications using SAML 2.0 and having single sign-on
to a central IdP maintained by OCLC. The user will get mapped to a set of roles/permissions
based on their group membership or institutional affiliation. A response is built in
the central IdP or Meta IdP that carries an internal unique identifier for the individual
and the roles they should have.

There are many legal/regulatory constraints that must be handled.

One issue with RBAC is its weakness in handling resource specificity. RBAC can’t handle
the use case of giving medical record access to a doctor who will give the 2nd opinion for one
patient. There is a challenge dealing with someone from an IdP that we’ve never interacted with before.
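The following is an added example, not code from the minutes, from OCLC, from Grouper or from any other project named above. It illustrates both the Grouper question (how to derive group or role membership dynamically from the attributes a federated IdP asserts) and the OCLC design (a central IdP that hands applications an internal identifier plus roles), and then shows the resource-specificity gap in plain RBAC: a role grants a permission on every resource of a kind, so the one-patient second-opinion case needs an explicit resource-scoped grant. Attribute names follow eduPerson; every issuer, NameID, role, group and resource value is constructed for illustration.

```python
"""Added example; not from the MACE-paccman minutes or any project they mention.
Attribute names follow eduPerson; all issuers, subjects, roles and resources
below are constructed."""
import hashlib
from dataclasses import dataclass

# Constructed: which asserted attribute values map to which local roles.
# Scoped affiliation keeps "faculty at home" distinct from "faculty elsewhere".
ROLE_MAP = {
    ("eduPersonScopedAffiliation", "faculty@example.edu"): {"physician"},
    ("eduPersonScopedAffiliation", "member@example.edu"): {"member"},
    ("eduPersonAffiliation", "student"): {"member"},
}
# Constructed: role -> permissions. A role grants its permissions on every
# resource of that kind; the role itself carries no resource identifier.
ROLE_PERMS = {
    "physician": {"record:read", "record:write"},
    "member": {"catalog:read"},
}


def roles_for(attributes: dict) -> set:
    """Map a SAML attribute statement ({name: [values]}) to local roles.
    Unknown attribute values map to nothing, so someone from an IdP we have
    never interacted with arrives with an empty role set, not a default one."""
    roles = set()
    for name, values in attributes.items():
        for value in values:
            roles |= ROLE_MAP.get((name, value), set())
    return roles


def internal_id(issuer: str, name_id: str) -> str:
    """Stable internal identifier for an (IdP, NameID) pair; hashing it keeps
    the federated identifier out of the responses given to applications."""
    digest = hashlib.sha256(f"{issuer}|{name_id}".encode()).hexdigest()
    return "int-" + digest[:16]


def build_response(issuer: str, name_id: str, attributes: dict) -> dict:
    """What a central (meta) IdP would hand an application: an internal
    unique identifier plus the roles derived from the upstream assertion."""
    return {"subject": internal_id(issuer, name_id),
            "roles": sorted(roles_for(attributes))}


def rbac_allows(roles: set, permission: str) -> bool:
    """Plain RBAC decision: true if any held role carries the permission.
    The resource is not an input, which is exactly the weakness at issue."""
    return any(permission in ROLE_PERMS.get(r, set()) for r in roles)


@dataclass(frozen=True)
class ScopedGrant:
    """One permission on one named resource for one internal subject."""
    subject: str
    permission: str
    resource: str


def allows(subject: str, roles: set, permission: str, resource: str,
           grants: set) -> bool:
    """Role decision first; otherwise look for an explicit resource-scoped
    grant. This expresses the one-patient second-opinion case without handing
    the consultant the whole 'physician' role."""
    if rbac_allows(roles, permission):
        return True
    return ScopedGrant(subject, permission, resource) in grants


def demo() -> dict:
    # Constructed sample: a home-institution physician and a consultant whose
    # IdP has no entry in ROLE_MAP.
    home = build_response("https://idp.example.edu", "jdoe",
                          {"eduPersonScopedAffiliation":
                           ["faculty@example.edu", "member@example.edu"]})
    visitor = build_response("https://idp.partner.edu", "asmith",
                             {"eduPersonScopedAffiliation": ["faculty@partner.edu"]})
    # The consultant gets read access to exactly one patient's record.
    grants = {ScopedGrant(visitor["subject"], "record:read", "patient:1234")}
    v_roles, h_roles = set(visitor["roles"]), set(home["roles"])
    return {
        "home_roles": home["roles"],
        "visitor_roles": visitor["roles"],
        "visitor_reads_1234": allows(visitor["subject"], v_roles, "record:read", "patient:1234", grants),
        "visitor_reads_5678": allows(visitor["subject"], v_roles, "record:read", "patient:5678", grants),
        "visitor_writes_1234": allows(visitor["subject"], v_roles, "record:write", "patient:1234", grants),
        "home_reads_5678": allows(home["subject"], h_roles, "record:read", "patient:5678", grants),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the mapping table and the scoped grants are two separate sources of authority: the first is driven entirely by what the upstream IdP asserts, the second is a local decision keyed on the internal identifier, so it survives even when nothing else is known about the consultant's home IdP.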

There will be a chance to talk more about the OCLC case on future calls and also at the
SMM. Andy will be a co-presenter at an April 27 session on "Libraries on the Front Lines of Federated Access"
http://events.internet2.edu/2010/spring-mm/agenda.cfm?go=session&id=10001095&event=910

*CAMP and Advance CAMP in Raleigh, June 23-25, 2010*

Ann reported that the Advance CAMP, called “The Second Identity Services Summit,” to be held in
Raleigh June 23-25, will continue the good work started last year at Advance CAMP.

https://spaces.internet2.edu/display/ACAMPIdSummit2010/Home

There will be a review of action items from last year’s Advanced CAMP.
https://spaces.internet2.edu/display/ACAMPIdSummit/Action+Items+from+Advanced+CAMP

The group will decide the agenda for Thursday, which will have
an "unconference" aspect.

In addition to open source projects there will be some focus on developer frameworks
(such as Spring and Django) and their support for identity services as well.
More de facto standards are needed.

*Updates from Open Source Projects*

Input to the Grouper Roadmap is welcome:
https://spaces.internet2.edu/display/GrouperWG/Grouper+Product+Roadmap

Next Meeting: Thursday, 4-Mar-2010, 1pm ET