MACE-paccman Call 18-Nov-2010
Attending
Keith Hazelton, U. Wisconsin (co-chair)
Tom Dopirak, CMU (co-chair)
Rob Carter, Duke
Benn Oshrin, Internet2
Chris Hyzer, U. Penn.
Billy Cook, Clemson
Mike Gossett, Clemson
Renee Frost, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)
New Action Items
[AI] (Keith) will email Clemson colleagues to discuss solving paccman use cases in XACML.
[AI] (Keith and SteveO) will work on making Adobe Connect available for a future MACE-paccman call.
Carry Over Items
[AI] (Roland) will develop a write up on rules ontology and mapping to a UI.
[AI] (Keith) will work on swimlane diagrams and a business process model for MACE-paccman use cases
[AI] (Rob) will continue to work towards adding caBIG use cases to the MACE-paccman wiki.
[AI] (TomD) will continue to work on the IP issue regarding use cases to potentially add to the MACE-paccman use case library.
[AI] (TomD) will email Charlotte at Penn State to discuss her interest in XACML
Discussion
Round Robin -- People on Call Review what they're Working on Related to MACE-paccman
- TomD is involved in selecting an HR System at CMU. This allows him to look at ways to impact identity systems and integrate with middleware, etc.
- Keith got the SpocP server up and running with help from Roland. Keith is implementing the Course Deadline Extended use case in SpocP.
https://spaces.internet2.edu/display/macepaccman/Spocp+and+selected+use+cases
- Keith downloaded and is investigating the Axiomatics policy server.
http://www.axiomatics.com/products/axiomatics-policy-server.html
- Keith hopes the Clemson folks will provide an XACML solution to selected use cases out on the MACE-paccman site.
[AI] (Keith) will email Clemson colleagues to discuss solving paccman use cases in XACML.
- Rob had conversations during and after FMM with Tom Zeller regarding SPML and provisioning. Tom Z wants the code for the work Duke did with Grouper and Active Directory, especially for interfacing AD ACLs with Grouper. Rob needs to do some cleanup on the code before giving it to TomZ.
- Rob hopes to be involved with the Provisioning working group that Tom Zeller is looking into establishing.
- Rob continues to work on the caBIG use cases, getting them documented on the MACE-paccman wiki.
- Rob talked with Heather Flanagan, chair of the COmanage Working Group, about sharing the MACE-paccman use cases and glossary with the COmanage effort. Keith stated he talked with Benn and Heather about the Project Bamboo use cases.
- Benn has been working on the OSS-IdM ACAMP Action Item initiative, focusing on promotion of open source IdM in higher ed. The group is looking at existing gaps (e.g. in the areas of provisioning and access management) and also looking at service contracts. There were discussions at FMM with Keith, EricW and Benn. The group had a first conference call this week, which included representatives from Kuali, Sakai, and Grouper. The group decided that as a first step, to tackle the issue of writing group data to an API. Several projects need this capability to be in place by next spring. The OSS-IdM group will have another call the 2nd week of December. Email Benn if you want to get involved. https://spaces.internet2.edu/display/ACAMPActionItems/ACAMP2010-PromotingOpenSourceProducts
- Chris participated in the recent call of the OSS-IdM group, and wants to be involved with the group's service call work Benn described.
- Chris is wrapping up the Grouper work on storing and managing external subjects and assigning those to groups. He is also working on his other ACAMP action item of synching two Groupers.
https://spaces.internet2.edu/display/ACAMPActionItems/ACAMP2010+-+Federated+Group+Management+in+Grouper
- Chris stated that a use case from the UK was added by Rob Hebron, involving external users self-registering and getting credentials too. ProtectNetwork does that. But not in scope for Grouper. https://lists.internet2.edu/sympa/arc/grouper-dev/2010-11/msg00011.html
- Chris stated that if anyone has use cases for handling external subjects, please email the Grouper-dev list.
Overview from Clemson
Slides from the Clemson presentation at FMM: http://www.internet2.edu/presentations/fall10/20101102-central-clemson-story-cook.pdf
MikeG would like to provide an overview on a future MACE-paccman call using Adobe Connect to enable document sharing.
For this call, Mike provided a verbal update.
Clemson is working on policy enforcement point, and the structure is in place for it.
XACML offers 280 functions for policy enforcement. The Clemson system supports XACML versions 1.0 to 3.0.
Policies in XACML are too complicated for people/administrators to deal with. So Clemson is developing policy admin points that provide choices and will work well within the environment. For example, instead of being required to write XACML policy docs for everything, the system will also allow controlling policies/rules with role-based approaches or access lists and rights via admin tools, or using something like Grouper to produce policies.
The Clemson system has an interface in place for adding finders to the policy enforcement point. This allows plugging in other ways of getting additional info in for policy decisions. They are working on a SAML interface, an LDAP interface, and also an interface to a flat file containing attribute info for policies. There may be a Grouper interface in the future. (Example: For an access request to the XACML engine, if it's a user ID name, use the LDAP server to verify against the Clemson info, but if it has an @ sign, go to the SAML server to verify with the federation.)
Ideally, the way XACML works, at any point in an application, if there's a question "should this subject get access to this resource?", then ask XACML that question instead of needing multiple IF statements within the application. The big challenge is to get applications to have policy enforcement points handled through a standard API.
For a SAML request, the SAML to XACML profile can be used. http://docs.oasis-open.org/xacml/3.0/xacml-profile-saml2.0-v2-spec-cd-1-en.html
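The flow described above (a PEP asking a PDP one question, with pluggable finders that route a local user ID to an LDAP-style lookup and an ID containing "@" to a SAML-style source), as an added example that is not Clemson's code or any XACML product; the directories, the policy for a "course-deadline" resource and the deny-overrides combining are constructed for illustration:

```python
# Added example (not Clemson's code): a minimal policy decision point in the
# style of the XACML flow above, with pluggable attribute finders.
# Subject IDs without '@' are resolved from a local (LDAP-like) directory,
# IDs with '@' from a federated (SAML-like) attribute source. Both sources
# are constructed in-memory stand-ins, not real LDAP or SAML calls.
from dataclasses import dataclass
from typing import Callable

LOCAL_DIRECTORY = {"jsmith": {"affiliation": "staff", "dept": "registrar"}}      # constructed
FEDERATED_ATTRS = {"pat@partner.edu": {"affiliation": "member", "dept": "none"}}  # constructed

def ldap_finder(subject):
    """Stand-in for an LDAP lookup of a campus user ID (constructed data)."""
    return LOCAL_DIRECTORY.get(subject)

def saml_finder(subject):
    """Stand-in for a SAML attribute query to a federation partner (constructed data)."""
    return FEDERATED_ATTRS.get(subject)

def resolve_subject(subject, finders):
    """Finder chain: route on the shape of the subject ID (the '@' rule from the call)."""
    key = "federated" if "@" in subject else "local"
    return finders[key](subject) or {}

@dataclass
class Rule:
    effect: str                # "Permit" or "Deny"
    resource: str
    action: str
    condition: Callable[[dict], bool] = lambda attrs: True

def decide(rules, subject, resource, action, finders):
    """PDP with deny-overrides combining: any matching Deny wins, else Permit if any
    rule permits, else NotApplicable. Attributes come from finders, not the caller."""
    attrs = resolve_subject(subject, finders)
    outcomes = [r.effect for r in rules
                if r.resource == resource and r.action == action and r.condition(attrs)]
    if "Deny" in outcomes:
        return "Deny"
    if "Permit" in outcomes:
        return "Permit"
    return "NotApplicable"

FINDERS = {"local": ldap_finder, "federated": saml_finder}

# Constructed policy for a course-deadline-extension style resource (hypothetical).
POLICY = [
    Rule("Permit", "course-deadline", "extend", lambda a: a.get("affiliation") == "staff"),
    Rule("Deny", "course-deadline", "extend", lambda a: a.get("dept") == "none"),
]

def pep_can_extend(subject):
    """The PEP asks one question instead of embedding IF statements in the app."""
    return decide(POLICY, subject, "course-deadline", "extend", FINDERS) == "Permit"
```

The PEP treats anything other than an explicit Permit (including NotApplicable for an unknown subject) as a denial, which is the safe default when the finders return nothing.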
Updates from Other Efforts
- COmanage
COmanage has a new technical roadmap, which includes many Jira items:
https://bugs.internet2.edu/jira/browse/CO#selectedTab=com.atlassian.jira.plugin.system.project%3Aroadmap-panel
Benn and Heather will meet with LIGO at Caltech the 1st week of Dec, and that meeting will determine some requirements for the next couple of months.
- Project Bamboo (Projectbamboo.org)
Keith is involved in developing the collaboration platform use case for Project Bamboo
Next Call: Thursday, 2-Dec-2010 at 1pm ET