MACE-paccman Call 20-Jan-2011

Attending

Keith Hazelton, U. Wisconsin (co-chair)
Michael Gettes, CMU
Benn Oshrin, Internet2
Chris Hyzer, U. Penn.
Tom Zeller, U. Memphis
Rob Carter, Duke
Emily Eisbruch, Internet2 (scribe)

New Action Items

[AI] (Keith) will develop a business case for funding the cost of the Axiomatics product for a period of investigation.

[AI] (Keith) will create a wiki page with questions related to SAML and real-time attribute queries by PDPs.

https://spaces.internet2.edu/display/macepaccman/SAML+and+real+time+attribute+queries+by+Policy+Decision+Points

Carry Over Action Items

[AI] (TomZ) will talk to JimF about joining a future MACE-paccman call regarding provisioning and handling authorization with Windows Live and Gmail. (update: TomZ has pinged JimF once and will ping him again)

[AI] (Roland) will develop a write-up on rules ontology and mapping to a UI. (update: Roland will bring this to the Spring Member Meeting)

[AI] (Keith) will work on swimlane diagrams and a business process model for MACE-paccman use cases

[AI] (Rob) will continue to work towards adding caBIG use cases to the MACE-paccman wiki.

DISCUSSION

Possibility of Obtaining Axiomatics Policy Server for Investigation

http://www.axiomatics.com/products/axiomatics-policy-server.html

The Axiomatics vendor proposes to charge $5K for support costs for a period of investigation of the policy server. Keith is interested in this and asked whether others on the call were. Rob expressed possible interest. Keith will most likely send an email to the list asking for other statements of interest.

[AI] (Keith) will develop a business case for funding the cost of the Axiomatics product for a period of investigation.

Push vs. Pull Discussion

Background reading is the "Emerging Architecture of Identity Management" paper by Bob Blakley:
http://mms.businesswire.com/bwapps/mediaserver/ViewMedia?mgid=237020&vid=1

or view the archived webinar:
http://www.itbriefingcenter.com/programs/gartner_1025_radiantlogic.html

D. Bantz calls push "Just in Case" and pull "Just in Time" provisioning.

What is the real world usefulness of the push vs pull distinction that Blakley talked about?

TomZ remarked that the push ("just in case") model is the model on which he has been basing his provisioning work, and it is the model most folks are using. However, since a higher-ed institution's user information is potentially worth money (because of its high LOA value), perhaps using the push model is not being a good steward of this data.

The Bob Blakley model has a virtual federated entity in the center. Could the InCommon Federation be this virtual federated entity in the center?

Rob agreed that the enterprise must be careful about feeding info about users to the non-enterprise. The two entities may not place the same value on those identity assertions.

Rob wonders, how does a pull model work when access to a valuable resource is being requested, and there is a need to take credentials from a lower-LOA entity?

Blakley glosses over the trust problem. How do we resolve some of the trust issues?

Problem use case: if two trusted identity providers make statements about a person, and that person says that one of those providers does not have a relationship with him, how do we encode and handle this?

Wonder if the upstream process makes more sense with a push model and the downstream process works better with pull, at least for security, where:

Upstream = the use case is to increase the level of an identity between the originator and the target (e.g., a Facebook identity is used to access an enterprise resource)
Downstream = an enterprise identity is used to access a Facebook resource

Different set of worries between upstream and downstream.

Keith does not see traction in the idea of a market of identity info. Looking for the cheapest source of identity info does NOT seem realistic. As a service provider, I'd like to say, whatever I'm relying on, I would like it to be silver level. For this to work, each IdP would have to advertise its level of assurance and back that up somehow (as with a federation level of certification).

Blakley talks about a virtual directory (a new beast) as a thing that abstracts over all the IdPs. What about the Shib attribute resolver as a handy tool for doing that virtualization work? Is there support for attribute aggregation in the Shib IdP?

https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeResolver

Keith: Maybe Blakley is working from a real world implemented solution. He talks about Microsoft Azure in good terms. Could that be Blakley's model for the future architecture? Maybe MACE-paccman needs someone to learn about Microsoft products and report back.

Q: ChrisH: When Blakley talks about pull, is he talking about SAML assertions? Or is he talking about opening up access to your local directory for lookups?

Keith: Don't know. What does he mean in protocol terms?

Blakley thinks that SAML-based federation is side-stepping the real issues, that it abstracts the push instead of resolving the need for pull. Rob does not agree with Blakley on that.

[AI] (Keith) will create a wiki page with questions related to SAML and real-time attribute queries by PDPs.

https://spaces.internet2.edu/display/macepaccman/SAML+and+real+time+attribute+queries+by+Policy+Decision+Points

Examples of questions:

Q: Blakley talked about the PDP sending out pull requests for identity info and then plugging in all the variables in the policy statement with facts about the authenticated user and sending back the allow or deny access decision. Can SAML perform these kinds of operations?

Q: Can SAML behave the way a PDP could behave in initiating queries against an IdP? This is a question to take back to Shib-dev.

Q: What are the issues around the SP knowing what the policy is and what attributes the PDP requires?

Q: What about situations where you don't know up front what attributes you need? (such as with the use case Blakley presents for a loan issuer)

Keith suggested that TomZ should continue to work with the push model, since it will surely be around for a while.

Keith: At U-Wisc, there is an intercept filter in the IdP for users going off to Google. It's a hybrid, a just in time push.

TomZ: the SAML Change Notify feature is similar, exchanging provisioning data over SAML, but it requires SLAs, so you must know all the people on the front end.
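To make the push/pull distinction concrete, here is an added illustration that is not from the call, from Blakley's paper, or from any project mentioned above. It is a toy in-process model: the IdP, the SP, the policy and the user records are all constructed, and the attribute names borrow eduPerson names only for familiarity. `IdP.attribute_query` stands in for whatever protocol a PDP would actually use to pull attributes (the open question above about whether SAML can play that role is not answered here). The "just in case" SP copies whole records ahead of time; the "just in time" SP asks for exactly the attributes its policy needs, at decision time. The demo then changes the user's affiliation at the IdP and shows that the pushed copy goes stale while the pulled decision tracks the source, and that push also shipped attributes the policy never needed.

```python
"""Toy model of 'just in case' (push) vs 'just in time' (pull) provisioning.

Constructed example. Attribute names mirror eduPerson (eduPersonAffiliation,
eduPersonAssurance); the IdP, SP, policy and subjects are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


class IdP:
    """Authoritative attribute source; answers per-subject attribute queries."""

    def __init__(self, records: Dict[str, Dict[str, object]]):
        self._records = records
        self.queries: List[Tuple[str, FrozenSet[str]]] = []  # audit trail of pulls

    def attribute_query(self, subject: str, attrs: FrozenSet[str]) -> Dict[str, object]:
        """Pull model: return only the attributes asked for. Attributes the IdP
        does not hold are simply absent; the PDP has to cope with that."""
        self.queries.append((subject, attrs))
        rec = self._records.get(subject, {})
        return {a: rec[a] for a in attrs if a in rec}

    def full_record(self, subject: str) -> Dict[str, object]:
        """Push model: hand over a copy of the whole record."""
        return dict(self._records.get(subject, {}))

    def update(self, subject: str, **changes: object) -> None:
        self._records.setdefault(subject, {}).update(changes)


ASSURANCE_RANK = {"bronze": 1, "silver": 2, "gold": 3}  # constructed ordering


@dataclass(frozen=True)
class Policy:
    """Permit if affiliation contains required_affiliation and assurance >= min."""
    required_affiliation: str
    min_assurance: str

    @property
    def attributes_needed(self) -> FrozenSet[str]:
        return frozenset({"eduPersonAffiliation", "eduPersonAssurance"})

    def decide(self, attrs: Dict[str, object]) -> str:
        affil = attrs.get("eduPersonAffiliation")
        assurance = attrs.get("eduPersonAssurance")
        if affil is None or assurance is None:
            return "Deny"  # missing data is never an implicit Permit
        if self.required_affiliation not in affil:
            return "Deny"
        if ASSURANCE_RANK.get(str(assurance), 0) < ASSURANCE_RANK[self.min_assurance]:
            return "Deny"
        return "Permit"


class PushSP:
    """'Just in case': holds a snapshot provisioned ahead of any access."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.store: Dict[str, Dict[str, object]] = {}

    def provision(self, idp: IdP, subjects: Iterable[str]) -> None:
        for s in subjects:  # every listed subject, whether or not they ever show up
            self.store[s] = idp.full_record(s)

    def access(self, subject: str) -> str:
        return self.policy.decide(self.store.get(subject, {}))


class PullSP:
    """'Just in time': the PDP queries the IdP for what the policy needs, now."""

    def __init__(self, policy: Policy):
        self.policy = policy

    def access(self, idp: IdP, subject: str) -> str:
        attrs = idp.attribute_query(subject, self.policy.attributes_needed)
        return self.policy.decide(attrs)


def demo() -> Dict[str, object]:
    idp = IdP({  # constructed subjects
        "alice": {"eduPersonAffiliation": ["member", "student"],
                  "eduPersonAssurance": "silver",
                  "mail": "alice@example.edu",   # pushed, but the policy never needs it
                  "dateOfBirth": "1990-01-01"},  # likewise
        "bob":   {"eduPersonAffiliation": ["affiliate"],
                  "eduPersonAssurance": "bronze"},
    })
    policy = Policy(required_affiliation="member", min_assurance="silver")
    push, pull = PushSP(policy), PullSP(policy)

    push.provision(idp, ["alice", "bob"])
    before = (push.access("alice"), pull.access(idp, "alice"))

    # Alice leaves: the IdP is updated, the pushed copy at the SP is not.
    idp.update("alice", eduPersonAffiliation=["alumni"])
    after = (push.access("alice"), pull.access(idp, "alice"))

    pushed_attrs = set(push.store["alice"])
    pulled_attrs = set().union(*(a for _, a in idp.queries))
    return {"before": before, "after": after,
            "pushed": pushed_attrs, "pulled": pulled_attrs}


if __name__ == "__main__":
    print(demo())
```

The stale "Permit" from the push SP after the affiliation change is the de-provisioning problem that SAML Change Notify-style mechanisms exist to address; the pull SP never had to be told, and also never received `mail` or `dateOfBirth`. Note that the pull side's "missing attribute means Deny" rule is what makes the pull model safe when the IdP answers with less than the policy expects.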

IAM Online 9-Feb-2011
TomZ will present, with Nathan Dors from U-Washington, on the IAM Online of Feb 9. The topic is Group Provisioning for Federated Educational Applications.

http://www.incommon.org/iamonline/

Updates from Other Projects

- Grouper:

Chris reported that he has finished adding to Grouper the ability to sync between two Grouper instances. It is possible to add a member to a group in one Grouper instance and have it batch-synced to another Grouper instance.

https://spaces.internet2.edu/display/Grouper/Syncing+groups+on+demo+server

- Standard Groups API

The standard groups API is being developed in the context of FIFER (Benn and Chris are involved).

https://wiki.jasig.org/display/FIFER/API

- MACE-Directories Working Group

The IAM Online of 12-Jan-2011 dealt with persistent identifiers.

http://www.incommon.org/iamonline/

Next Call: Thursday, 3-Feb-2011, 1pm ET

Reminder: Next MACE-paccman call: discuss enhancing the MACE-paccman web site. http://middleware.internet2.edu/paccman/