Kantara FIWG Teleconference
Date and Time
- Date: 10 January 2013
- Time: 13:00 PT | 16:00 ET
Attendees
- John Bradley, Ping Identity
- Nate Klingstein, Internet 2
- Scott Cantor, Internet 2
- Rainer Hoerbe, KisMed Austria
- Matt Tebo, Protiviti
- Colin Wallis, Internal Affairs Dept, NZ Government
- Rich Furr, Verizon
Apologies
Agenda
...
- Administrative - roll call; Minutes from Dec 20; Election of Chair (we should have done this in Dec but forgot.)
- FEDLab SAML tests update
- UK Gov Profile
- eGov 2 Profile - Leif & Colin report on conversation with Anil John?
- SAML 2 Int Profile (Profile updates, Wiki page)
- AOB
- Kantara, OIX and other meta-data aggregator projects.
- Your agenda items
Minutes
1. Administrative - roll call
Summary:
- Quorate call
- No previous minutes to approve
- Dec 20 Minutes: Moved Rainer, Seconded Nate
- Unanimous agreement to new elections for Officers; Heather to put call for nominations
2. FEDLab SAML tests update
...
- This topic opened with Rainer presenting his paper: http://kantarainitiative.org/confluence/download/attachments/41649836/SAML+ProfTest+Concept.pdf . The objective is to create a common superset of (web accessible) tests, whereby each deployer adds tests to a common repository, and to work with FedLab to fill test 'gaps'. The actual test harness itself would restrict access to 'signed up' deployers. All test cases covered: Request/Response, Metadata etc.
- [JB: Notes that some vendor products do not automatically import metadata, so have to manually import and refresh. Also that Ping has done work with Box for a connection for SaaS providers, which offers a metadata applet for SP/IDPs supporting Ping Federate].
- Austria wants to start with SP/RP's first since it has many SPs with many client apps and only 3 or 4 vendor products covering the 30 or so IDPs.
- [SC: As an InCommon IDP all I care about is if they consume InCommon's metadata]. [JB: SP piece will take a while to build]. General difficulty with metadata tests is testing 'consumption' - each product will behave differently.
- [JB: OID Connect tests if the overall exchange works or not, rather than if it is conformant].
- Metadata supplied by SP must be validated/pre-checked as OK before submission to the test harness.
- [SC: We must have a test for the XML DSig wrapping attack (since SAML Pummel predates it)].
- Austria trying to find funding for this, since it will take hard work to automate.
- Leif: We need to separate the hosting test service from the 'creating and updating' test case repository/database (as automated as we can get it, so it needs to be more than a Wiki).
- Next call consideration: Maybe do a discussion paper to lay out a kind of project plan
- Action: Put Rainer's 'SAML Profile Test Concept' draft paper on the wiki for easier reference (completed on 20th Dec?).
- Action: Put this topic on the list for discussion at the European IIW Vienna meeting, Feb 12/13th
3. UK Gov Profile
Summary: Stephen Dunn agreed to the sharing of the latest draft (still says Dec 2011 but content may have changed?). With some issues noted by FIWG members in the draft, and actual pilots still ahead that may prove or otherwise the conformance and performance of the draft, attendees generally felt that it was less mature than the other government and SAML2INT profiles, so at this stage FIWG will move ahead without it.
4. eGov 2 SAML Profile
- Leif and Colin to reach out to Anil John (GSA) to clarify requirements outlined in recent emails
5. SAML 2 Int Profile
...
- JB suggested RH check with Rainer for the FEDLab test strategy latest update.
- Since the last call RH has discussed JB's issues with Roland H. A conflict of objectives perhaps?
- The current proposal is to structure the test using Python in order to extend use cases and parameterization, so that it is not necessary to configure things into the test cases.
- JB: Andrews?? has additional requirements - was RH aware?
- RH: Yes, need more than True/False responses when doing SP Authn, but didn't happen. Need to turn off (T/F only?) and exchange fault reporting meta data.
- JB: Need to decide if we want to download a pre-configured IDP vs Joni's notion of a per-configured test harness hosted by Kantara.
- RH: Austria currently run SPs through a set of tests, expecting SPs to download and run. RH can't see how it can be done from a centralized repository.
- JB: OpenIDConnect does both but primarily use the centralized.
- MT: Test SPs now a realistic option over the internet.
- ??: If it is financed by GEANT as an EU project then is it appropriate for KI to run a service and claim some kind of IPR?
- SC: It may be OK for KI to run it under a 'right to use' license, but the code remains opensource.
- MT: Both approaches would get market traction in his opinion.
- JB: So a scenario could be that there is a free download for anyone wanting to use, or a KI one that has some more services and features but notably ends up with certification and a Trustmark. Or an extension of that scenario where KI offers a deployment profile test, for, say SP or IDP to run a test to see if it conforms to FICAM. And the free one is used as a precursor to conformance test, and subsequent certification.
- MT: The added value is for the KI community to share test cases.
- JB: There's value in the test cases themselves, but they are completely separate from the test harness itself.
- JB: What is the next step?
- RH: Roland H needs a month to build a proof of concept.
- MT: The KI community should contribute use cases to a centralized (cloud based) site.
3. UK Gov Profile
Summary: UK Govt is novating the contract with IdPs for Authentication. Unclear what the substitute contract will contain. RF says discussions continuing with vendors.
4. eGov 2 SAML Profile
- MT: FICAM looking to exit the 'profile business' and wants to adopt/extend an existing profile.
- JB: Is that to be a deployment profile of the eGov 2.0 SAML conformance profile, along the lines of SAML2Int? - a fairly small delta from FICAM???
- MT: Never going to be 100% alignment between eGov 2.0 SAML conformance profile and FICAM - the 800-63 'problem'.
- SC: Agreed re the 'problem' but more than that...privacy stuff sandwiched into technical profiles.
- MT: 'adopt/extend an existing profile' might have the effect of reducing FICAM from 40 pages to 3 maybe...
- MT: FICAM is ...considering?? (notes indecipherable) .... SAML2Int, maybe with HoK.
- JB: Should not include BAE and PKI bridge stuff either.
- CW: Should I get permission from Leif and Anil to circulate their email thread at the time Leif and Colin reached out? Agreed as an action.
5. SAML 2 Int Profile
Discussion: Combined with (4) above.
6. Kantara, OIX and other meta-data aggregator projects
Leif introduced and explained a little about the Kantara registry effort: http://kantarainitiative.org/trust-registry/ and that it was similar to the OIX one in structure. The LOA3 IdP/RP 'market' was small enough globally to use USB tokens for access.
...
Discussion: JB meeting Leif re the possible ISOC and R&E peering between OIX and Kantara aggregators. Ping has a pilot in play for SPs using Ping Federate clients (repeated from last call..?). The pilot is in 2 parts: first, getting metadata into the same IdP, and second, how to manage the ...accumulation?... (notes indecipherable).. of 3rd parties' attributes as federations grow. Non-R&E feds will have to use R&E methods before long.
7. Your Agenda items
None raised, and no more call time left.
Next Meeting
- Date: Thursday 24 January 2013
- Time: 13:00 PT | 16:00 ET | (Time Chart)
- Dial-In: +1-218-862-7200
- Code:
...