FIM4R Requirements April 2018

| RCs | Group | Requirement | Requirement - more details | To be addressed by (IdPs; Federations/eduGain; IdP/SP Proxies; Proxied Research SPs; Software Developers; Standards bodies; New solution needed?) | Comments |
|---|---|---|---|---|---|
| LSST, PaN, DARIAH, ELIXIR, ESA, ORCID | Identity lifecycle & linking | Account Linking | The ability, for one entity, to link credentials from multiple IdPs to one account on an SP. More generically, the ability for a researcher to link multiple identities together, whether held in parallel or succession. The ability to accurately link accounts depends strongly upon the release of an appropriately unique and persistent identifier. | XX | |
| WLCG, PaN, DARIAH, ELIXIR, ORCID | | ORCID | ORCIDs have become a common requirement. There are several ways by which they can arrive at a Research SP: from the home org IdP, integrated by a proxy, user login at ORCID IdP, or provided manually by the researcher. The release of ORCIDs and their aggregation in community proxies should be prioritised. | XX | What do we want to ask any community to do about this, if anything? |
| DARIAH, ELIXIR | Discovery & usability | Smart discovery | IdP discovery should be "smart enough" to quickly and easily take a user to their appropriate home IdP. For example, show the user a short list tailored to them by home country, institute, e-Infrastructure, research community, project, or other hints. | XXXXXXX | |
| LIGO | | Logo in metadata at an agreed standard size | Discovery services should display organization logos to aid the user in choosing the IdP. IdPs should provide a logo. | XX | |
| ELIXIR | | Service catalogue | Each research community should provide a service catalogue to help users find relevant resources, i.e., service discovery. | XXX | |
| WLCG, ELIXIR | AuthZ | Realtime authorization | AuthZ decisions at an SP must be based on identity credentials, attributes or assertions that have a short lifetime, i.e. they are valid now and not for too long into the future. Even within this short period it should be possible for the SP to look up realtime status information, e.g. revocation lists and/or suspension lists. | XXX | |
| WLCG, ELIXIR | | User blocking | It must be possible for an Infrastructure or Research Community to block access to a service based on the presence of an identity credential in an operational suspension list or revocation list. | (X)XX | |
| DARIAH, WLCG | | Service Provider Quota Management. Resource allocation + accounting, e.g. computer resources, access permissions | It must be possible for an SP operator to limit access of an individual identity or a group, or by attributes or roles allocated to the identity by the IdP or the research community AA/Proxy, to subject them to quotas and make resource allocations. Usage records (accounting) must be possible at the same granularity. | (X)XX | Unsure whether this is a topic for FIM4R, but it's clearly important |
| LSST, PaN, ELIXIR | | Deprovisioning | Deprovisioning of AuthZ attributes, assertions, credentials, tokens, or other artifacts is an essential part of access life-cycle management. It must be possible to suspend or remove an individual's access when they no longer possess right of access, e.g. because they have left the research community. Some use cases may require immediate removal of access while others may only require removal in an identified determinate period of time. | XXXX | |
| LSST, ELIXIR | | Bona-Fide users for registered access | For controlled access ("registered" access) to a dataset or other resources, it must be possible to grant this only to those users who have been proven to have bona fide rights to access. | ??XX??? | To be actionable, this requirement needs to express who determines which users are "bona fide" or how else that standing is to be associated with users. In particular, what does this requirement ask for beyond the other requirements in the AuthZ group? Q of how is this different to community authorization? Maybe reformulate to reflect eduPersonAffiliation "member" value, and remove this row but include mention in the narrative about that there is sometimes this requirement, but we didn't include because the "ask" can't be clearly formulated. Adoption of https://refeds.org/assurance/ATP/ePA-1m is specifically desired by LSST for quality of the eduPersonScopedAffiliation "member" value. |
| LSST, WLCG, DARIAH, PaN, ELIXIR | | Group Management | Research Communities must be able to add individuals to Groups, for use in AuthZ, Quota management and Accounting. Groups should be hierarchical and users can belong to more than one group. | ?XXX | |
| WLCG | | Active role selection | Individual users must be able to select which attributes, groups or roles are "active" for a particular connection request and AuthZ decision. (Requires use case to illustrate) | XXX | |
| LSST, WLCG, DARIAH (identifier is enough), PaN, CLARIN, ELIXIR, ESA | Attribute release & adoption | Attribute Release | IdPs must release a unique, persistent, omnidirectional identifier, email address, and name for users when accessing research services. For example, ensure that R&S is widely adopted, or other means. | XXX | |
| LSST, WLCG, DARIAH, ELIXIR | | Entity Attribute Adoption Streamlining | Federations can take a long time to implement support for new entity tags and entity attributes, so in addition to federations implementing support for new entity attributes as soon as possible, the requirement is to find a workaround to that problem that enables dependent research activities to proceed pending Federations completing their implementation. | XXXXX | Emergence of proxies increases demand by concentrating multiple voices. |
| LSST, WLCG, CLARIN, ELIXIR, ESA | | Attribute release across borders | The R&S bundle, especially, needs to easily flow from IdPs to SPs without regard to their nationalities. More outreach of the risk analyses and R&S + CoCo entity categories is needed to increase adoption. | XX | Re "across borders" from 2012, REFEDS R&S + CoCo + Geant GDPR analysis should be ack'd for justifying R&S attributes flowing across borders. Need adoption rather than further development of such frameworks and analyses. |
| LSST, WLCG, PaN, DARIAH, ELIXIR, ESA | Security incident response | Sirtfi adoption | To be acceptable to Research Communities, an IdP must meet the requirements of Sirtfi and assert this in metadata. | XXX | |
| LSST, WLCG, PaN | | Peer assessment of incident response performance | Provide a way for participants in a federated security incident response to provide feedback on how well each participant has performed, as an incentive to maintain good op sec processes. | XXX | |
| LSST, WLCG, PaN, ELIXIR | | Incident response communication channels | Next step after Sirtfi is to require the definition and maintenance of IR communication channels. These channels should be tailored to the incident scenario, involving only necessary people, and the contact points should be periodically checked for responsiveness. Assume that Snctfi addresses this with Proxied Research SPs. | XXX | |
| WLCG, ELIXIR | | IdP suspension | Ability to disable all logins from identified IdPs as part of managing a security incident. Can happen by home federation or by Proxy. | XX | Should edugain require each Fed to have a Security Incident Response Plan that includes this? |
| LSST, WLCG, DARIAH, ELIXIR, ESA | Research e-Infrastructure proxies | IdP/SP Proxies must be allowed to join edugain | We require support of an IdP/SP Proxy so that only the proxy has to join eduGAIN. This pertains to both federations and Research Communities. | XX | |
| Everyone | | Research Communities voice | Representation of Research Communities' needs should be incorporated into eduGain governance with the ability to influence (inter)federation. Similar for REFEDS. | XXX | |
| WLCG | | Snctfi | Research Communities should become Snctfi compliant for scalability and ease of management, enabling a Proxy to meet operational and policy obligations of both worlds that it interconnects: the Research Community and eduGain. Federations should accept a Snctfi'd Proxy as meeting its R&S, Sirtfi, and CoCo obligations. | XXXX | |
| ESA, PaN, EMBL | | .int for R&E federation | Some research organisations have parts in multiple countries, making membership in one national R&E federation problematic. eduGain should provide a federation home for them. | X | |
| WLCG, DARIAH, ELIXIR | Assurance & MFA | Assurance Framework | The international community should continue work on developing assurance profiles to meet the evolving requirements of research communities. | XXXXX | |
| ELIXIR | | Step up Auth/MFA | Strong authentication, e.g. MFA, is required for some research community activities. The inclusion of MFA information in authentication tokens and metadata should be supported. | XXX | |
| WLCG, HNSciCloud | Usability Consistent operations | Avoid user/interop issues due to inconsistent propagation of metadata for entities. | Federations should support standard metadata propagation processes and, where out-of-band actions are required, provide clear documentation and support. | X | |
| DARIAH, ELIXIR | | IdP deployment profile | Specify precisely what conditions IdPs must meet in order to provide federated credentials in research collaborations. E.g., Sirtfi + R&S. FIM4R to define the deployment profile and IdPs to adopt it. | X(X)XX | |
| LSST, PaN, DARIAH, CLARIN, ELIXIR | | Federation entity attributes designed to enhance user experience should be populated | E.g., the entity attributes defined in the SAML "MDUI Information" specification and errorURL should be populated, at least. | X(X)X | |
| LSST, WLCG, PaN, ELIXIR, ESA | Beyond Non web | Non-web use cases & support | A very important requirement for Research Communities. Many interactions between clients and servers are via the user's command-line or via interacting applications using API access to AAI. Cannot assume that all access will be via a web browser interface, or that a web browser will be part of the authentication flow, even beforehand to set things up. Strong authentication (not necessarily MFA) may be required for some use cases. | X(X)XXX(X) | Good examples include CILogon. Bad examples are ECP. |
| !FermiGrid, PaN\*, ESA\*, HNSciCloud\*, DARIAH\* \*open to or pursuing alternatives | | ! ECP | One way of solving non-web access is via the use of SAML-ECP. Certain services currently depend on this, but other good means are available that should be used in preference. Hence, this requirement is to retool where ECP is currently present. | XXX | Include ECP experience in the narrative somewhere, to explain why we ended up here. |
| LSST, WLCG, CLARIN, ELIXIR, ESA | | delegation | Delegation here means providing end-entities (users) the ability to give a constrained portion of their access to another entity acting on their behalf. This might be reasonably accomplished either by impersonation or by proper delegation. This is required in any use case in which a work-flow continues without the presence and direct connection of a user. | (X)XXX | |
| WLCG, ELIXIR | | credential translation | Services will not always be able to consume the credentials the user currently has. Translation from one type of credential to another is a very common and important requirement. | (X)X | |
| PaN | On-boarding, testing & support | Non-legal entity participation in eduGain | Research Communities are often not legal entities. This causes problems should they wish to join federations and eduGAIN. One institute does not wish to take on liability for the actions of others in the community. | XX | |
| HNSciCloud, ESA | | eduGain test/dev environment | Easy-to-use testing environments to allow new Proxies and new SPs to experiment with their Federation-facing parts without interfering with existing production deployments. | X | |
| | | Proxy test/dev environment | Easy-to-use testing environments to allow new Proxies to experiment with their SP-facing parts and new SPs to experiment with their Proxy-facing parts without interfering with existing production deployments. | X | |
| WLCG, ELIXIR | | simple process for scientific SPs to become relying parties | Develop guidance and corresponding on-boarding process to address questions such as: How does a new research SP become a relying party? And an RP of what? Relying parties through a Federation, or behind a proxy? | X | |
| WLCG, ELIXIR | | Help Desk | Federations and eduGAIN should provide a Help Desk capability suited to supporting interactions between federations and research communities. | X | |
| MWA | Sustaining cCritical collateral infrastructure | IdPoLR | Provide sustained services to meet the many cases where global researchers do not have access to an acceptable Home Organization IdP, as an alternative to each Research Community solving this problem for itself. | X | Should FIM4R go through the "Un-affiliated IdP Assessment Form" list and identify those that are needed? http://bit.ly/iolrForm. Also, should we add another row for the related "Branded IdPaaS" that some communities might wish? |
| LIGO, MWA, NIH | | IdPoLR not-a-robot | Google-based captcha is not available to some users in China, so another approach to not-a-robot must be determined. | XX | |
| LSST, WLCG, PaN (LEAPS), ELIXIR | | Sustainable operation of specified critical services | When a "component" service, i.e., one that is integrated with others to produce a valuable result, e.g., CILogon, becomes established as a critical element of federated e-infrastructure, Research Communities look to Federations to provide sustainable operations. | X | Should we make a specific list? Add Shibboleth to that list? |