FIM4R Input
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

RecommendationGap CtgryStatus (addressed, being addressed, recommendation needed)CACTI 8/21/2018 and 7/10/2018Editor (David Walker)Jill GemmillNick RoyWarren AndersonHow to contribute a responseContributorName ObservationsContributorName What remains to be done (gap)InC-TAC ObservationsInC-TAC What remains to be done (gap)CTAB ObservationsCTAB What remains to be done (gap)TIER TechArch ObservationsTIER TechArch What remains to be done (gap)CACTI editors ObservationsCACTI editors What remains to be done (gap)
GÉANT, Internet2, NRENS
Increase research representation in FIM governancePartnershipWe should evaluate how to increase representation of researchers within TIERThe emphasis here is on GOVERNANCE - first, make sure research requirements are known ASAP, but governance has to do with prioriizing what needs to be done. Round 1 CIO investment group governance is done -- what does next round look like?We need to prioritize research representation on TAC. The TAC group makes an effort every year to recruit members from different communities including research. In the past, Jim Basney from NCSA filled this role on TAC, and currently Tom Demaranville from ORCID fills the role, but we do need additional representation from this community.Interested in contributing? To provide a response, create two blank columns to the left of this one and copy the two columns on the right to the blank ones and update the title with your name and role Once copied to the left of the instructions, replace this with your observations about what we have done and what's planned as you see itOnce copied to the left of the instructions, Replace this with your opinion on what remains as a gap to address the recommendationThis just needs some campaigning to make researchers aware of the opportunity and what can be gained. TAC has seen similar challenges with membership from the research community. If we take the time to ask, we learn that more than CILogon and LIGO care about this kind of thing.Add a requirement in the TAC operating procedures that requires at least one research representative on TAC.

Add language in the TAC Nominations Template to request nominations of/from the Research community.
Represented in CTAB CharterNeed to recruit additional representatives for CTAB, marketing, reach out to groups that we're aware of and solicit participation nominations for CTAB.COmanage Influence on the architecture as a source system.  We have had some influence from R1 schoools in the group.  Make sure that CACTI has representation.Making sure that documentation state how federation and multip[le IdP provisioing can be handled in the TIER componets.    Document this clearly* include research representation in Internet2 TIER decision making body (restructure TIER leadership to include research representation)
Sustain operation of critical FIM servicesOpsFocus on Sustainability is importantCOmanage is significant component of CILogon 2 - I2 commit to for long-term support?The InCommon fees increase enacted by Steering in late 2016 was a good start on this, but further sustainable funding for operations and new initiatives needs to be sought out. It is likely that funding on fee-for-service basis for some research-specific needs could be one solution, but not fully sufficient.Contributing as the voice from INC-TAC, CTAB, or TIER Architects? You have your own columns to the right already in place. Please use those for the response from each of those groupsCharity begins at home: InCommon needs to set an example for others to follow. Sustainable federation-operated services like an MDQ service is a start. If TIER proves to be sustainable, it offers another model that others can follow.Baseline Expectations will increase the value of the federation and hopefully increase the number of participant organizations to help sustain the FedOps and continue building community. BE has requirements included for the FedOP and participants to comply with - security, trustworthiness of the federation, organization authority.
Provide avenues for ongoing coordinationPartnershipNeed to structure a way of engaging partners to provide servicesAre there specific gaps that have been identified?The TIER program is a good starting point on this, but likely more work based on the fee-for-service model I noted in my previous comment is needed.The roles of institutions evolves in time - e.g. a small liberal arts colleges hire a LIGO scientists and suddenly there is a federal grant on their campus that is supposed to support researchers, but the college has no way to support federated identity. Can we link FedID support to federal funding somehow? Can we provide an IdP of last resort with a moderate level of assurance that researchers can build a process that includes identity vetting on top of?We need to take the cross-product pollination model from TIER and apply it to more. What if we had a forum for different research-based SPs to collaborate as well as to make their federation and identity needs known to the community?Create an SP/Research focused WG to give the community a common place to discuss these issues.

Champions from the research community need to be identified to help coordinate and lead these efforts. We can't do this on our own - a partnership requires partners.
CTAB's charter, representation from the community is an avenue for ongoing coordination.
A TIER for Research, a software initiative funded by Internet2 to bridge the gap for research organizations. Implementation pilots (in service context) are crucialCACTI serves an important international coordinating role, along with AARC and eduGAIN steering. I would suggest those as the three focus points for ongoing coordination. There is a gap with regard to international coordination of security groups across federated AAIs that needs to be addressed.
Need something to pull identities together to access research. Internet2 is implementing COmanage for that reason.
We need to be sure SPs know how to take advantage of what we offer themThis would be helped tremendously if I2 would develop, maitain and promote Federated IAM plugin for top5 web content frameworks (WordPress, Drupal, .....). Provide free/chaep "application domestication" service.
Home organisations
Release Research & Scholarship attributesUXResearch SPs have Issue around getting the additional data IDPs are not releasingI heard Scott Koranda & Jim Basney say this is a dead issue -- they've gone the proxy route. Maybe use to educate about lost opportunitiesMaking R&S attribute release by IdPs a requirement under baseline expectations (as recommended by the Attributes for Collaboration working group) would be a bold and risky move that could yield enormous returns on investment in terms of setting expectations around software deployment/configuration, choice of federating software, and by removing IdPs from the federation that are not in the game for collaboration. Obviously would pose significant financial and reputational risk to InCommon to make such a move, and likely funding would need to be addressed in parallel.This is not an issue for anyone who has the means to stand up an IdP/SP proxy, but the vast majority of research groups are far smaller and have much less IAM expertise than LIGO or CERN. For those smaller organizations, R&S attribute release is still useful.Those who are listening to the R&S mantra have already done it, and not many are listening. Plus, R&S only helps the SP if they're R or S and the researcher they're working with is from a participating institution -- narrow minded. Rather than trying to force it, we need to think bigger: default attribute release to all SPs, putting the release decisions into the hands of the end-user with informed consent.

GDPR does not seem to support "consent" as a means of releasing attributes, since a user who needs access will provide consent whether they want to or not.
Intra-campus communication and delegation of control to campus departments and VOs needs to be prioritized.

If an SP is a valid resource for researchers and students, there should be a default release of attributes. Perhaps "Consent" should be a tool for users who DON'T want their attributes released (Dissent).
The revised PA requires meeting BE, and BE outlines no funny business with attributes released to SPs, and a Privacy Policy. While R&S could be part of the next version of Baseline Expectations (if the requirement were for IdPs to release the R/S attributes to the category), is releasing the attributes to R&S SPs enough, or should we go further by releasing to all in InCommon?CTAB will initiate a Community Consensus Process on requiring release to R&S (or MORE) for IdPs in the next version of Baseline ExpectationsEducate InCommon members related to this.  GDPR and related regulations for priviacy and consent need to be reviewed carefully and consent modules added to TIER or refeds
Provide usability essentialsUXWhy is useability a home organization issue?I don't understand what this one meansThings like logos, clear descriptions of the roles of different on-campus IdPs, meaningful failure modes, etc can be facilitated by home organizations and make user experience far less frustrating.As the Deployment Profile WG has discovered, it's hard to tell people to use logos if every federation has different guidelines for them. And it's hard to tell people to add error URLs without internationally aligned guidelines for what the IdP should put on the error URL page and when the SP should redirect to it.This is a leading motivation for what's in Baseline Expectations.Add errorURL into BE. Identify a group or instantiate a group to solve this problem. Next step: raise issue at REFEDS18.OutReach and training for any federated SP or IdP.
more of it.  Baseline expectation
Security Incident Response ReadinessOpsWIthin the US, big institutions have REN-ISAC, which coordinates well with CTSC; what about smaller schools who may not have Shib and registered security contact? how well does this community cross borders? See previous comment about a need for an international coordinating body for security incident response. Beyond that, a coordinating body for proactive security measures is likely also needed. Should be the same group. InCommon, REN-ISAC and Trusted Introducer have had some initial conversations about this, and the SIRTFI tabletop that was conducted in early 2018 is a step in a good direction, but I have seen little to no follow-up on the results of that tabletop.Again, the scale of the research matters a lot here. If you are large enough to have representation in REN-ISAC, or even dedicated security persons employed, this is less necessary, but small research groups are in a far more precarious position if their is a vulnerability in their FED-ID software or if there is an incident that might affect them. We need more campaigning of SIRTFI from InCommon to our members. Clearly, SIRTFI becomes more valuable as more members adopt it, and it seems like the federation can provide more guidance and resources to help with that. Also, once we have more SIRTFI adopters, we need a well-defined international clearing house.Add a SIRTFI requirement to the Baseline ExpectationsSIRTFI is already considered good evidence of meeting BE #3 for IdPs and for SPs.

NB: Federation operators also need to have a specified role in federated security incident response, as the Sirtfi wG sill soon look into. InCommon has a good model security incident response plan that has ben tested.
Queue up Community Consensus Process on adding SIRTFI into BE.

Recommend InCommon establish a SIRTFI dashboard.
SIRTFI Require for any federated SP and IdP.
Sensitive Research User ExperienceFunctionalityUser wants a single interface to all the policies and technology solutions available. eg: if IRB knows data will be stored, should notify group offering secure data storage. I don't understand what this one meansBE includes a FedOP responsibility: "Frameworks that improve trustworthy use of Federation, such as entity categories, are implementedand adoption by Members is promoted", though no major campaign for MFA Interop has been initiated.Continue monitoring of and participation in REFEDS Assurance WG.

?? Further outreach about MFA & SIRTFI?? Create SIRTFI dashboard/hall of fame?

Ensure MFA & SIRTFI are reqs for IdP aaS.

Recommend that all SPs ask for MFA and all IDPs that can support MFA respond accordingly.
Difficult one heregranting agencies have many differing requirements.  Asuring with two factor is one large step for such item but in it self not sufficient.
Need to make IAM and federation a priority and align with community practices. Adopt software and other tools (e.g., TIER) where appropriate.
R&E federations
Increase research representation in FIM governancePartnershipSee previous answer about this topic under NRENsWhile this feels like an item that Refeds, not InCommon, should be responding to, we clearly need some internationally agreed upon interop standards. All the work that has come out of InCommon WGs for interoperability should be considered for aligning eduGAIN metadata.Recommended in CTAB CharterNeed to recruit these individuals to participate in CTAB, and other groups.

Need to make more researchers (or research computing people) aware of FIM. Take existing tools that suck and show them how it gets better when they have these tools.

Need a pathway, steps by which further communities become aware of and vested in federation, before they might understand a reason for helping guide Internet2. CTAB should agendize an attempt to figure out such a pathway.

Sustain operation of critical FIM servicesOpsFocus on Sustainability is importantCILogon has become a critical FIM service It includes CoManage. As use of attributes for access control develops, it will become more important. Internet2 should support X FTE annually to this project.See previous answer about this topic under NRENsContinue publishing health check information while useful to promote the health of the FIM services.
Provide avenues for ongoing coordinationPartnershipSee previous answer about this topic under NRENs
Release Research & Scholarship attributesUXSee previous answer about this topic under home organizationsSee response for Home Organization R&S Support, line 10, related to this.
Provide usability essentialsUXI don't understand what this one means - that said, I think InCommon or a contracted partner needs to begin operating three new services (with supporting business models to sustain them): 1) IdP-as-a-Service with R&S enabled by default; 2) IdP proxies that allow participants using cloud IdPs such as Okta, OneLogin, Microsoft Azure AD and Google IdP to interoperate with InCommon. R&S should be enabled by default on this proxy. Support for REFEDS MFA profile by this proxy and the IdP-as-a-service would be nice-to-have; 3) SP proxy for services that operate SAML software that is not well-suited to multilateral federation.Baseline Expectations requires many of the metadata elements considered helpful to UI/UX.Now that more values can be expected consistently, more UI/UX development is needed to incorporate these into the federated login experience.
Remove interoperability barriers in eduGAIN metadata processesFunctionalityI don't understand what this one means.While this feels like an item that Refeds, not InCommon, should be responding to, we clearly need some internationally agreed upon interop standards. All the work that has come out of InCommon WGs for interoperability should be considered for aligning eduGAIN metadata.
Admit research organisations to federationPartnershipHas InCommon solved the problem of having projects like LIGO (not a legal entity) become members of InCommon? InCommon should examine the possibility of extending the nascent Stewards Program to allow one or more Research Community Stewards to easily onboard IdPs and SPs in their community directly to InCommon.If we're stuck with legal entities only, we need to look more carefully at repeating the K12 stewardship program model for other populations.Explore/discuss any expectations for SP Proxies, explore SNCTFI for inclusion into BE or FedOp
Security Incident Response ReadinessOpsThis is actually quite challenging in the US - (see my REN-ISAC talk from last summer). PIs dont worry about security and CSOs focus on semsitive data.See previous comments about need for international security incident response coordinating. InCommon's CTAB should consider requiring SIRTFI support (at least for certain classes of entity descriptors) under its Baseline Expectations program.Continue monitoring of and participation in the SIRTFI WG.

Queue up Community Consensus Process on whether SIRTFI should be added to BE.
TAC has been asked to do requirements for IDP as a service. What Level of security would outsourced IDP solutions have?
We need to be sure SPs know how to take advantage of what we offer them
Community needs to have discussion on how to integrate well established proxies services like CI Logon into the infrastructure
Need to structure a way of engaging partners to provide services
Other Issues
Could InCommon or someone else be a broker for high value identities?High value identities require strong identity registration, which InCommon is not set up to do. However, a third party such as MorphoTrust could be engaged to investigate some kind of a partnership to enable this.
Non-web authentication is a gapSee my comment about IdP-as-a-service, proxies and MFA
Can FIM4R be used to encourage MFA deployment?