Meeting Notes - 2011-3-24 Conference call

Agenda

Attendees

(Partial list, please add/edit your names)

David Walker, UCD
Dedra Chamberlin, UCB
Albert Wu, UCLA
Celia Cheung, UCLA (scribe)

Bob Ono, UCD
Chet Burgess, UCOP
John Kamminga, UCM
Stephen Hock, UCR

Matt Elder, UCSD
Brian Roode, UCI

Notes:

Side notes (before the meeting started):

  • Dedra and David had a presentation for the ITLC this morning. They discussed potential things that are coming up on the workplan; they ended up with an assignment to do in conjunction with ITAG.
  • The new payroll system will perhaps use InCommon Silver; however, there is no concrete decision on this yet.
  • User-approved release of attributes - there will be a demo of this at the member meeting of Internet2; several campuses have implemented uApprove. For services that people have at different campuses, they can self-approve attributes required by the applications.

Federation as a standard?

  • Should we federate campus applications by default? UCSD and UCLA do this currently. Other campuses use single sign-on and, if the need to federate arises, Shibboleth is used.
  • For UCLA, federating is going on right now with their financial and business applications. They are running into issues with federated access management. But generally, with everything Shib-enabled, taking that next step in making it a shared service becomes that much easier. They are mostly doing configuration changes now instead of re-coding everything. This has made a big difference in the Santa Barbara project.
  • It seems like everyone agrees on pushing forward with federation as a standard.
  • Also from UCLA, people overestimate how much work is actually needed in order to federate. It is so easy that people misread how much work they have to do. The other part that has made a big difference for UCLA is that the challenge is not technical but in getting data released, i.e. What do I need? Where do I get it from? And so on. Is it possible for UC Trust to come up with a pool of technical resources for helping in federating applications? Also, what about the possibility of having a mini-federation?
  • The switch in direction affects those campuses which do not currently use Shib internally. A large part of it is making sure more people get trained in the use and configuration of Shib. There isn't as much of a concern about hardware capacity. We need to verify that it is configured to be available enough in the long run for the majority of applications. We aren't talking about an entire replacement of all applications; rather, we are looking for certain key applications and federating those. There aren't that many of these. This is more like a direction for the future.
  • For UCLA, on the student side, Registrar Offices around campus are talking about sharing courses, so now course managements want to federate. In that particular subcommunity, we are now getting to FERPA data release. This may be a situation where uApprove becomes a necessity. David brings up the point that FERPA doesn't restrict us from sharing student data if it is for business purposes. Albert responds by saying that UCLA's Registrar's Office will need convincing to go from a UCLA to UC mindset.

Work plan for 2011:

  • Driven by other projects *
    • Support for targetedID
    • Support for groups
    • Support for new HR/PPS
  • uApprove
  • Finish strategy for InCommon Silver certification and UCTrust Basic *
  • Guidance to SPs *
    • Assessment of assurance requirements
    • Appropriate attributes and identifiers
    • When to federate
    • Discovery service options
  • An infrastructure to support collaboration (COManage)

Note: HR/PPS is slated to happen in 2013 for the first campus.

InCommon Silver:

  • David gives an overview of what has been happening with InCommon Silver leading up to today. The audit requirement for UC Trust basic was put off until we were able to assess how InCommon Silver might be used. InCommon Silver also has an audit requirement. UC Trust, on the other hand, never defined their audit in terms of what would actually be checked. Davis and Berkeley were slated to do a gap analysis and present a recommendation to the ITLC by the end of last year.
  • As things stand currently, InCommon Silver has shifted some things to make it easier for us to comply with their standards. Davis and Berkeley have completed their gap analysis, and Doreen Meyer has slides showing these results.
  • A meeting will be scheduled in April to go over the gap analysis and to explain everything and answer questions. A few weeks after this, UC Trust will try to get everyone to do a preliminary gap analysis for their respective campuses so that they can put together a plan (assuming that we can replace the UC Trust basic requirements with the InCommon Silver requirements). Then they will put together a timeline to chart when all campuses will have adopted InCommon Silver. After everyone has switched over, the UC Trust basic can be retired.
  • If we go with InCommon Silver as the standard, then at what point do we get everyone certified? Also, there is the technical issue that there are different indicators in the assertion for UC Trust basic and InCommon Silver for meeting the level of assurance.
  • David asks if anyone has a guess as to how long it will take their campus to adopt InCommon Silver. Albert says that for UCLA, we require a substantial process change; in addition, UCLA is also doing the Santa Barbara project so it will happen within the same time frame as the rollout for that project, which is roughly slated for July 2012.
  • One thing to note about the new requirements is that unless there is something specific in 800-63 (like password entropy), then it is left to your interpretation to see whether or not it is good enough. A reasonable technical management decision to determine this is acceptable. If there is a specific number requirement, however, then it is harder to argue around that. It has become a lot more outcome oriented instead of specifying how you are supposed to solve the problem. These requirements only apply for the specific assertions you send out with the Silver or Bronze assurance. Nothing here says that you can't continue to specify no assurance. There are still assertions to be sent around with no assurance.
  • Albert notes that the financial processing applications that are about to be shared between UCLA and Santa Barbara will have to comply with these standards. It seems like the first big litmus test for this will be PPS.
  • There is discussion on a local discovery service. Will there be a UC Trust discovery service? Is the common WAYF a good idea? The local Shib community does not seem to view it this way; their thinking tends to be that the central discovery service is a last resort.

Next steps and April's UC Trust meeting:

  1. Start thinking about your gap analysis! It is going to be hard to support two standards for long. We need to transition off UC Trust basic and cannot have campuses straggling behind. Please consider where your identity management sits in regards to InCommon Silver.
  2. There will be a meeting poll coming in the next few weeks.
  3. The next UC Trust meeting will be on April 21, from 1:30-2:30.