Title

Adoption & Outreach Support for eduGAIN BCP

Description: BCP for eduGAIN will be launched in 2018. Federations should be supported to gain adoption by campuses.
Proposer: Ann H on behalf of several
Resource requirements: Funding for outreach and adoption efforts at each GEANT partner, strategic/materials support for all.
+1's

Nick Roy, InCommon, SURFnet


Title

Reference implementation of an IdP and OP in Python

Description: The current GN4-2 project has invested heavily into the Python stack for OpenID Connect (federation) and it should be good to put together a full blown home organisation IdP/OP based on this work and earlier work with the SAML stack. This implementation should support all current best practices in eduGAIN and retrieve attributes from different sources.
Proposer: Pål Axelsson on behalf of Sunet
Resource requirements: money, software dev
+1's

Stefan Winter

Nick Roy, InCommon

Niels van Dijk, GEANT 4-2 Project; This should be carried out in close collaboration with the pyid.org community


Title

Attribute Authority Metadata policy development for eduGAIN

Description

While for IdPs and SPs eduGAIN metadata requirements are well described, no such requirements exist for AAs. We do, however, already have 5 of these entities in eduGAIN.

It would also be a good idea to consider/define what it would mean for an AA to claim CoCo, R&S and Sirtfi support.

Proposer: Niels van Dijk
Resource requirements
  • Standardization
  • Probably a no-brainer as much can likely be derived from IdP requirements (?)
+1's

Constantin Sclifos, RENAM

Nick Roy, InCommon

SURFnet



Title

update SAML tracer

Description

The SAML Tracer (https://addons.mozilla.org/nl/firefox/addon/saml-tracer/) is a highly rated Firefox plugin which was developed in our community (UNINETT, with contributions from others). As the browser is the central entity in any SAML transaction, it is an extremely convenient tool for testing and debugging SAML transactions. There are not many alternatives to this tool.

Unfortunately, Firefox has changed its plugin framework, rendering the existing plugin useless, and a major rework is needed.

Proposer: Niels van Dijk, SURFnet
Resource requirements

Money, a (junior) developer

+1's

Stefan Winter

Scott Koranda, LIGO

Nick Roy, InCommon

Thomas Lenggenhager, SWITCH: Feasibility of also providing a Chrome and/or Safari compatible version?

Pieter van der Meulen (SURFnet)

Michael Domingues (University of Iowa)


Title

Investigate and test privacy enhancing technologies

Description

During REFEDS at TechEx2017, and later on during TechEx2017 itself, interesting discussions developed over the future of federation, the role of users and the use/rise of proxy technology.

This activity investigates and showcases privacy enhancing technologies including, but not limited to, PEP (Polymorphic Encryption Pseudonyms) (1) and IRMA (I reveal my attributes) (2), and tests and validates the applicability and use cases of these in the context of R&E federations and eduGAIN.


SURFnet has built some experience with these technologies on a national level, and has for example implemented PEP into commonly used software products like ADFS, Shibboleth and SimpleSAMLphp. In regard to IRMA, it has now been enabled in a pilot for both the SURFconext federation as well as the IDIN Bank ID federation. We feel these technologies have significant promise, but would like to validate this in an international context. We would also like to learn about other alternative strategies and solutions that may help us to shape the future of our identity federations.

Proposer: Niels van Dijk, SURFnet
Resource requirements
  • Other technologies to showcase other than PEP and IRMA
  • Participants for pilots
  • People with good ideas
+1's: SURFnet
References

(1) https://blog.surf.nl/en/privacy-surfconext-using-polymorphic-pseudonyms/

(2) https://privacybydesign.foundation/irma-en/


Title

Identity Discovery

Description: GEANT should operate a discovery service for the global identity ecosystem based on the outcomes of the RA21 process and dialogues with the research infrastructure community. If possible the service should be useful for the eIDAS community as well.
Proposer: Leif
Resource requirements: To be better scoped, but certainly resources and budget
+1's

Nick Roy, InCommon

SURFnet


Title

eduroam DEEP Learning

Description: Based on Brooks idea, we train a DEEP network to detect eduroam breakage based on log-data. Possible joint work with Juniper Research. Leif will provide more information.
Proposer: Leif
Resource requirements: To be better scoped, but certainly resources.
+1's

I'll give this one a "sounds cool, need more info" Nick Roy, InCommon

Can be integrated via existing diagnostics context: Existing work evaluation#eduroamdiagnostics so gets a +1 from prior endorsements too. (note from AH)

Should x-ref with the network perf folk. Talk to Kurt Baumann(Note from AH).



Title

SOC tools

Description: GEANT should develop and maintain a toolchain for security operations (SOC) teams. This includes work on stuff like grr, plaso, timesketch, information sharing platforms, threat intelligence platforms etc.
Proposer: Leif
Resource requirements: To be better scoped, but certainly resources.
+1's

This is similar to a proposal submitted under the security white paper planning. Talk to Sigita Jurkynaite about this.

Comment (SURFnet): We support the notion of having good security operations in trust and identity, but in the GEANT project this should probably be developed in the security activity.


Title

IdP Maturity

Description

In the current eduGAIN SAML Profile work there is an effort to develop BCP to position a lot of the current "step-up" processes we have as a set of best current practice for eduGAIN. Within eduGAIN, these will be positioned as what we consider mature entities / federations to look like...and this could even possibly be flagged somehow. The current requirements of eduGAIN will be promoted purely as a baseline and a "first step" to interoperability (acknowledging use cases that don't need any more than that). The next logical step from that is to review whether there is any need to offer a central service to manage that maturity level for federations / entities as a bolt-on to existing federation operations. This could take on a variety of forms and draw in a lot of the areas that have been proposed here. Options and areas could be:

- More work on the eduGAIN technical database to flag maturity for federation / entities.
- Establishing a REEP instance to allow entities to flag maturity when a federation is less developed.
- Allowing eduGAIN OT to decorate entities with additional information.
- Developing processes to allow MDS to select the most mature entity formulation within federations rather than simply the first submitted.

Proposer: Nicole Harris
Resource requirements: It depends on the direction taken. Man hours in eduGAIN-OT for developing services, work for a policy lead, work to enhance the eduGAIN support service. Possible infrastructure development.
+1's: Nick Roy, InCommon
Comments (SURFnet): It is unclear to us what the purpose of this work is and who the users will be.



Title

Enhance eduGAIN ops instrumentation with general metadata dashboard and augment existing eduGAIN API to query said stats

Description

The eduGAIN technical website would benefit its members by having a central overall status dashboard that renders a single page with eduGAIN stats, with an initial focus on latency estimates for metadata circulation. This page should auto-refresh every X seconds/minutes as a configurable setting. It would be a 'nice to have' if this were operationally friendly such that someone could have it presented in their NOC control center on a screen, and also have the data published at an API endpoint such that someone can publicly poll the information in JSON and then in turn render it on their own.

The problem this addresses is the knowledge gap about the state of the system without requiring operational questions or guesses. Many federations exhibit latency on republishing stemming from operational practices and offline signing techniques. It would be helpful to know in a dashboard fashion the following:

  • Last update of mds.edugain.org
  • And per federation last known update of eduGAIN data and time difference since MDS publishing (inferred by eduGAIN ops tools based on publishing practices in a best effort style calculation)

This will go a long way in managing expectations of when to expect data to circulate beyond '24-48hrs'. I suggest a simple table view of flag and age difference from MDS so we may know how far we all drift from each other republishing data from the eduGAIN MDS 'creation date'.

Proposer: Chris Phillips, CANARIE
Resource requirements: This is an effort item, likely on eduGAIN OT with some API work too. I estimate it to be small (few days/1 week?), but highly useful and potentially a marketing tool as well.
+1's

CAF, obviously (smile)

SURFnet
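The drift table and JSON feed sketched in this proposal, as an added example that is not code from the proposal or from eduGAIN OT: it reads the validUntil/cacheDuration header of a constructed MDS aggregate and computes each federation's republish lag against a constructed MDS creation time, using the '24-48h' expectation as the thresholds. The federation names, timestamps and the 'pending' handling for a federation that has not yet picked up the current MDS run are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def parse_xs_datetime(value):
    """xs:dateTime as written in SAML metadata, e.g. 2017-10-20T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_duration(value):
    """ISO 8601 duration subset used by cacheDuration, e.g. P1DT6H or PT6H."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m or value in ("P", "PT"):
        raise ValueError("unsupported duration: " + value)
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def aggregate_validity(xml_text):
    """(validUntil, cacheDuration) of an EntitiesDescriptor aggregate."""
    root = ET.fromstring(xml_text)
    if root.tag != MD_NS + "EntitiesDescriptor":
        raise ValueError("not a SAML metadata aggregate")
    return parse_xs_datetime(root.get("validUntil")), parse_duration(root.get("cacheDuration"))

def drift_report(mds_published, fed_updates, now):
    """One row per federation: how far its last republish lags the MDS creation time.
    fresh < 24h, late < 48h, else stale; a federation that has not republished since
    the MDS run is 'pending' and its lag is measured up to 'now' instead."""
    rows = []
    for fed, last_update in sorted(fed_updates.items()):
        pending = last_update < mds_published
        lag_h = ((now if pending else last_update) - mds_published).total_seconds() / 3600
        state = "fresh" if lag_h < 24 else "late" if lag_h < 48 else "stale"
        rows.append({"federation": fed, "last_update": last_update.isoformat(),
                     "lag_hours": round(lag_h, 1), "pending": pending, "state": state})
    return rows

# Constructed inputs (assumed): an MDS aggregate header and per-federation republish times.
MDS_AGGREGATE = ('<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
                 'Name="http://mds.edugain.org" validUntil="2017-10-22T12:00:00Z" '
                 'cacheDuration="PT6H"/>')
MDS_PUBLISHED = parse_xs_datetime("2017-10-17T12:00:00Z")
FED_UPDATES = {"fed-a": parse_xs_datetime("2017-10-17T20:00:00Z"),  # republished 8h later
               "fed-b": parse_xs_datetime("2017-10-19T06:00:00Z"),  # republished 42h later
               "fed-c": parse_xs_datetime("2017-10-15T09:00:00Z")}  # not yet republished

if __name__ == "__main__":
    print("MDS aggregate:", aggregate_validity(MDS_AGGREGATE))
    print(json.dumps(drift_report(MDS_PUBLISHED, FED_UPDATES, parse_xs_datetime("2017-10-20T00:00:00Z")), indent=1))
```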


Title

Misc

Description

These requirements were collected via the Google form circulated during the I2 Tech Ex 2017.

  • stop inconsistent metadata handling practices
  • more marketing to increase adoption of Sirtfi and R&S
  • Standards for release; enforcing SP-based configuration standards
  • Unified specifications, broader push for common attribute release
  • Federated assertions infrastructure (LF note not sure what this means)
  • reduce the perceived complexity of participation to “support Facebook Connect”. We spent way too much time inventing new terms and ideas, not nearly enough time to reduce them down to “just do this”
  • (1) A Global Trust & Identity Management Lab Platform (at RNP we currently offer gidlab.rnp.br to researchers) (2) Translations to Portuguese of main materials to expand eduGAIN information (3) A benefit/cost technology map so that researchers and IT campus staff can start with the easier steps
  • easier integration for SPs
  • Not research based, but: larger framework to handle identity provisioning and deprovisioning as part of a single infrastructure that SPs would need to adopt and IDPs would need to deploy (think: AuthZ often requires local account for cloud service)
  • let's do eduVideo!
  • MDQ as a ubiquitous, class A service; Support for stronger authentication including proofing and binding practices in addition to taming the zoo of MFA beasts
  • federated Cloud access
  • IAM as a service, eduGAIN and eID/eIDAS synergy, more advanced eduGAIN (including IdP certification, IdP categorisation, ...)
Proposer: Various names; we can contact them if needed.
Resource requirements: effort and coordination
+1's: <for others to voice their support - add your name here>
