...
| Title | update SAML tracer |
|---|---|
| Description | The SAML Tracer (https://addons.mozilla.org/nl/firefox/addon/saml-tracer/) is a highly rated firefox plugin which was developed in our community (UNINETT, with contributions from others). As the browser is the central entity in any SAML transaction, it is extremely convenient tool for testing en debugging SAML transactions. There are not many alternatives to this tool Unfortunately, Firefox has changed its plugin framework, rendering the existig plugin useless and a major rework is needed. |
| Proposer | Niels van Dijk, SURFnet |
| Resource requirements | Money, a (junior) developer |
| +1's | Stefan Winter Scott Koranda, LIGO Nick Roy, InCommon Thomas Lenggenhager, SWITCH:Feasibility to provide also a Chrome and/or Safari compatible version? Pieter van der Meulen (SURFnet) Michael Domingues (University of Iowa) José Manuel, RedIRIS/SIR. Regarding Thomas question, there's a SAML Chome Panel extension for Chrome Wolfgang Pempe, DFN MIchael Brogan (Universty of Washington) Nate Klingenstein (The California State University) Marcus Mizushima (The California State University) Andrew Morgan (Oregon State University) David Bantz (U Alaska) Brent Putman (Georgetown University, Shibboleth Developer Team) Liam Hoekenga (University of Michigan) Terry Smith (AAF) Dalia Abraham (AAF) Daniel Lutz (SWITCH) Etienne Dysli Metref (SWITCH) Martin Haase (DAASI) |
eduroam
| Title | certbot for all certificate management |
|---|---|
| Description | Let's Encrypt and the certbot have made certificate management for 1 particular CA very easy and effective. With the addition of ACME v2 this will allow additional CAs to participate and allow the dev/test/production environments to automatically deal with certificates. Work should also investigate eduPKI and Let'sRADSEC use of this mechanism for certificate maintenance. TechEx 2016 ACAMP notes: https://docs.google.com/document/d/1o20NmuLjmNySp10QqfueO3of6jmoeTRfmgG4e_olZ_s/edit |
| Proposer | Brook (and a cast of thousands) |
| Resource requirements | People, Money, work to get standardisation of "realm validated certificates via RADIUS infrastructure" and maybe other paths. |
| +1's | Georgi Tsochev, BREN Rhys Smith, UKf: Certbot is going to take over the world, so we should start doing stuff with it. Reimer Karlsen-Masur, DFN-PKI |
eduroam
eduroam SP-as-a-service | |
|---|---|
| Description | With eduroam Managed IdP, there is a service which takes all RADIUS hassle off of Identity Providers. There is no equivalent for eduroam SPs. I.e. a future eduroam SP either needs to set up a local RADIUS server and connect it to the NRO, or (if the NRO supports it) connect the Wireless Controller directly to an NRO server - losing all advanced features such as VLAN assignment. For small hotspots, there is a possible additional complication if the hotspot has a dynamic IP address, which makes the interconnection via RADIUS' shared secrets infeasible. Right now, such potential hotspots are not serviceable by eduroam infrastructure. The goal of this activity is to create a self-service web portal where any prospect SP can register his hotspot (requiring sign-off by the NRO; comparable to eduroam Managed IdP) - regardless whether he has a static IP address, a dynamic one, or doesn't even know what an IP address is in the first place. The new hotspot's RADIUS connectivity is tested in real-time (e.g. using a credential from eduroam Managed IdP, a good complement to this service) and the new SP is instantly connected to the eduroam infrastructure. Where the NRO admin confirms that a particular hotspot maps to a specific realm or Managed IdP instance, the SP can even get VLAN ID assignments for his own users (that part of the use case is possibly a bit weak as an SP who does not know about setting up a RADIUS server likely also doesn't know about VLANs to begin with). For the technicalities of the uplink itself, there should be support for multiple attachment anchors (=RADIUS servers behind the web interface) because geographical proximity to the hotspot is important for performance reasons. The remaining complexity for the SP which this service will not take away is: phyiscal installation of APs, controllers, and the configuration of those so that they are providing proper local eduroam. To ensure service quality on such "no clue" SPs, it could be made mandatory to install a probe at the site so eduroam Operations can monitor the hotspot quality. |
| Proposer | Stefan Winter |
| Resource requirements | VM for web interface, VMs for RADIUS attachment anchors, a clever idea how to handle registering hotspots with dynamic or unknown IPs |
| Comments | Rhys Smith, UKf: just to say that Jisc Liberate, our managed SAML IdP/eduroam IdP/eduroam SP/ABFAB IdP/ABFAB SP/web proxy service, will have the eduroam SP bit towards the start of 2018. Stefan's description is a slightly different use case, however, so I think it doesn't really overlap here. |
| +1's | Rhys Smith, UKf: sounds like a good way to get new visited eduroam sites on board. |
| Title | eduroam DEEP Learning |
|---|---|
| Description | Based on Brooks idea, we train a DEEP network to detect eduroam breakage based on log-data. Possible joint work with Juniper Research. Leif will provide more information |
| Proposer | Leif |
| Resource requirements | To be better scoped, but certainly resources. |
| +1's | I'll give this one a "sounds cool, need more info" Nick Roy, InCommon Can be integrated via existing diagnostics context: Existing work evaluation#eduroamdiagnostics so gets a +1 from prior endorsements too. (note from AH) Should x-ref with the network perf folk. Talk to Kurt Baumann(Note from AH). Georgi Tsochev, BREN Rhys Smith, UKf: Wot Nick said. |
| Title | Scale eduroam infrastructure to the size of WIFI4EU |
|---|---|
| Description | There were a multitude of reasons why the GÉANT community couldn't run the infrastructure for WIFI4EU. Sufficient issues were exposed by managing this as a single centrailsed infrastructure (partially addressed by "get eduroam", "eduroam DEEP Learning", "eduroam SP-as-a-Service"). By identifying all the scaling blocks to existing eduroam services we'd be able to offer advice, guidance and technology push into govroam, WIFI4EU and eduroam services to support the existing infrastructure and development in new territories. |
| Proposer | Brook |
| Resource requirements | People |
| +1's | Georgi Tsochev, BREN Reimer Karlsen-Masur, DFN-PKI |
Future Certificate Services
| Title | certbot for all certificate management |
|---|---|
| Description | Let's Encrypt and the certbot have made certificate management for 1 particular CA very easy and effective. With the addition of ACME v2 this will allow additional CAs to participate and allow the dev/test/production environments to automatically deal with certificates. Work should also investigate eduPKI and Let'sRADSEC use of this mechanism for certificate maintenance. TechEx 2016 ACAMP notes: https://docs.google.com/document/d/1o20NmuLjmNySp10QqfueO3of6jmoeTRfmgG4e_olZ_s/edit |
| Proposer | Brook (and a cast of thousands) |
| Resource requirements | People, Money, work to get standardisation of "realm validated certificates via RADIUS infrastructure" and maybe other paths. |
eduroam SP-as-a-service
With eduroam Managed IdP, there is a service which takes all RADIUS hassle off of Identity Providers. There is no equivalent for eduroam SPs. I.e. a future eduroam SP either needs to set up a local RADIUS server and connect it to the NRO, or (if the NRO supports it) connect the Wireless Controller directly to an NRO server - losing all advanced features such as VLAN assignment. For small hotspots, there is a possible additional complication if the hotspot has a dynamic IP address, which makes the interconnection via RADIUS' shared secrets infeasible. Right now, such potential hotspots are not serviceable by eduroam infrastructure.
The goal of this activity is to create a self-service web portal where any prospect SP can register his hotspot (requiring sign-off by the NRO; comparable to eduroam Managed IdP) - regardless whether he has a static IP address, a dynamic one, or doesn't even know what an IP address is in the first place. The new hotspot's RADIUS connectivity is tested in real-time (e.g. using a credential from eduroam Managed IdP, a good complement to this service) and the new SP is instantly connected to the eduroam infrastructure. Where the NRO admin confirms that a particular hotspot maps to a specific realm or Managed IdP instance, the SP can even get VLAN ID assignments for his own users (that part of the use case is possibly a bit weak as an SP who does not know about setting up a RADIUS server likely also doesn't know about VLANs to begin with).
For the technicalities of the uplink itself, there should be support for multiple attachment anchors (=RADIUS servers behind the web interface) because geographical proximity to the hotspot is important for performance reasons.
The remaining complexity for the SP which this service will not take away is: phyiscal installation of APs, controllers, and the configuration of those so that they are providing proper local eduroam.
To ensure service quality on such "no clue" SPs, it could be made mandatory to install a probe at the site so eduroam Operations can monitor the hotspot quality.
VM for web interface, VMs for RADIUS attachment anchors, a clever idea how to handle registering hotspots with dynamic or unknown IPs
eduroam DEEP Learning
breakage based on log-data. Possible joint work with Juniper Research.
Leif will provide more information
I'll give this one a "sounds cool, need more info" Nick Roy, InCommon
Can be integrated via existing diagnostics context: Existing work evaluation#eduroamdiagnostics so gets a +1 from prior endorsements too. (note from AH)
Should x-ref with the network perf folk. Talk to Kurt Baumann(Note from AH).
Georgi Tsochev, BREN
Rhys Smith, UKf: Wot Nick said.
Scale eduroam infrastructure to the size of WIFI4EU
There were a multitude of reasons why the GÉANT community couldn't run the infrastructure for WIFI4EU.
Sufficient issues were exposed by managing this as a single centrailsed infrastructure (partially addressed by "get eduroam", "eduroam DEEP Learning", "eduroam SP-as-a-Service"). By identifying all the scaling blocks to existing eduroam services we'd be able to offer advice, guidance and technology push into govroam, WIFI4EU and eduroam services to support the existing infrastructure and development in new territories.
| +1's | Georgi Tsochev, BREN Rhys Smith, UKf: Certbot is going to take over the world, so we should start doing stuff with it. Reimer Karlsen-Masur, DFN-PKI |
| Title | cryptech.is |
|---|---|
| Description | |
| Proposer | |
| Resource requirements | |
| +1's |
| Title | CA CAB/Browser forum participation |
|---|---|
| Description | |
| Proposer | |
| Resource requirements | |
| +1's |
Attribute Authorities
| Title | Discovery for Attribute Authorities (AAs) |
|---|---|
| Description | Users can select their IdP via discovery, therefore the SP can potentially receive users from thousands of IdPs. There is no such facility for AA-s however, meaning that SP-s need to hard-configure which AAs they query. Also, query all the configured AAs for all users all the time. In GN4-1-JRA3-T1 it has been established that this is a serious bottleneck, as maximum 2-3 AAs can be queried without breaking the entire login session. A better approach is needed. The SPs need to query AAs selectively, based on either user input or some alternative means, like some VO lookup service. Otherwise all SPs will just stick with the biggest AAs like eduTEAMS basic membership service or hexaa.eduid.hu and not query alternative entities, making single-tenant AAs very unattractive. |
| Proposer | Mihály Héder |
| Resource requirements | This is a hard one. Currently there is no support for any elements of this whatsoever
|
| +1's | Constantin Sclifos, RENAM |
| -1's | Wolfgang Pempe, DFN: Such a dynamic approach would raise issues concerning trust and privacy. An attribute authority must be in control of the list of SPs that are entitled to perform attribute queries and (possibly) recieve PII. |
...