Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

eduGAIN Steering Group Meeting


Tuesday 30th January 2017,


14:00 -




30 CET (in your timezone)

Please Note that the above time is TO BE CONFIRMED.

  • Constitution v3 (effective from 1 August 2017)
  • Decision on the

    1513:45 CESTCET

    Arrival & "Can you hear me now?" (we won't be using Adobe Connectsee Connection Details)
    1614:00 CESTCET

    Welcome, Introductions & Agenda Agreement

    • Open Actions.
    • Membership updates and information.
          • Status of Uganda/RIF vote
      14:15 CET

      Hanging Issues for Members and Participants

      14:30 CETROBOT Attack (PDF) Shannon Roddy
      14:45 CETRevision of the eduGAIN Policy Framework
        • SAML WebSSO Profile - Nicole Harris
        • Grace period for current eduGAIN members
        • What's left?

        Hanging Issues for Members and Participants

        • Errors/Warnings/Issues
        • "Size of the Problem"
        • Possible changes and any impact

        Candidate Issues

        • Long term candidates
        16:40 CEST

        Requirements gathering for GN4-3 - Ann Harding

        16:50 CEST15:00 CET

        Any other Business

        Future SG Meetings

        • DI4R, Belgium - 30 Nov & 1st December 2017
        • Virtual Meeting in December 2017
        • eduGAIN Town Hall - end 2017/early 2018
        • Forums People Attend? TNC, RDA, Other.
        16:55 CEST
        • Conflict/Changes to 2018 meeting dates/times?
        • Next meeting @ APAN45 - Tuesday March 27th 13:30 Singapore Time

        15:15 CET

        Summary, Actions and Close (or we're running over time).

        1715:00 CEST30 CET

        Meeting Close

        Connection Details


        Federations in Attendance (22)

        1. COFRe
        2. RIF
        3. FÉR
        4. InCommon
        5. DFN
        6. SIR
        7. TAAT
        8. SAFIRE
        9. CAF
        10. RCTSaai
        11. eduID.


        ...Apologies (nn):


        1. cz
        2. SWITCHaai
        3. AAI@EduHR
        4. SWAMID
        6. IRANet
        7. SGAF
        8. AAF
        9. LEAF
        10. IIF
        11. Belnet Federation
        12. IDEM

        Attendees (29)

        1. Brook Schofield, GÉANT
        2. Casper Dreef, GÉANT
        3. Nicole Harris, GÉANT
        4. Alejando Lara, REUNA/COFRe
        5. Alex Mwotil, RENU/RIF
        6. Anass Chabli, RENATER/FÉR
        7. Ann West, InCommon
        8. Nick Roy, InCommon
        9. Shannon Roddy, InCommon
        10. Wolfgang Pempe, DFN
        11. José-Manuel Macías, RedIRIS/SIR
        12. Sten Aus, EENet / TAAT (Estonia)
        13. Guy Halse (SAFIRE/TENET)
        14. Chris Phillips, CANARIE/CAF
        15. Esmarelda Pires, RCTSaai
        16. Jiri Borik,
        17. Lukas Hämmerle, SWITCHaai
        18. Marina Adomeit, GN4-2
        19. Miroslav Milinovic, AAI@EduHR
        20. Pål Axelsson, SWAMID
        21. Stefan Winter, RESTENA/
        22. Saeed Khademi, IRANet
        23. Simon Green, SGAF
        24. Terry Smith, AAF
        25. Valentino Pocotilenco, LEAF
        26. Zivan Yoash, IUCC/IIF
        27. Pascal Panneels, Belnet Federation
        28. Barbara Monticini, IDEM
        29. Andi Malaj, Albania/RASH

        Apologies (2)

        • Arnout Terpstra, SURFnet
        • Rhys Smith, UK Federation


        Welcome, Introductions & Agenda Agreement

        The Chair welcomed everyone to the 1st meeting of 2018. The agenda was adjusted to put the ROBOT attack presentation ahead of discussion on the Policy Framework.

        Open Actions

        One (1) open action was addressed.

        ACTION 20170831-01: Chair to ask all “voting-only” members for the timeline for their participation and provide input to the next meeting.
           The voting only candidates were contacted with mixed responses on their progression toward eduGAIN participation. Turkey/YETKIM (no response), New Zealand/Tuakiri (don't see the benifits of fully participating at this time), Italy/GridIdP (desire to participate with a service that wants to extend to eduGAIN so there should be movement in the coming months).This action will remain open and be tabled for the next meeting with a broader scope based on "low participation" that should include meeting attendance, voting, assessment of peer federations and other suitable metrics.


        Current status - New members and candidates: See and work on progressing new members is underway.Future meetings:

        • DI4R, Belgium - 30 Nov & 1st December 2017
        • Virtual Meeting in December 2017
        • eduGAIN Town Hall - end 2017/early 2018

        The hanging issues from members and participants was continued from the above open action.There are a range of issues on raising the bar for identity federations, some of which will be discussed later, and that a fuller discussion is needed.

        The chair raised the phenomenon of 'twin Federations' with expressed of interest from 3 territories (China, Oman and Russia) that already have a federation (or application underway). It was reiterated that membership of eduGAIN is not for national identity federations but for those primarily engaged in Research and Education and that the existance of schools federation, multiple research networks, funding agencies and the like within our community could result in multiple federations from a single territory. There was no concern nor further discussion.

        The use of the eduGAIN-Discuss mailing list for membership matters had none of the downsides raised at previous meetings and was regarded as a success and should continue.

        ROBOT Attack

        Shannon Roddy from Internet2/InCommon presented on their work on the applicability of the ROBOT Attack against the backchannel connection to Shibboleth instances. His presentation is available as a PDF.

        From the presentation and discussion there were some clear themes, such as only paying attention to "brand name" vulnerabilities, the need for security contacts and incident response lines of communication setup prior to a problem, remediation of this (and other issues) and the role of eduGAIN support.

        The #slack channels available for eduGAIN can be used for this and while more than 130 accounts exist on this platform it isn't universal. Federation email contacts should be approached to enquire about specific Security contacts.

        Nick Roy raised the issue of this remidation only focusing on InCommon and while the total affected IdP population was small the remaining eduGAIN (and wider federation community) wasn't approached and federations should take specific measures to look at their own membership.

        Lukas remarked that eduGAIN Support started contacting federations regarding other operational issues.This practice was welcomed and federation operators would me contacted or included in communication directed at specific endpoints.

        Chris Phillips stated that responsible disclosure is Good™ and wheteher there were specific Guidelines from the Steering Group on this? A #slack channel for discussion on this topic was created initially with Shannon, Nick, Chris and Pål to report back at a future meeting.

        Revision of the eduGAIN Policy Framework

        Nicole stated that the SAML2 WebSSO profile work was still being drafted based on community input. The two remaining issues are:

        1. The ability of ADFS to adhere to the Metadata Interoperability Profile.
        2. The requirement for RegistrationInstant. The decision was to drop it as there were zero concrete reasons for its use.

        Further investigation of point #1 is still required at this point in time. An update will be available at the next SG meeting.

        Any Other Business

        There was a request for OIDC Federation work to be presented at a future SG meeting, espcially since the last revision of the Policy Framework was to make it protocol agnostic. The Chair reminded everyone that supporting Moonshot Technology was the original driver for this but work on federated OIDC has overtaken that work. Chris noted that as a community we risk falling behind the curve if we aren't aware of the issues and progress in this space. Suggestions for presenters was made and it will be tabled in the next SG meeting to support a discussion of a roadmap for OIDC inclusion.

        Future meetings

        No issues with the future meeting schedule was raised.