...
| Title | Reference implementation of an IdP and OP in Python |
|---|---|
| Description | The current GN4-2 projet has invested heavly into the Python stack for OpenID Connect (federation) and it should be good to put together a full blown home organisation IdP/OP based on this work and earlier work with the SAML stack. This imlementation should support all current best practices in eduGAIN and retrie attributes from different sources. |
| Proposer | Pål Axelsson on behalf of Sunet |
| Resource requirements | money, software dev |
| +1's | Stefan Winter Nick Roy, InCommon Niels van Dijk, GEANT 4-2 Project; This should be carried out in close collaboration with the pyid.org community |
| Title | Allow eduGAIN OT to enrich MDS metadata |
|---|---|
| Description | Currently, metadata is controlled exclusively by federation operators, which is generally good. However, there will pop up use-cases where it is more efficient, a lot faster and definitely more agile to allow eduGAIN OT to enrich eduGAIN metadata centrally with some entity categories because if all 50+ federations have to do something, it will take years and effort to set some entity category is duplicated for each federation. |
| Proposer | Lukas Hämmerle, SWITCH |
| Resource requirements | Policy might need to be changed, it would have to be defined what/what not eduGAIN OT reasonably could and should do. Some (limited) implementation effort on MDS might be needed. |
| +1's | Nick Roy, InCommon Tom Barton: Although "Query service for Sirtfi" above is formulated as a query service, it might best be implemented as an enrichment by eduGain OT to metadata. Should these two proposals become one? Niels van Dijk, SURFnet: I would be really interested in how distributing the trust between decentralized federations and central OT would work. Hannah Short, CERN Constantin Sclifos, RENAM Scott Koranda, LIGO |
| -1's | SURFnet: Many worries: role of aduGAIN of aggregator that is now going to modify metadata (SURFnet) |
| Title | Discovery for Attribute Authorities (AAs) |
|---|---|
| Description | Users can select their IdP via discovery, therefore the SP can potentially receive users from thousands of IdPs. There is no such facility for AA-s however, meaning that SP-s need to hard-configure which AAs they query. Also, query all the configured AAs for all users all the time. In GN4-1-JRA3-T1 it has been established that this is a serious bottleneck, as maximum 2-3 AAs can be queried without breaking the entire login session. A better approach is needed. The SPs need to query AAs selectively, based on either user input or some alternative means, like some VO lookup service. Otherwise all SPs will just stick with the biggest AAs like eduTEAMS basic membership service or hexaa.eduid.hu and not query alternative entities, making single-tenant AAs very unattractive. |
| Proposer | Mihály Héder |
| Resource requirements | This is a hard one. Currently there is no support for any elements of this whatsoever
|
| +1's | Constantin Sclifos, RENAM |
| Title | Attribute Authority scoping information in Metadata |
|---|---|
| Description | It seems that AARC-JRA1.4A will propose "scoping of group membership information". However, there is no element in the SAML metadata that contains the scope of an AA, therefore, there is nothing to verify the scoped membership information against. The only way today is to learn about the scopes used by an AA entity via word-of-mouth and then apply those scopes in attribute value level filtering and access control rules, maintained manually in the SP config. Obviously this does not scale. |
| Proposer | Mihály Héder |
| Resource requirements |
|
| +1's |
...
| Title | eduroam DEEP Learning |
|---|---|
| Description | Based on Brooks idea, we train a DEEP network to detect eduroam breakage based on log-data. Possible joint work with Juniper Research. Leif will provide more information |
| Proposer | Leif |
| Resource requirements | To be better scoped, but certainly resources. |
| +1's | I'll give this one a "sounds cool, need more info" Nick Roy, InCommon Can be integrated via existing diagnostics context: Existing work evaluation#eduroamdiagnostics so gets a +1 from prior endorsements too. (note from AH) Should x-ref with the network perf folk. Talk to Kurt Baumann(Note from AH). Georgi Tsochev, BREN |
| Title | SOC tools |
|---|---|
| Description | GEANT should develop and maintain a toolchain for security operations (SOC) teams. This includes work on stuff like grr, plaso, timesketch, information sharing platforms, threat intelligence platforms etc |
| Proposer | Leif |
| Resource requirements | To be better scoped, but certainly resources. |
| +1's | This is similar to a proposal submitted under the security white paper planning. Talk to Sigita Jurkynaite about this. |
| Comment | SURFnet: We support the notion of having good security operations in trust and identity but in the geant project this should probably be developed in the security activity. |
...
| Title | Scale eduroam infrastructure to the size of WIFI4EU |
|---|---|
| Description | There were a multitude of reasons why the GÉANT community couldn't run the infrastructure for WIFI4EU. Sufficient issues were exposed by managing this as a single centrailsed infrastructure (partially addressed by "get eduroam", "eduroam DEEP Learning", "eduroam SP-as-a-Service"). By identifying all the scaling blocks to existing eduroam services we'd be able to offer advice, guidance and technology push into govroam, WIFI4EU and eduroam services to support the existing infrastructure and development in new territories. |
| Proposer | Brook |
| Resource requirements | People |
| +1's | Georgi Tsochev, BREN |
| Title | A Global Trust & Identity Management Lab Platform |
|---|---|
| Description | The most interesting session that I had at TechEx 2017 ACAMP was asking "How do students federate an application?" with Fed-Lab.org and TestShib.org existing - but not solving all of the edge cases for new applications and especially new developers. A student can pick a framework off the self - run through tutorials and then connect their application to a host of services (Github, Twitter, Facebook) but SAML often isn't an option - and even if it is - there is a lack of enviornments that a student/new developer can jump into to make their tool work. This needs to be solved to support new developers, create a sandbox for development and expose SAML integration for various frameworks. Include OIDC |
| Proposer | Brook (stolen from Andre Marins idea @ TechEx ACAMP 2017https://docs.google.com/document/d/1mvD27mGJQIkvaqXESijDKWrYKvF_ZlC-Ucb-gWRCJjo/edit ) |
| Resource requirements | |
| +1's |
...
| Title | certbot for all certificate management |
|---|---|
| Description | Let's Encrypt and the certbot have made certificate management for 1 particular CA very easy and effective. With the addition of ACME v2 this will allow additional CAs to participate and allow the dev/test/production environments to automatically deal with certificates. Work should also investigate eduPKI and Let'sRADSEC use of this mechanism for certificate maintenance. TechEx 2016 ACAMP notes: https://docs.google.com/document/d/1o20NmuLjmNySp10QqfueO3of6jmoeTRfmgG4e_olZ_s/edit |
| Proposer | Brook (and a cast of thousands) |
| Resource requirements | People, Money, work to get standardisation of "realm validated certificates via RADIUS infrastructure" and maybe other paths. |
| +1's | Georgi Tsochev, BREN |
You do not have to fill in every field, just give as much detail as you have right now if you know them.