Please note that the above time is CONFIRMED.
Arrival & "Can you hear me now?" (see Connection Details)
Welcome, Introductions & Agenda Agreement
Membership Updates and Joining
Revision of the eduGAIN Policy Framework
Best/Current Practices within eduGAIN
Future SG Meetings
Any other business, Summary, Actions and Close (or we're running over time).
*Not a member.
The Chair welcomed everyone to the 4th meeting of 2018.
For details on new members and candidates see https://technical.edugain.org/status; work on progressing new members is underway.
Membership assessment continues on track, but tracking votes will soon be an issue.
| Issue | Federations | Count |
|---|---|---|
| No issues | DZ, AU, AT, BY, BR, CA, HR, CZ, EC, EE, GE, DE, IN, HU, KR, LV, LT, LU, MD, NO, RU, PL, SG, ZA, ES, UA, CH, NL | 28 |
| EntitiesDescriptor does not contain PublicationInfo | AR, FI, IE, PT | 4 |
| Missing an "English" value in Metadata | AM, FR, JP, UK | 4 |
| mdui:Logo has wrong value | BE | 1 |
| Signature using an Empty Reference | CO, FR, UG | 3 |
| validUntil is less than 5 or greater than 28 from creationInstant | CO, IL, IT | 3 |
| creationInstant wrong / in the future | CL, FR, HK, IR, MK, SI | 6 |
| Signature Method/Digest Weak | CL | 1 |
| Organization block / ContactPerson not found or missing tech/support | DK, GR, JP, IE, MK, SE, US | 7 |
Some refinement of the mdui:Logo assessment is still required in the validator: the SAML Profile requires a Data URL or an https:// URL, and https:// URLs must be publicly accessible.
The information in this table, along with the eduGAIN Compliance Issues, will be collated and regularly assessed at steering group meetings. There is no immediate need to decide on a timeline for these issues; federations will be contacted regarding their issues. Once the problem has been reduced to a small handful of federations, particularly if those federations are non-responsive, a decision will be made.
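As an added illustration (not code from the minutes or from the eduGAIN validator), the following Python checker runs the aggregate-level checks named in the table over a constructed eduGAIN-style EntitiesDescriptor. It assumes the 5 and 28 in the validUntil rule are days; the sample metadata, entityIDs and timestamps are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

def parse_instant(value):
    # SAML metadata timestamps are UTC ISO 8601 with a trailing "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_aggregate(xml_text, now):
    """Return the findings (labelled as in the table) for one aggregate."""
    findings = []
    root = ET.fromstring(xml_text)
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    if pub is None or pub.get("creationInstant") is None:
        findings.append("EntitiesDescriptor does not contain PublicationInfo")
    else:
        created = parse_instant(pub.get("creationInstant"))
        if created > now:
            findings.append("creationInstant wrong / in the future")
        # Assumed unit: days. A missing validUntil is treated as out of range.
        lifetime = parse_instant(root.get("validUntil", "1970-01-01T00:00:00Z")) - created
        if not timedelta(days=5) <= lifetime <= timedelta(days=28):
            findings.append("validUntil is less than 5 or greater than 28 from creationInstant")
    for ui in root.iterfind(".//mdui:UIInfo", NS):
        names = ui.findall("mdui:DisplayName", NS)
        if names and not any(n.get(XML_LANG) == "en" for n in names):
            findings.append('Missing an "English" value in Metadata')
        for logo in ui.findall("mdui:Logo", NS):
            url = (logo.text or "").strip()
            # Profile requirement: a data: URL or a (publicly reachable) https:// URL
            if not (url.startswith("https://") or url.startswith("data:")):
                findings.append("mdui:Logo has wrong value")
    return findings

# Constructed sample aggregate carrying three of the defects from the table
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" validUntil="2018-08-15T10:00:00Z">
  <md:Extensions><mdrpi:PublicationInfo publisher="https://fed.example" creationInstant="2018-07-01T10:00:00Z"/></md:Extensions>
  <md:EntityDescriptor entityID="https://idp.example/idp"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="de">Beispiel IdP</mdui:DisplayName>
      <mdui:Logo height="60" width="80">http://idp.example/logo.png</mdui:Logo>
    </mdui:UIInfo></md:Extensions>
  </md:IDPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def check_sample(now="2018-07-10T00:00:00Z"):
    return check_aggregate(SAMPLE, parse_instant(now))
```

Running `check_sample()` reports the 45-day lifetime, the missing English DisplayName and the http:// logo; evaluating the same aggregate with a `now` earlier than the creationInstant additionally reports it as in the future.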
The outline of a Best Current Practices Guide for Joining eduGAIN as a Federation has been developed. Discussion centred on what should be added/included in this work.
There are many SHOULD requirements that were stripped from the eduGAIN SAML Profile that could be used as the basis for this work.
There is an increasing number of groups providing advice and guidance, and this is an opportunity to provide clarity, especially for new/emerging federations in this space. The existence of R&S, CoCo, SIRTFI, FIM4R, SAML2Int and REFEDS MFA needs to be consolidated into useful guidance.
Whether this covers federation or entity practices was raised but not concluded.
Peter stated that it should be a "Good Practice Guide for Decent Interoperability".
Specifically, Key Management Practices and Incident Response were raised. Some practices have evolved over time but there is "no good reason to keep doing it this way". There is a lot of legacy in documentation and it needs to be clear that some of these practices are no longer a good thing™.
Since Foodle will shut down from 1 July 2018 there is a need to find a replacement for voting on membership (and other) issues.
The Foodle codebase is available but there is likely to be significant effort in supporting this tool. Nicole to take eduGAIN Steering Group use of Foodle forward as one use-case to justify GÉANT taking on this work. She stated that the domain (in addition to the software) was also available for any suitable home. There have been discussions with some federations on this topic.
Peter Schober suggested a range of tools that could be used for e-Voting purposes.
Anass suggested Evento from RENATER as a possible solution. This service isn't published into eduGAIN currently.
Terry Smith highlighted the AAF's need for any such tool to support R&S to ensure it is available to its IdPs without going through a committee approval process.
Update: Evento has been successfully used in the vote of Malaysia/SIFULAN and appears to be acceptable. Additionally, FÉR updated their federation metadata management tools to support R&S for the AAF use-case.
The next meeting will take place on 6-9 August 2018 at APAN46 in Auckland, New Zealand. Since the APAN46 programme (and the Identity & Access Management programme that surrounds it) is still in flux, there might be an adjustment from the initially proposed time. It will be in the Asia/Pacific timezone, so some pain will be felt by the Americas and Europe.
Time is now confirmed as per the announcement of the next meeting.
Peter Schober raised the issue of a DigiCert SSO key rollover. Their SSO entry is published by ACOnet for all TCS subscribers to use, and the current signing certificate in SAML metadata is set to expire; while this won't affect saml2int-compliant IdPs, it will impact ADFS. The current SP setup doesn't allow multiple keys in simultaneous operation. The new certificate is generated from the existing private key material and as such won't cause a problem for simpleSAMLphp instances (but these are in the minority). Peter will be announcing the rollover on the FOG mailing list and interested parties should follow along.
The meeting closed at 13:30.