Kantara FIWG Teleconference
Date and Time
- Date: 20, December, 2012
- Time: 13:00 PT |16:00 ET
- John Bradley, Ping Identity
- Nate Klingstein, Internet 2
- Scott Cantor, Internet 2
- Rainer Hoerbe, KisMed Austria
- Leif Johansson, NORDUnet
- Colin Wallis, Internal Affairs Dept, NZ Government
- Administrative - roll call
- FEDLab SAML tests update
- UK Gov Profile
- eGov 2 Profile
- SAML 2 Int Profile (Profile updates, wiki page)
- Kantara, OIX and other meta-data aggregator projects
1. Administrative - roll call
- Quorate call
- No previous minutes to approve
2. FEDLab SAML tests update
- This topic opened with Rainer presenting his paper... http://kantarainitiative.org/confluence/download/attachments/41649836/SAML+ProfTest+Concept.pdf . The objective is to create a common super set of (web accessible ) tests, whereby each deployer adds tests to a common repository, and work with FedLab to fill test 'gaps'. The actual test harness itself would restrict access to 'signed up' deployers. All test cases covered: Request/Response, Metadata etc.
- [JB: Notes that some vendor products do not automatically import metadata, so have to manually import and refresh. Also that Ping has done work with Box for a connection for SaaS providers, which offers a metadata applet for SP/IDPs supporting Ping Federate].
- Austria wants to start with SP/RP's first since it has many SPs with many client apps and only 3 or 4 vendor products covering the 30 or so IDPs.
- [SC: As an InCommon IDP all I care about is if they consume InCommon's metatada].[JB: SP piece will take a while to build]. General difficulty with metadata tests is testing 'consumption' - each product will behave differently.
- [JB: OID Connect tests if the overall exchange works or nor, rather than if it is conformant].
- Metadata supplied by SP must be validated/pre-checked as OK before submission to the test harness.
- [SC: We must have a test for the XML DSig wrapping attack (since SAML Pummel predates it).
- Austria trying to find funding for this, since it will take hard work to automate.
- Leif: We need to separate the hosting test service from the creating and updating' test case 'repository/database' (as automated as we can get it, so needs to be more than a Wiki.
- Next call consideration: Maybe do a discussion paper to lay out a kind of project plan
- Action: Put Rainer's 'SAML Profile Test Concept' draft paper on the wiki for easier reference (completed on 20th Dec?).
- Action: Put this topic on the list for discussion at the European IIW Vienna meeting, Feb 12/13th
3. UK Gov Profile
Summary: Stephen Dunn agreed to the sharing of the latest draft (still says Dec 2011 but content may have changed?). With some issues noted by FIWG members in the the draft, and actual pilots still ahead that may prove or otherwise the conformance and performance of the draft, attendees generally felt that it was less mature than the other government and SAML2INT profiles, so at this stage FIWG will move ahead without it.
4. eGov 2 SAML Profile
- Leif and Colin to reach out to Anil John (GSA) to clarify requirements outlined in recent emails
5. SAML 2 Int Profile
Discussion relating to SAML2 INT profile and the use of FedLab to prgress this work? (or is this still part of 1 above?). Currently the timeline for progress is 'loose', not because of funding $ shortage but because of capability shortage. If work can be done by a Uni (with the capability to do it) in the GEANT network, then that may be a way forward. Steffen Solensen? Sorrensen? (spelling?) the IETF PKIX chair is someone who could help with contacts. The idea is Operational $ has to come from external/Govt sources
6. Kantara, OIX and other meta-data aggregator projects
Leif introduced and explained a little about the the Kantara registry effort: http://kantarainitiative.org/trust-registry/ and that it was similar to the OIX one in structure. The LOA3 IdP/RP 'market' was small enough globally to use USB tokens for access.
- Date: Thurs 10th, January, 2013
- Time: 13:00 PT | 16:00 ET | (Time Chart)
- Dial-In: +1-218-862-7200
NOTE: Do not follow the code with a "#" symbol as it may cause the code not to be recognized.