==== Community Agreement ====
* Add external identity providers to GENI
* GPO should build a prototype !InCommon-compatible GENI portal / slice authority
* Agree on an initial set of required identity attributes
  * Name
  * Institution
  * Affiliation
  * Email address
  * Phone number

==== Next Steps ====
* GPO will build a prototype portal / slice authority that accepts !InCommon logons and produces slice credentials
  * Build a portal
  * Become an !InCommon service provider
  * Work with a few test institutions to get desired attributes from their identity providers
  * Federate with a few GENI Aggregates
  * Demonstrate this portal at GEC11
* Pending group evaluation, expand this portal to other institutions and aggregates

==== Selected Discussion Points ====
===== Ken Klingenstein =====
* GENI should adopt the same practice as sites like !PubMed: sign in via old user/pass or !InCommon
  * Use local identity in a global fashion
  * Other countries use this more than the US
* Standards are developing
  * IETF GSSAPI will lead to federated SSH
  * But currently this is for web login
  * Note this is federated and not domesticated, which is likely what GENI wants
* Access Control
  * Scale is hard
  * Group management tools help
  * Privilege management is sometimes needed
  * Fine-grained delegation needed
* Identity Management Principles
  * Scale
  * Address privacy via consent
  * Leverage institutional attributes
  * Make consistent with security
* Extra GENI principles
  * Cluster / CF-specific attributes should be auto-managed
  * Integrate across existing projects
  * Provide access to GENI to new users and communities
* !CoManage is complementary
  * Let GENI leverage this infrastructure

===== Rob Ricci =====
* I want
  * Accountability
    * Neck to wring
  * Name, email, institution, role
  * PI or faculty advisor
    * Could be a candidate for a self-asserted attribute
  * Class enrollment would be nice to have
* ProtoGENI already does this
  * ProtoGENI will accept these attributes from trusted sources
  * ProtoGENI will separate the concept of the slice authority from the identity provider
    * A change, but a good idea
* Optimize for low hassle with assurances of trustworthiness
* Scale isn't that big:
  * Thousands currently, not 10s of thousands
  * Adding undergrads will stretch that
* ProtoGENI users
  * 25% non-US
  * PIs verify students
  * ProtoGENI (Rob) verifies PIs
  * 100s of users, not thousands
  * Pruning of accounts is manual currently
  * Users are trusted to self-update their information currently

===== Jeff Chase =====
* Build security, trust roots, and federation into GENI
* Separate policy from mechanisms
* Use off-the-shelf solutions, like Shibboleth
  * Grouper (now part of !CoManage) allows an institution to manage group memberships
* Use Shibboleth at the edge of GENI using a portal
  * Use existing X509 keys internally
  * Don't use the Shibboleth delegated authentication stuff for now
* How do we handle revocation? Limited-life certificates?
* Putting attributes in certificates would mean revealing attributes to services that the identity provider did not explicitly permit

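The portal boundary sketched in the agreement, next steps and the design points above (!InCommon/Shibboleth at the edge, a limited-life GENI-internal credential behind it that carries no identity attributes, expiry standing in for revocation), as an added example that is not code from the meeting, the GPO or ProtoGENI. It assumes the attribute names a Shibboleth SP would expose to the portal application (displayName, schacHomeOrganization, eduPersonScopedAffiliation, mail, eppn, Shib-Identity-Provider), uses an HMAC over a JSON body as a stand-in for the X509 signature the design actually calls for, and the signing key, issuer name and sample login are constructed:

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed mapping from the meeting's required attribute list to the attribute
# names a Shibboleth SP would expose to the portal (set in attribute-map.xml).
REQUIRED_ATTRIBUTES = {
    "Name": "displayName",
    "Institution": "schacHomeOrganization",
    "Affiliation": "eduPersonScopedAffiliation",
    "Email address": "mail",
}
# Rarely released by InCommon IdPs, so the portal must collect it from the
# user and treat it as self-asserted rather than institutionally vouched for.
SELF_ASSERTED = {"Phone number": "telephoneNumber"}
KNOWN = set(REQUIRED_ATTRIBUTES.values()) | set(SELF_ASSERTED.values()) | {
    "eppn", "Shib-Identity-Provider"}

# Constructed sample of what the SP hands the portal for one login (not real data).
SAMPLE_ENV = {
    "Shib-Identity-Provider": "https://idp.example.edu/idp/shibboleth",
    "eppn": "student@example.edu",
    "displayName": "A. Student",
    "schacHomeOrganization": "example.edu",
    "eduPersonScopedAffiliation": "student@example.edu;member@example.edu",
    "mail": "student@example.edu",
}


def parse_shib_attributes(environ):
    """The SP passes released attributes as request variables; multi-valued
    attributes arrive ';'-separated. Returns {attribute: [values]}."""
    attrs = {}
    for name, raw in environ.items():
        if name in KNOWN and raw:
            attrs[name] = [v for v in raw.split(";") if v]
    return attrs


def missing_required(attrs):
    """Labels from the community agreement that the IdP did not release."""
    return [label for label, name in REQUIRED_ATTRIBUTES.items() if not attrs.get(name)]


def sign_body(body, key):
    # Stand-in for the X509 signature of the real design.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_credential(attrs, key, ttl_seconds=3600, now=None):
    """Portal side: mint a limited-life credential. Only an opaque subject and
    the validity window go in; the released attributes stay at the portal."""
    missing = missing_required(attrs)
    if missing or not attrs.get("eppn"):
        raise ValueError("IdP did not release: " + ", ".join(missing or ["eppn"]))
    now = int(time.time()) if now is None else now
    # Keyed pseudonym: stable per user, not reversible to the eppn by an aggregate.
    subject = hmac.new(key, b"subject:" + attrs["eppn"][0].encode(),
                       hashlib.sha256).hexdigest()[:32]
    payload = {"sub": subject, "iss": "gpo-portal", "nbf": now,
               "exp": now + ttl_seconds,
               "idp": attrs.get("Shib-Identity-Provider", ["unknown"])[0]}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + sign_body(body, key)


def verify_credential(credential, key, now=None):
    """Aggregate side. Returns (status, payload); expiry is the revocation
    mechanism, so a short ttl bounds how long a lost credential is usable."""
    now = int(time.time()) if now is None else now
    if "." not in credential:
        return "malformed", None
    body, sig = credential.split(".", 1)
    if not hmac.compare_digest(sig, sign_body(body, key)):
        return "bad-signature", None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now < payload["nbf"] or now >= payload["exp"]:
        return "expired", payload
    return "ok", payload


def demo(key=b"constructed-portal-key"):
    """Walk one login through issue and verify, including expiry and tampering."""
    attrs = parse_shib_attributes(SAMPLE_ENV)
    cred = issue_credential(attrs, key, ttl_seconds=3600, now=1_300_000_000)
    ok, payload = verify_credential(cred, key, now=1_300_000_100)
    expired, _ = verify_credential(cred, key, now=1_300_003_600)
    tampered = cred[:-1] + ("0" if cred[-1] != "0" else "1")
    bad, _ = verify_credential(tampered, key, now=1_300_000_100)
    return ok, expired, bad, sorted(payload)


if __name__ == "__main__":
    print(demo())
```

The aggregate never sees displayName, mail or affiliation: the portal keeps them, which is what keeps an IdP's attribute-release decision from being widened to every aggregate the credential reaches. Phone number is deliberately outside the required set, because an IdP that releases the R&S attribute bundle will usually not release it.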
===== Group =====
* Rob Ricci: if this could help with 'instant gratification' of a newly enrolled student getting access, that would be nice
* Andy Bavier says PL is willing to federate with a new, GPO-run portal / slice authority that does this
* Andy is interested in using !CoManage or similar to offload some attribute maintenance
* Trusting the GPO portal still requires establishing trust, and the portal would still manually approve experimenter applications
