[Concordia] Notes from 19 Feb 2008 Concordia call: note next steps below!
Eve Maler
Eve.Maler at Sun.COM
Tue Feb 19 14:15:22 EST 2008
[I'll put this on the wiki shortly with more links etc. added.]
== Next meeting and next steps ==
Tuesday, 4 March 2008
10-11am PT / 1-2pm ET / 6-7pm UK / 7-8pm CET
US toll-free +1 866 469 3239 or caller-paid +1 650 429 3300
Code 7860-6951#
We need to know interop participation details and A/V needs by FRIDAY,
FEBRUARY 29. We will set up the list of interop roles by MONDAY,
FEBRUARY 25 and will encourage all the interop technical contacts to
sign up immediately and provide A/V requirements.
== Attending ==
Eve Maler (Sun), Mike Jones (Microsoft), Ari Kermaier (Oracle), Damien
Carru (Oracle), Allen Schaas (PKMI TC), Britta Glade (LAP), Ashish
Jain (Ping ID), Scott Cantor (Internet2), Brett McDowell (LAP),
Shivaram Mysore, Eric Tiffany (LAP), Sampo Kellomaki (Symlabs), Gerry
Beuchelt (Sun)
== AI roundup ==
Pending:
* Eve to work up a draft of presentation material, and all to review
and comment. [To be done a bit closer to the event, when the
participation matrices and scenario details are filled out.]
* All to collate A/V needs for RSA by the end of February. [Ongoing.]
* Scott to flesh out the IdP discovery problem wiki page. [Ongoing but
low priority.]
New this time:
* Eric to create a list of scenario roles and companies participating
in each one.
* Mike J. to update the wiki to reflect what was discussed, in the
"Chained SAML/WS-Federation SSO" area (we need a new wiki page for
this).
* Scott and Mike J. to fork the infocard+federation scenario to allow
for separate SAML and WS-Fed branches.
* Mike J. to check on the applicable version of WS-Fed that he
suggests to target.
== Interop participation ==
Looking at the list of tentative participants:
http://projectconcordia.org/index.php/RSA_IOP_Scenarios
Oracle has now confirmed that it will participate, with today's two
call participants being the technical contacts. CA is still pending.
Sun's technical contact will be Pat Patterson. Sampo is interested in
the newly developing WS-Fed/SAML scenario as well as the infocard
scenarios.
AI: Eric to create a list of scenario roles and companies
participating in each one.
The Liberty event in Santa Clara, hosted by Sun, in early March was
discussed as a potential location for a dry run. Some of the RSA
participants will be around, but there won't be critical mass for a
true dry run. We'll try to get people together if their intended
interop roles will line up nicely. We do have space for Concordia
side-meetings there for the whole week.
We have one more Concordia call on March 4 before the Santa Clara
event, to give attendees of that event the best chance of exploiting
the F2F opportunity. We might be able to set up some online testing
that we can use in that timeframe.
== Report on WS-Fed/SAML2 scenario ==
Mike reports that he executed his AI from the last call to get
together with tentative participants on the WS-Fed/SAML scenario.
They met today (MSFT, Sun, Ping ID) and came up with a rough plan.
Sun, for example, first needs to ensure that OpenSSO can issue SAML2
tokens for WS-Fed, and MSFT and Ping also need to do some remedial work.
Others (e.g. Sampo) would be interested in participating if the wiki
can be updated soon enough to give them a look. What's new in our
scenario vs. what's been done in the past, e.g. the Burton multi-
protocol interop event, is the presence of the SAML2 tokens.
AI: Mike J. to update the wiki to reflect what was discussed, in the
"Chained SAML/WS-Federation SSO" area (we need a new wiki page for
this).
We believe this scenario involves WS-Fed SP, WS-Fed IdP, SAML SP, and
SAML IdP roles, all using SAML2 as their common token format. The
basic mechanism to achieve this bridging would be proxying. After
logging into the WS-Fed IdP, the issued SAML2 token could contain
authn context statements using the Concordia-defined URIs (which means
we can essentially build a composite scenario that involves the use of
all of WS-Fed, infocards, and SAML2 protocol).
Eve would like to have a "clean" scenario that deals with WS-Fed and
SAML in the absence of infocards (in addition to their presence). We
don't have a lot of time left, so we should have a small set of well-
defined scenarios. Scott concurs.
== Interop roles for all of the scenarios ==
The infocard+federation scenario bucket seems, according to the wiki,
to be solely about SAML federation; we haven't focused on details of
infocards+WS-Fed to date. We will consider interop roles for WS-
Federation that are parallel to those for SAML in our interop
participation list/matrix, and then see who signs up. We'll need to
nail down deployment details for each individual scenario using its
own set of specific protocols.
AI: Scott and Mike J. to fork the infocard+federation scenario to
allow for separate SAML and WS-Fed branches.
== RSA logistics ==
Right now we have 220 people signed up for this workshop! The room
will hold 350-400. We expect additional signups in the next seven
weeks.
Our plan is to present, for ~60 minutes, the scenarios we've chosen
and ask deployers for their further input. Then we can break and
allow people to wander around the different interop stations. Eve and
Allen are currently signed up to do this presentation. One "interop
station" may just be a continued interview-type discussion among
deployers; Eve can run this.
Britta is working on email message #1 to send to the RSA workshop
attendees who have opted in to share their email info with us. We'll
mention the confirmed interop participant companies in this email, and
supply more details in email #2 closer to the event.
== Interop roles ==
We think the following are the possible interop participation roles:
* For the infocards+federation scenarios (all using SAML2 tokens, with
the exceptions noted below):
** For the infocards+SAML2 protocol scenario (we also need an
indication of authn method):
*** Infocard client (which is also an IdP for self-asserted cards --
this needs SAML1.1 tokens)
*** Infocard RP/SAML2 IdP
*** STS (optional)
** For the infocards+WS-Fed protocol scenario (we also need an
indication of authn method):
*** Infocard client (which is also an IdP for self-asserted cards --
this needs SAML1.1 tokens)
*** Infocard RP/WS-Fed IdP
*** STS (optional)
* For the WS-Fed/SAML2 protocol bridging scenario (using SAML2 tokens):
** WS-Fed1.1 RP
** WS-Fed1.1 IdP
** SAML2 SP
** SAML2 IdP
We should point to the exact specs whose versions we intend to use:
SAML2, SAML1.1, WS-Fed ?? (Mike will check), infocards (Identity
Selector Interoperability Profile v1.0).
AI: Mike J. to check on the applicable version of WS-Fed that he
suggests to target.
Our goal is to get enough detail on the wiki to allow interop
participants to sign up; once we have coverage of the roles, we can
get down to the task of fleshing out subject confirmation details,
metadata usage details, etc. Scott suggests self-signed
certificates. He notes that there are no callbacks in our scenarios,
so we don't need to mess with TLS.
Eve Maler
Principal Engineer, Business Alliances group
Sun Microsystems, Inc.
eve.maler @ sun.com
+1 425 947 4522