Middleware Coordination, Cooperation and Copenhagen

I will be spending today at the tf-emc2 meeting in Copenhagen. For those of you not familiar with tf-emc2, it is safe to say it is the home of the uber-techies involved in middleware stuff in Europe (and indeed beyond, with Ken Klingenstein in the room). I’m in a mellow mood after being charmed with great food and free wine at my hotel last night, so will probably be very enthusiastic about everything that comes out of the meeting. Forgive me.

Moving Metadata Around

We start with great promise with a report from Ken on the rather tongue-in-cheek ‘BEER’ (Bucket of End Entity Registrations). I think the name may change at some point 🙂 The idea here is that a place is created where people can ‘dump’ entity metadata for general use. The metadata would carry with it the name of the depositor and would have to meet some general technical standard requirements, but other than that it would not carry a strong policy trust framework. It would have ‘terms of use’ that place the risk on the consumer. This will be a very interesting experiment in pushing the boundaries of trust and trust requirements. Something to keep an eye on, and something I will be looking for volunteers in the UK to play with. Literally, I will be encouraging you to consume BEER!

How Many IdPs?

We moved on to a conversation about why an institution would want to have multiple IdPs. The purists in the room pointed out that it was technically easy to have one IdP, and that it provided a strong trust argument if there was one authoritative point of access for an institution. The more practical amongst us pointed out that many institutions have medical schools, library directories for external users, alumni directories and start-up companies / BCE-style organisations that really want to maintain a separate directory and IdP. I think this again reflects the very different political landscapes in the smaller European countries compared to places like the UK, the US and Australia.

Monitoring, Testing, Proving, Baking

One of the areas that people have been interested in for a long time is the monitoring and diagnostics space. On a practical level, in the UK we are making some progress here in terms of baseline statistics through RAPTOR and the JISC Usage Statistics Portal. The more basic work of monitoring problems (downtime) and diagnosing them still has some way to go, but the librarians who spend a vast amount of time reporting downtime from publishers will appreciate the absolute need in this area.

This is a nut tf-emc2 is very keen to crack. There is some work within the GEANT framework to do this (GN3-JRA3-T2: Federation Lab, for those of you who understand the strangeness of GEANT) and there has been some basic work using Nagios as a framework, but there is no tabled solution at the moment. This is something the UK federation Board discussed at a recent meeting, so we are fully aware of the UK need for this.

Definition Requirements

Something we haven’t discussed much in the UK is SCHAC. The reason for this is simple – the UK federation has taken the stance that it will only make recommendations around a small set of attributes using the eduPerson specification. SCHAC takes things a bit further for those interested in a full scope, perhaps people looking at the Identity Management Toolkit and the upcoming call on Identity Management from JISC. This really follows on from previous posts about the problems we are facing in encouraging institutions to populate more attributes. This basically comes down to a disconnect between where the requirement comes from (library, virtual organisation) and the owner of the directory (IT department). This is definitely a problem we need to crack if we want to exploit the potential of federated access and the potential of virtual organisations, but how do we manage this?

The Proxy Question

A bit of a blast from the past when the idea of a centralised proxy service came up today. We looked at this issue at JISC back in March 2008. In some ways this does make sense for IP-only resources, but I have lots of reservations. The more opportunities we give people to take ‘the easy way out’ of IP access, the fewer opportunities we will have for decent access and identity management in the future. We also run the risk of annoying people like EZproxy by destroying their business models. I also think the complexities of trying to keep a central service supplied with up-to-date information are not scalable – certainly in the UK. A couple of NRENs are looking at taking this forward however, so we will keep an eye on this.

Collaborating on Collaborations

I’ve mentioned COManage a couple of times, and it is starting to show some maturity as a platform for managing virtual organisations. There are some great mock-ups on the site, and these will be of interest to the VRE people, I would have thought. A very similar project is COIN from SURFnet.

In Perfect Harmony…

Well, the saml2int profile just has to be important in terms of getting us all in line. I hope that we will all be able to move towards this regardless of software (Shibboleth, OpenAthens, Guanxi), but I would encourage you to be asking for it!

Other important work in this area is the Kantara Full Matrix test – as this becomes embedded, it should be an excellent way for you to tell if something is *really* SAML compliant, as it will come complete with test results and the rubber stamp of approval that we have been reluctant to take on as federations testing software.

For more lightweight testing, and as I mentioned earlier, Feide are working on an Automated Testing Tool – essentially a test IdP that emulates HTTP to create real test environments for people installing SAML products. This is still work in progress, but there is a great video available.

Other Stuff

For those of you interested in OAuth, Diego gave an overview of OAuth2lib – a project they are working on to integrate OAuth at PAPI. I won’t say much more, as I really am not qualified to talk about OAuth, but I will link to the slides when they are made available.

Our very own Logins4Life project had a quick demo – see more on the Logins4Life website.