Concordia telecon 19 Feb 2008
From Project Concordia
Next meeting and next steps
Tuesday, 4 March 2008, 10-11am PT / 1-2pm ET / 6-7pm UK / 7-8pm CET
Dial-in: US toll-free +1 866 469 3239 or caller-paid +1 650 429 3300, code 7860-6951#
We need to know interop participation details and A/V needs by FRIDAY, FEBRUARY 29. We will set up the list of interop roles by MONDAY, FEBRUARY 25 and will encourage all the interop technical contacts to sign up immediately and provide A/V requirements.
Attending
Eve Maler (Sun), Mike Jones (Microsoft), Ari Kermaier (Oracle), Damien Carru (Oracle), Allen Schaaf (PKMI TC), Britta Glade (LAP), Ashish Jain (Ping ID), Scott Cantor (Internet2), Brett McDowell (LAP), Shivaram Mysore, Eric Tiffany (LAP), Sampo Kellomaki (Symlabs), Gerry Beuchelt (Sun)
AI roundup
Pending:
- Eve to work up a draft of presentation material, and all to review and comment. [To be done a bit closer to the event, when the participation matrices and scenario details are filled out.]
- All to collate A/V needs for RSA by the end of February. [Ongoing.]
- Scott to flesh out the IdP discovery problem wiki page. [Ongoing but low priority.]
New this time:
- Eric to create a list of scenario roles and companies participating in each one.
- Mike J. to update the wiki to reflect what was discussed, in the "Chained SAML/WS-Federation SSO" area (we need a new wiki page for this).
- Scott and Mike J. to fork the infocard+federation scenario to allow for separate SAML and WS-Fed branches.
- Mike J. to check on the applicable version of WS-Fed that he suggests to target.
Interop participation
Looking at the list of tentative participants on the RSA IOP Scenarios page... Oracle has now confirmed that it will participate, with today's two call participants being the technical contacts. CA is still pending. Sun's technical contact will be Pat Patterson. Sampo is interested in the newly developing WS-Fed/SAML scenario as well as the infocard scenarios.
AI: Eric to create a list of scenario roles and companies participating in each one.
The Liberty event in Santa Clara, hosted by Sun, in early March was discussed as a potential location for a dry run. Some of the RSA participants will be around, but there won't be critical mass for a true dry run. We'll try to get people together if their intended interop roles will line up nicely. We do have space for Concordia side-meetings there for the whole week.
We have one more Concordia call on March 4 before the Santa Clara event, to give attendees of that event the best chance of exploiting the F2F opportunity. We might be able to set up some online testing that we can use in that timeframe.
Report on WS-Fed/SAML2 scenario
Mike reports that he executed his AI from the last call to get together with the tentative participants in the WS-Fed/SAML scenario. They met today (MSFT, Sun, Ping ID) and came up with a rough plan. Sun first needs to ensure that OpenSSO can issue SAML2 tokens for WS-Fed, for example, and MSFT and Ping also need to do some remedial work. Others (e.g. Sampo) would be interested in participating if the wiki can be updated soon enough to give them a look. What is new in our scenario compared with past efforts, e.g. the Burton multi-protocol interop event, is the presence of the SAML2 tokens.
AI: Mike J. to update the wiki to reflect what was discussed, in the "Chained SAML/WS-Federation SSO" area (we need a new wiki page for this).
We believe this scenario involves WS-Fed SP, WS-Fed IdP, SAML SP, and SAML IdP roles, all using SAML2 as their common token format. The basic mechanism to achieve this bridging would be proxying. After logging into the WS-Fed IdP, the issued SAML2 token could contain authn context statements using the Concordia-defined URIs (which means we can essentially build a composite scenario that involves the use of all of WS-Fed, infocards, and SAML2 protocol).
Eve would like to have a "clean" scenario that deals with WS-Fed and SAML in the absence of infocards (in addition to their presence). We don't have a lot of time left, so we should have a small set of well-defined scenarios. Scott concurs.
Interop roles for all of the scenarios
The infocard+federation scenario bucket seems, according to the wiki, to be solely about SAML federation; we haven't focused on details of infocards+WS-Fed to date. We will consider interop roles for WS-Federation that are parallel to those for SAML in our interop participation list/matrix, and then see who signs up. We'll need to nail down deployment details for each individual scenario using its own set of specific protocols.
AI: Scott and Mike J. to fork the infocard+federation scenario to allow for separate SAML and WS-Fed branches.
RSA logistics
Right now we have 220 people signed up for this workshop! The room will hold 350-400. We expect additional signups in the next seven weeks.
Our plan is to present, for ~60 minutes, the scenarios we've chosen and ask deployers for their further input. Then we can break and allow people to wander around the different interop stations. Eve and Allen are currently signed up to do this presentation. One "interop station" may just be a continued interview-type discussion among deployers; Eve can run this.
Britta is working on email message #1 to send to the RSA workshop attendees who have opted in to share their email info with us. We'll mention the confirmed interop participant companies in this email, and supply more details in email #2 closer to the event.
Interop roles
We think the following are the possible interop participation roles:
- For the infocards+federation scenarios (all using SAML2 tokens, with the exceptions noted below):
  - For the infocards+SAML2 protocol scenario (we also need an indication of authn method):
    - Infocard client (which is also an IdP for self-asserted cards -- this needs SAML1.1 tokens)
    - Infocard RP/SAML2 IdP
    - STS (optional)
  - For the infocards+WS-Fed protocol scenario (we also need an indication of authn method):
    - Infocard client (which is also an IdP for self-asserted cards -- this needs SAML1.1 tokens)
    - Infocard RP/WS-Fed IdP
    - STS (optional)
- For the WS-Fed/SAML2 protocol bridging scenario (using SAML2 tokens):
  - WS-Fed1.1 RP
  - WS-Fed1.1 IdP
  - SAML2 SP
  - SAML2 IdP
We need to point to the exact specs whose versions we intend to use: SAML2, SAML1.1, WS-Fed (Mike will check), Identity Selector Interoperability Profile v1.0.
AI: Mike J. to check on the applicable version of WS-Fed that he suggests to target.
Our goal is to get enough detail on the wiki to allow interop participants to sign up; once we have coverage of the roles, we can get down to the task of fleshing out subject confirmation details, metadata usage details, etc. Scott suggests self-signed certificates. He notes that there are no callbacks in our scenarios, so we don't need to mess with TLS.
