UC Identity Management Conference Call
- 6/30/2004 - Notes
Participants
- Mike Baptista, UCOP
- Kalpa Barman, UCOP
- Elazar Harel, UCSD
- Bruce James, UCOP
- Gabe Lawrence, UCSD
- Brian Roode, UCI
- David Walker, UCOP
- Jerry Wilcox, UCOP
Re-Verification of User Identity
- In the absence of University policy standards for identity
management for this pilot (recommendations for such standards being an
outcome of this project), UCFY/YBO will re-verify a person's identity
the first time that person enters UCFY/YBO from a particular campus's
Shibboleth origin. Everyone still agrees with this approach.
- There was also discussion of appropriate inactivity timeouts for
authentication. The UCFY/YBO people had proposed having UCFY/YBO
prompt for the user's PIN on every entry (see Re-Verification of User
Identities Acquired from Shibboleth - DRAFT - 6/29/2004), under the
assumption that the campuses had long (several hour) timeouts, whereas
UCFY/YBO enforces a 15-minute timeout. (That is, UCFY/YBO will
require the user to re-login if there's been an inactivity period of 15
minutes or more.) It turns out, though, that UCI and UCSD have
the ability to enforce different timeouts for different
applications. (UCLA was not in the call.) Mike Baptista
will discuss this within Benefits to explore the possibility of
replacing the proposed PIN prompt with an assurance from the campuses
that they will not invoke UCFY/YBO via Shibboleth without enforcing a
20-minute timeout on the login information.
- An important issue here is who is responsible for protecting
logins: the user, identity management, or the application?
We'll want to deal with that when we develop our standards
recommendations.
Integration Testing
- We will establish test users within the UCFY/YBO databases that
can be used by UCOP people to test access through the campus
portals. Jerry, Bruce, and Mike will distribute a list of test
UCnetIDs within the next week. Each campus will be assigned three
test UCnetIDs, with some UCnetIDs shared among multiple campuses.
- We will also be testing the "logout URL" that can optionally be
provided when UCFY/YBO is invoked.
Logout URL
The issue was raised as to whether this should be passed in the
invoking URL, as originally discussed, or as a Shibboleth attribute.
- There was agreement that we should pass this on the invoking URL,
but people who were not in the call should speak up if they would
prefer it as a Shibboleth attribute.
- The tradeoff is that passing the logout URL in the invoking URL
might make it easier to control the logout URL by the context of how
UCFY/YBO is invoked. Passing it as a Shibboleth attribute might
make it easier to store logout behavior as a user preference.
- Kalpa will distribute the invoking URL format that will be
required by UCFY/YBO.
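The re-verification and timeout rules above (re-verify the first time a
person enters from a given campus origin; force a re-login after 15 minutes
or more of inactivity) and the optional logout URL carried on the invoking
URL can be written down as a small policy. The following is an added
example for these notes, not UCFY/YBO's own code: the query parameter name
`logout`, the allowlist of campus hosts, and the UCnetID/origin values are
all assumptions, since Kalpa's invoking URL format had not yet been
distributed. The host allowlist on the logout URL is the check a
practitioner would add so that the parameter cannot send users to an
arbitrary site after logout; the notes themselves do not discuss it.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# UCFY/YBO enforces a 15-minute inactivity timeout (from the notes).
INACTIVITY_TIMEOUT_SECONDS = 15 * 60

# Hypothetical allowlist of campus hosts a logout URL may point to. The
# notes name no hosts; these are assumptions for the example.
ALLOWED_LOGOUT_HOSTS = {"portal.ucsd.edu", "portal.uci.edu"}


@dataclass
class Session:
    ucnetid: str
    origin: str           # Shibboleth origin (campus) that asserted the identity
    last_activity: float  # seconds since epoch of the last request


@dataclass
class EntryPolicy:
    timeout: float = INACTIVITY_TIMEOUT_SECONDS
    # (ucnetid, origin) pairs whose identity has already been re-verified
    verified: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)  # ucnetid -> Session

    def mark_verified(self, ucnetid: str, origin: str) -> None:
        """Record that identity was re-verified for this person from this origin."""
        self.verified.add((ucnetid, origin))

    def decide(self, ucnetid: str, origin: str, now: float) -> str:
        """Classify an entry via Shibboleth as 'reverify', 'relogin' or 'allow'.

        'reverify': first entry of this person from this campus origin, so
                    identity is re-verified before a session is created.
        'relogin':  a session exists but has been idle for the timeout or more.
        'allow':    the session is live; its activity timestamp is refreshed.
        """
        if (ucnetid, origin) not in self.verified:
            return "reverify"
        session = self.sessions.get(ucnetid)
        if session is None:
            # Verified identity with no live session: start one.
            self.sessions[ucnetid] = Session(ucnetid, origin, now)
            return "allow"
        if now - session.last_activity >= self.timeout:
            # Idle for 15 minutes or more: drop the session and require re-login.
            del self.sessions[ucnetid]
            return "relogin"
        session.last_activity = now
        return "allow"


def logout_url_from_invoking_url(invoking_url: str):
    """Extract the optional logout URL passed on the invoking URL.

    The parameter name 'logout' is an assumption. Returns None when the
    parameter is absent, or when the target is not an https URL on an
    allowlisted campus host.
    """
    query = parse_qs(urlparse(invoking_url).query)
    values = query.get("logout")
    if not values:
        return None
    target = urlparse(values[0])
    if target.scheme != "https" or target.hostname not in ALLOWED_LOGOUT_HOSTS:
        return None
    return values[0]


if __name__ == "__main__":
    # Constructed sample: one person entering from two campus origins.
    policy = EntryPolicy()
    print(policy.decide("ab12", "ucsd.edu", 0.0))      # reverify
    policy.mark_verified("ab12", "ucsd.edu")
    print(policy.decide("ab12", "ucsd.edu", 0.0))      # allow
    print(policy.decide("ab12", "ucsd.edu", 1000.0))   # relogin (idle >= 15 min)
    print(policy.decide("ab12", "uci.edu", 1000.0))    # reverify (new origin)
    print(logout_url_from_invoking_url(
        "https://ucfy.example/entry?logout=https%3A%2F%2Fportal.ucsd.edu%2Flogout"))
```

Keying the verified set on the (UCnetID, origin) pair is what makes a person
who enters from a second campus go through re-verification again, which is
the behaviour the notes describe. Replacing the PIN prompt with a campus
assurance about timeouts would change only the `verified` bookkeeping, not
the inactivity check.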
Formal Shibboleth Definition of UCnetID
- We agreed that we should find a portion of the URN name space for
UC system-wide attributes, such as UCnetID.
- Gabe will propose something to the group, and David can follow
through with the appropriate naming authorities to ensure uniqueness.
Our Next Meeting
- The next conference call will be at 9:00a on June 30, 2004.
The dialin number is 510-587-6079; the call ID is 52014#; and the
password is 0500#.
David Walker - 6/30/2004