2. Discussion of the new version of the Shibboleth IdP, which supports defining attribute release in the metadata.
3. Looking into Social Login -
Social login is a form of single sign-on using existing information from a social networking service such as Facebook, Twitter or Google+, to sign into a third party website instead of creating a new login account for that website.
Ex: Parents (who don't have a SUNetID) can log in to a website using their Twitter, Facebook or Google account to pay their children's tuition fees.
4. Most of the time was dedicated to Q&A and thoughts on future Stanford single sign-on enhancements.
What's Next
Migrating off of WebAuth - web.stanford.edu (AFS) migration from WebAuth to SAML is "coming soon"
Cardinal Key - user/machine certificates
Infrastructure for identity management has been moved to AWS (Kerberos, LDAP, IdP, credentials cache)
Federated metadata for sites.stanford.edu and people.stanford.edu
New version of the IdP supports defining attribute release in the metadata, which hopefully will allow more automation around attribute releases
Integrations with AWS SSO
Q&A
What is SAML going to look like to the end user as it rolls out? Most services are already using SAML for authentication. Two-step authentication screen changed with the "flip" from WebAuth to SAML.
In SPDB, there is access control on configurations based on Workgroup. Why do you have to be a member of the workgroup in order to add it as an owning workgroup in SPDB? (From Alex Tayts, TCG). Workgroup names are not private; any workgroup *name* is discoverable (not necessarily the members of a private workgroup).
Social login? E.g., the use case of parents logging in to Axess using their Google identity. This has been explored a little bit by the Authentication team but not a lot of work has been done on this. Anyone who wants to do this, talk to Scotty Logan, because he's interested in use cases.
Feature request (Ken Sharp): Allow end users to request the release of workgroups that they own in the SPDB interface.
Feature request (Leroy Altman): View which attributes have already been released to the Service Provider (SP).
Feature request (Karl Kornel): If an SP requires an email address and the user doesn't have one, the SP errors. This occurs with users who have a base sponsored SUNetID. Possibly require an email address when a SUNetID is created.
Question: Is there a plan to start lifecycle management of SPDB entries? IdP stopped worrying about certificate expiration. Metadata submitted to SPDB can have a "validUntil" attribute. May start requiring that, and then using that for lifecycle management.
Question: Do we have a central collection of SAML configurations for different platforms? Scotty has a repo on code.stanford.edu with different configurations.
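The "validUntil" lifecycle check on submitted SP metadata, the metadata-defined attribute release from the What's Next list, and the "SP requires an email the user lacks" case from the feature requests, as an added Python example (not Stanford's SPDB or IdP code; the SP entity ID, sample metadata and user attribute values are constructed):

```python
"""Check SAML SP metadata the way an SPDB-style registry might: the validUntil
lifecycle state and the RequestedAttribute list an IdP can read for release.
Added example, not Stanford's SPDB/IdP code; entity ID and values are constructed."""
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted metadata
from datetime import datetime, timezone

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # LDAP "mail" attribute

# Constructed sample metadata for a hypothetical SP that requires an email address.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/shibboleth" validUntil="2025-01-31T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_utc(value):
    """SAML validUntil is an xsd:dateTime; accept the usual trailing-Z UTC form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lifecycle_state(root, now):
    """'missing' if validUntil is absent, 'expired' if it has passed, else 'active'."""
    value = root.get("validUntil")
    if value is None:
        return "missing"
    return "expired" if parse_utc(value) <= now else "active"

def requested_attributes(root):
    """Map attribute Name -> isRequired, as the IdP's release policy would read it."""
    return {ra.get("Name"): ra.get("isRequired", "false") == "true"
            for ra in root.iterfind(".//md:RequestedAttribute", MD_NS)}

def unsatisfiable_required(root, user_attrs):
    """Required attributes the user has no value for (the 'no email' failure)."""
    return sorted(name for name, required in requested_attributes(root).items()
                  if required and not user_attrs.get(name))

def check_registration(xml_text, user_attrs, now):
    """One report per registration: lifecycle state plus unreleasable requirements."""
    root = ET.fromstring(xml_text)
    return {"entityID": root.get("entityID"),
            "lifecycle": lifecycle_state(root, now),
            "missing_required": unsatisfiable_required(root, user_attrs)}
```

A registry job can run check_registration over every stored entry and flag "missing" or "expired" for lifecycle follow-up, while the same RequestedAttribute map tells the IdP which attributes to release without a hand-edited policy.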