General Feedback on Authentication and Identity mapping

Requirements/Suggestions drawn from notes below:

Top priorities have to do with (1) minimizing the steps the user has to take to gain access, (2) reducing barriers and annoyances wherever possible, including longer certificate lifetimes and timeout values, (3) providing help / tooltips / feedback throughout, and (4) removing information, tabs, and functions that are not essential for users.

Group 1: minimizing steps the user has to take to gain access

Group 2: reducing barriers and annoyances

Group 3: providing help / tooltips / feedback throughout

Group 4: removing information and functions

Group 5: other functional requests
Ad hoc notes from Session 1
Ad hoc notes from 1:00 Auth ID Session

- Is logging using logged in identity? (yes)

- Can we assume IDs are unique w/o a provider?

- What if one of my IDs gets re-allocated to another user at one of my institutions? A: This is a problem. We need to work this issue, but we think it is rare. Also, InCommon "best practice" requires InCommon members not to re-use identities.

- Should we block certain IDs, such as postmaster? (prevent ID reuse by product)

- if you have multiple mapped identities - how do you decide which organizational affiliation is used for data creation? A: The affiliation is the affiliation used for login.

- Revocation of access - how to handle

- can we allow a group to own a group? (we would like to)

- Can we allow multiple admins for a group (delegation)?

- What does "Remember my OK" mean? Add a tool tip.

- explain page - what is a certificate and why should I love them?

- Put cert lifetime on CILogon page (user info)

- What lifetime should be allowed? Should it vary by role (e.g. read only -> 2 weeks)?

- What info should DataONE collect and keep for D1 user identities; what information should MNs collect?

- Need "report false map" for ID mapping; how to watch for abuse?

- What should be done with existing D1 accounts (Plone, ...)?

- This seems complicated. It would seem easier to use a Dryad ID. Please start with my home institution ID.

- Seems not optimized for the common case that the majority of users will use.

- The proposition that "the first time is more complicated" is not true. We want the barrier lowest the first time.

- Need a FAQ to explain how (why?) anyone would want to do a more advanced ID management function.

- For personalization, give feedback not only as "Hello Bertram" but as "Hello Bertram (@google, @Dryad, ...)".

- Make an additional plugin for leveraging logins at MNs for DataONE.

- Shouldn't DMPTool use CILogon access to federated identity instead of creating a new DMPTool U/P combination?

- Consider using e-mail instead of web login for the identity proofing for identity association.

- Make it clear what can be done without a login

- Keep in touch with ORCID for an industry-wide identity mapping and pull it into the slide deck to show.


Raw Notes from Ben Birch; annotated with Bruce Wilson's transcriptions
Tamaya A Session 

    What do you mean by authentication? 
       There are levels of authentication. 
        
    Identity Mapping   
    You have to send a query to Chicago, e.g.? 
        Yes. You only have to do it once.
        
    Groups
    How about a group owning a group? 
        
    Begin Logon
    Would "Remember my OK" extend the life of the certificate?
        That would allow you to skip that step (for a certain amount of time)

    What would stop a user from making an extremely long time for the life of the certificate? 
        Built-in maximum. 
    
    Is this a login workflow or an identity management workflow? 

    This seems too complicated compared to other logins. 

    This is a barrier to entry. 
        There is a lot of functionality accessible without a login. 

    It's good to have a solid certificate base like we are developing

Badger A & B Session

    No new DataONE passwords
    CILogon handles authentication. 

    Initial Logon 
    Begin login
    Select identity provider 
    Certificate based identification 
    
    Identity mapping 

    DataONE recognizes any identity you have established. 
    Some legacy accounts may be no longer valid. 

    Groups 

    Mapping Issues 
        Map identities to google login
        Log out 
        
        Remember my selection? 
            We decided that an 18 hour limit is practical. 

        How about having a longer time than 18 hours? 
        
        I think that reading should be less of a barrier! 
            Some member nodes say data is readable by any authenticated user. 

        You can specify access rules on a group basis. 

        Do data providers specify filters for access? 
            
        The member node gets to decide who can write to the data. 

        Does the member node have to accept the DataONE credential? 
            Yes. 

        If I'm a brand new user, what do I see that tells me what I need to do to authenticate? 
            Initiation process. 
            Which account do you want to use to verify?  
            A brand new user can do a lot without logging in. 

        How hard is it to get your identity provider to certify you? 
            Depends on the provider. 

        If you get riffed, and that ID is no longer valid, how do I know what other options I have?

        You need more "What Is This" clickable help features. 
        
        Scrolling through a long list of providers would be a problem. Predictive search is a good solution.
        
        Hide LDAP field from user, show in more user-friendly format
        
        Need to handle duplicated emails
        
        Consider using forever cookie for known IDs to populate a list?
        
        Have an indicator on page for "log in as" or not log in
        
        Consider having a desktop app for certificate generation?
        
        Consider if users can reuse Java applet
        
        No need to show all accounts list
        
        

Hawk B & C Session
    Identity mapping (done within DataONE) 

    Crucial to allowing access to older data

    Groups 
       We need to have a way to allow someone to co-manage a group.
       
       What about groups within groups?
       Can a group be a rights-holder?

    Begin logon
    Select an identity provider
    Log on
    Certificate Lifetime (in hours)
    Remember my OK for the site
    Have certificate. 
    Log off. Log in under Google password.
    New identity not connected to other identity. That's where identity mapping comes in. 
    Logged in as Chicago ID. 
    Mapped to Google identity.

    Who is CILogon? 
       NSF funded middleware service.              

    When you were setting up a Google identity, you were kicked off the DataONE site to the Google site. 
    Wouldn't this be confusing to users? 

    What's this Certificate Lifetime thing? 
        It was set as a practical compromise. 

    What about the accumulation of expired certificates? 
        They are overwritten. 
        We opted for a less secure and less burdensome solution. 

    I work in a library where we have different levels of security. Could that be used in DataONE? 
        We don't want to get into having levels of users. That's not necessary in DataONE. 
    
    Are there any concerns over allowing access for 18 hours? 
        But owners of the artifact have control over their datasets.  
    
    What about shared computers, especially in school settings?  
    - how to revoke a certificate
    - make a "public computer" checkbox
    - what does a user logout do
    
    Does a logout wash the browser cookie? 
    
    Do we need the option of requesting different certificate lifetimes?
        An alternative is using a proxy certificate. Proxy chains can be created. 
    
    From a user interface standpoint, could this be simplified? 
    
    How might one generate user profiles based on identity? 
        The principle of public access to data was paramount in our decision process. 

    How about privacy? 
        There are two sides: one that wants anonymous use, the other wants user data collected. 
        
    Define the default access policy
    
    Is identity mapping transitive? (e.g., A->B, B->C, so A->C?)
    
    Consider the following two situations: 
    (1) If a user does a long run for a large computation and the certificate expires during the run, how does one renew/update the certificate?
    (2) If a user begins a long download, how to handle authentication: multi-package download or show timed out?
    
    For the above two situations, how can they be done for Kerberos/AFS?
    
    Consider programmatically renewing a certificate, but it may create a hole.
 
WOLF B & C
    Who maintains CILogon? 
        It's an NSF-funded middleware initiative. 
    
    Identity mapping 
    
    CILogon handles authentication. 
    DataONE handles authorization. Identity mapping is part of authorization. 

    How can I know that the data that I archived 10 years ago is still mine? 

    Do members of a group inherit all the privileges of the group creator? 

    How do you set up access rules? 
        Each digital object sets its own access rules. 

    What about people that process data over a long period? 
    
    What about getting the certificate from the R-script? 
    
    What does "how long my certificate lasts" mean? It means "Remember me for ...", maybe consider changing the wording
    
    Document certificate download process: include lifetime for certificate in docs.
    
    Certificate cleanup process: 
    - some apps have a path/password for the certificate. 
    - Certificate is not password protected.
    
    How to do scheduled task?
    - request certificate for longer life
    - proxy certificate chain
    
    "Logged in as" banner?
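
The questions raised across these sessions about transitive identity mapping, removing a false map, the rights holder being the identity used at creation, and the 18-hour built-in maximum on certificate lifetime, worked through in an added Python sketch. This is illustrative code written for these notes, not DataONE or CILogon code; the class and function names and the provider strings are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

# Built-in maximum for "Remember my OK" / certificate lifetime (18 hours in the notes)
MAX_CERT_LIFETIME_HOURS = 18

class Identity(NamedTuple):
    provider: str   # identity provider that authenticated the user (CILogon's side)
    subject: str    # identifier asserted by that provider

class IdentityMap:
    """DataONE-side mapping of several identities to one person (authorization side).
    Links are undirected and resolved transitively, so A->B plus B->C makes
    A, B and C equivalent.  A link can be removed again ("report false map")."""
    def __init__(self) -> None:
        self._links: dict[Identity, set[Identity]] = defaultdict(set)

    def map(self, a: Identity, b: Identity) -> None:
        self._links[a].add(b)
        self._links[b].add(a)

    def unmap(self, a: Identity, b: Identity) -> None:
        self._links[a].discard(b)
        self._links[b].discard(a)

    def equivalent(self, ident: Identity) -> set[Identity]:
        """All identities reachable from ident through mapping links (ident included)."""
        seen, todo = {ident}, [ident]
        while todo:
            for nxt in self._links[todo.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def same_person(self, a: Identity, b: Identity) -> bool:
        return b in self.equivalent(a)

def may_modify(idmap: IdentityMap, rights_holder: Identity, login: Identity) -> bool:
    """Object-level rule (hypothetical): the rights holder recorded at creation, or any
    identity mapped to it, may modify the object; read access is decided by the MN."""
    return idmap.same_person(login, rights_holder)

def certificate_lifetime(requested_hours: float) -> float:
    """Clamp a user-requested lifetime to the built-in maximum."""
    if requested_hours <= 0:
        raise ValueError("lifetime must be positive")
    return min(requested_hours, MAX_CERT_LIFETIME_HOURS)
```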

BEW general observations across sessions: