ADTF 2016 08 03
Password Policy Complexity/Reset Portal Update
Status of joining workstations to AD
Begin discussion to extend schema in test domain to support 2016
dattilo, kimn, sandoval, chartier, carheden, fredrick, hharris, tarrant, rjbubon, gwilliam, jtanner, jlampe, mark, erinmcd, mperna, hoekstra
Mark speaks about Anixis PPE -- just about ready to go. Input from SEG on password rules and extra password database. Question about using SMS for verification for reset; contrary to upcoming NIST guidance but there will be some time before the industry can respond. Complexity requirements are relaxed as password length grows. Will password lifetime lengthen? Not as currently configured. Getting close to opening for ADTF testing. Likely next week.
Joining workstations to AD? Where are we? It’s August… RAL has offered to help out folks, HAO and EOL intend to take advantage of that. EOL has a plan and procedure and will start “cranking them out.” What service will go first? Not yet determined -- delaying Time Card due to impact and having difficulty establishing federation. We’re being Agile. :) Question: Will it be possible to just use username, or will everyone have to type email@example.com? Will depend on product and how it can be configured. We’ll try to minimize confusion. Question: Will historical principals with @cit.ucar.edu need to be modified to @ucar.edu? Part of syncing *ought* to be standardization to @ucar.edu so it might already be handled.
Information people need ought to be on ADTF wiki -- “Cliff Notes” version. Please let Garth know if there are ways the documentation could be more useful.
Erin with IAM updates. Trying to establish ADFS federation with InCommon, Google, SciQuest (part of STEPS project). Working with Steve Waltman in F&A to federate Spring authentication for test harness, which could be used for F&A Java apps like TimeCard and Kuali. Interest from Library for DPMTool authentication via InCommon.
Which leads to the final item, testing 2016 version in test domain to support (beta version of) ADFS v4 to enable InCommon federation. Troubleshooting in both environments.
Will give warning before the Anixis product goes into production and password complexity requirements apply to (newly set) CIT passwords. CISL will let ADTF know when a date is set.
Erin on extending schema to support 2016. Will be released in September. CISL wants to experiment in test domain to see how things work. Will need it if groups start using 2016. Have to extend schema to do that according to our tests. And if ADFS 4 starts working, will need the same extension in production domain. Just a schema extension, not a full upgrade -- at this point. Questions or concerns? Question: How are we doing on CALs? Erin checks -- we will have to buy new licenses for 2016 upgrade.
Nick checked for non-EM staff -- visitors and collaborators are @CIT.UCAR.EDU. What timeframe to support those? Erin thinks we can start that conversation. Nick advocates for removing the “check for EM” flag. Will require discussion. Specifically concerned about on-site people. Maybe just V2 and V3. Erin and Mark will discuss with Aaron.
Anne-Marie raises concern that visitors and collaborators were cut off from Staff Notes posting access when authN shifted to Google Apps rather than UCAS pwd. Does UCAS pwd still work for reading? Mark will check with SWEG.
To ask RAL for help, email firstname.lastname@example.org!
Wrapped at 11:01.