Shibboleth Team Meeting Notes: 05.08.2006

Attending: Digant Kasundra, Russ Allbery, Jon Pilat, Kathy Baker, Scotty Logan, Bruce Vincent, Quanah Gibson-Mount

New Action Items:

  5/8.1 Digant: Get 2 boxes for shib testing (coordinate with Bruce)
  5/8.2 Scotty: Review USC code for ARP enforcement.
  5/8.3 Scotty: Talk to NYU streaming media folks about joining their federation (they don't use InCommon).
  5/8.4 Jon: Talk to Steven about getting Kevin or Jon Robertson to work on shib SP application website.

Open Action Items:

  1/27.12 Scotty: Submit reviewed patches back to shib project. (in progress)
  2/6.1 Bruce: Write a position paper advocating the inclusion of shib as an approved authentication technology for people authenticating to stanford.edu services and a section on federated identity management/shib/cross-realm kerberos. These would be proposed as changes to Admin Guide 64.
  2/6.2 Bruce: Write a position paper advocating the creation of an office (or authority for an existing office) to be the party responsible for the assertion of Stanford's identity digitally. This position paper should also include a statement on how services/machines are authenticated as part of stanford.edu. This assertion is required for shibboleth to assert stanford.edu identity to external institutions and/or federations.
  3/27.1 Scotty: Coordinate with Tim about shib'ed Moveable Type
  3/27.2 Scotty: Put shib'ed web software on the shib service website
  3/27.6 Scotty/Bruce: Talk to Casey/Rachel about shib for libraries
  3/27.7 Scotty/Q: Figure out URNs for suPerson attributes
  3/27.10 Bruce: Pay InCommon dues (contract w/Karen Mackie-Jones)
  4/10.9 Jon: Get approvals for ARP from ISO, Bruce, AS (Minh?)
  4/10.10 Jon: Incorporate ARP onto the project website
  4/10.11 Scotty: Get IdP WAR file to Quanah
  4/10.13 Q: Create Solaris stow packages for SP software. (in progress)
  4/24.1 Digant: Test (or coordinate testing) of Shib RPMs for RHEL
  4/24.2 Russ: Review Q's SP Packaging
  4/24.3 Russ: Package new version of SP for debian unstable
  4/24.4 Russ: Upload new SP software to Debian
  4/24.5 Q: Backport new version of SP to stable (mod_shib in progress)

Deferred Action Items:

  2/27.4 Bruce: Set up mtg w/Steve Jung & Eric (& Lauren/Susan Weinstein) once 2/6.2 writeup is complete.
  3/27.5 Russ: Send AFS web authentication presentation slides to shib-team for review. (once written)

Key Dates:

  Package Shibboleth SP Kit                     5/1 (done)
  Test Shibboleth SP Kit internally             5/15 (new version to test)
  Draft Policy Modifications for Shibboleth     5/15(*)
  Move IdP to production (unpackaged)           6/1
  Join InCommon Federation                      6/1
  Coordinate with External SP (Elsevier?)       6/15
  Complete SP Kit Documentation                 6/15
  Deploy shibboleth on www.stanford.edu         7/1
  Package IdP Software                          7/15 -> 8/31
  Document Process for Joining Federations      8/1
  Website for SP applications                   8/31(**)

  (*) date at risk
  (**) new date added

Notes:

We're meeting next week to update progress and talk about the documentation effort. We have Bruce Campbell as a resource, but we need to tell him what to write.

Usher (certs for higher ed) uses the same application process as InCommon, so we have a leg up in getting in there as well.

3 packages that have to be added to Debian for shibboleth:

  OpenSAML
  xmlsecurity-c
  shibboleth-sp

7/15 isn't a feasible timeframe for packaging the IdP software for Debian. I've proposed pushing that out until 8/31. We will be able to run the IdP in a production fashion, even if it is not packaged for Debian. We don't have the expertise in packaging Java apps for Debian, and the IdP ships as a WAR file with all the dependencies included, which is the opposite of how Debian prefers to do packaging.

The IdP will require multiple names and IP addresses for each different federation that requires you to use their certs (InCommon, for example). Less formalized federations may allow us to use our own certs, at which point we don't need a separate machine name and interface to accept the cert for the federation. Scotty proposed that the shibboleth machines be renamed to idp.stanford.edu, and the additional names be idp-incommon.stanford.edu, etc.