Shibboleth Team Meeting Notes: 7.11.2006

Attending: Russ Allbery, Jon Pilat, Bruce Vincent, Scotty Logan, Kevin Hall

New Action Items:

7/11.1 DK: update idp template to fix metadata download problem
7/11.2 DK: update idp template to do metadata download daily, not out of AFS.
7/11.3 Scotty: talk to Renee about generic ID for InCommon
7/11.4 Scotty: talk to Xueshan about using the MySQL service for shib
7/11.5 Kevin: Point shibboleth.stanford.edu at www/services/shib (talk to Hua)
7/11.6 Jon: Set up www/services/shibboleth
7/11.7 Scotty: File bug on http header prefix for shib--should be an apache config variable
7/11.8 Jon: Talk to Hua/JCR about 1.3e debian package (prereq for www)
7/11.9 Scotty: Confirm that OCLC is really in production
7/11.10 Scotty: 1 year vs. 2 year InCommon certs--tell Kevin
7/11.11 Scotty: document configuration for joining the various federations
7/11.12 Scotty: Test whether apache will break if there are no certs for a defined federation

Open Action Items:

4/10.9 Jon: Get approvals for ARP from ISO (re-ping tina)
4/10.10 Jon: Incorporate ARP onto the project website
5/8.2 Scotty: Review USC code for ARP enforcement (code is for shib2.0, not 1.3)
5/15.13 Q: Document install instructions for Debian
5/15.14 Digant: Document install instructions for Red Hat (add more explicit what-to-do for folks downloading from shib site)
5/15.15 Scotty: Document configuration for Stanford shibboleth webserver (forward doc to shibboleth-team@lists)
5/23.1 BV: Get .doc's of Adminguide 15.5 & 64 for Bruce (was Jon)
5/23.3 Team: Review proposed changes to admin guide wording
5/30.1 Scotty: Coordinate with Hua about installing shib on www-preview with InQueue membership
5/30.3 Q: Build makefile installer for shibd/siterefresh man pages
6/19.1 Scotty: Investigate security between 2 load-balanced IdP's
6/19.2 BV: Talk to Eric and Susan about next steps for AG work (cc team)
6/19.4 Q: Repackage SP 1.3e for Debian

Deferred Action Items:

3/27.2 Scotty: Put shib'ed web software on the shib service website
4/24.2 Russ: Review Q's OpenSAML, mod_shib packaging (xmlsecurity-c done)
4/24.3 Russ: Package new version of OpenSAML, mod_shib for debian unstable (xmlsecurity-c done)
4/24.4 Russ: Upload OpenSAML, mod_shib software to Debian (xmlsecurity-c done)

Key Dates:

Draft Policy Modifications for Shibboleth    5/15 (done)
Coordinate with External SP                  6/15 (done)
Complete SP Kit Documentation                6/15(*)
Deploy shibboleth on www.stanford.edu        7/1 -> 8/31
Package IdP Software                         7/15 -> 8/31
Document Process for Joining Federations     8/1
Website for SP applications                  8/31

(*) date at risk/missed

Notes:

Spec for "Website for SP applications"

  cgi script that collects:
    SUNetID of requester
    PTA/Acct info. (validation of PTA authority an open issue)
    Hostname (validates)
    Department owning the request
    Description of the application/use of shib
    Drop down of which federation
    Take either a cert or a csr (for InCommon)
    Sends mail to a role address to process the requests

  cert creation/validation script that:
    Turns a csr into a cert (for InCommon)
    Mail the user useful things

  lifecycle script that:
    tells users that their certs are going to expire
    contacts a department contact if there is no action

metadata download problem--shib_util.jar in the wrong place. /usr/share/tomcat/common/endorsed/. Need to install and update metadata download script and later incorporate into packaging

PTA validation is an open issue--this is being pursued through the OMR project.

HelpSU ticket to request access to a remote SP (Attribute Release Policy). Remote SP's need a Stanford sponsor (and department sponsor?) Need to determine lifecycle for ARPs--can we group them by sponsoring organization and send an annual report?

We will not have shib in Debian proper by 8/31. Packages will be available through our local Debian repository. This should be reflected in the documentation.

Bruce is taking over the policy initiative and will be following up with Eric and Susan about next steps for changes to the admin guide to support federated identity management and digital representations of Stanford. This effort will take far longer than the project is supposed to last.