Shibboleth Team Meeting Notes: 8.17.2006

Attending: Scotty Logan, Jon Pilat, Kevin Hall, Quanah Gibson-Mount,
           Digant Kasundra

New Action Items:

8/17.1 Q/Scotty: Setup stunnel for idp2
8/17.2 Jon: Write intro paragraph for cert request site
8/17.3 Scotty: spin database schema page
8/17.4 Q: Point Digant at shib-config cert
8/17.5 Q: Work w/www-team to request InCommon certs for www, www-new, www-preview

Open Action Items:

5/8.2  Scotty: Review USC code for ARP enforcement (w/our visibility settings)
5/30.1 Q: Coordinate with Hua/jcr about installing shib on www-preview with InCommon membership
7/18.4 Q: Create a stanford-shibboleth package with metadata script and shibboleth.xml generation script.
7/24.5 BV: Forward the good pages on shibboleth from the I2 site
7/31.1 Q: Create stanford-shibboleth stow package for Solaris
7/31.2 DK: Create stanford-shibboleth RPM for Red Hat
7/31.4 Scotty: Test how shib handles failed MySQL server
8/10.3 Q/DK: Rename shib-config to stanford-shibboleth
8/10.4 Scotty: test multiple apaches, one shibd for SUL

Deferred Action Items:

4/24.2 Russ: Review Q's OpenSAML, mod_shib packaging (xmlsecurity-c done)
4/24.3 Russ: Package new version of OpenSAML, mod_shib for debian unstable (xmlsecurity-c done)
4/24.4 Russ: Upload OpenSAML, mod_shib software to Debian (xmlsecurity-c done)
5/30.3 Q: Build makefile installer for shibd/siterefresh man pages

Key Dates:

Complete SP Kit Documentation              6/15(*)
Code complete on SP application website    8/7 (done)
Deploy shibboleth on www.stanford.edu      7/1 -> 9/4
Package IdP Software                       7/15 -> 8/31(*)
Document Process for Joining Federations   8/1 (*)
Website for SP applications                8/31 (done)

(*) date at risk/missed

What's Left by 8/31:

+ Bring idp2 up as idp, rebuild idp1 in east, and point both at MySQL
+ Build shibboleth service website, including install docs
+ Finish stanford-shibboleth packages
+ by 9/4, be on www.stanford.edu

Notes:

Spec for "Website for SP applications" (Kevin)

cgi script that collects:
    SUNetID of requester
    PTA/Acct info. (validation of PTA authority an open issue)
        (javascript off of which federation is chosen)
    Hostname (validates)
    Department owning the request
    Description of the application/use of shib
    Drop down of which federation
    Take either a cert or a csr (InCommon requires csr, test-shib cert)
    Sends mail to a role address to process the requests
    Validate cert or csr (for InCommon)

lifecycle script that:
    tells users that their certs are going to expire
    contacts a department contact if there is no action

Audiences for Shib websites:

+ Managers who want an overview of how shib fits into their life
+ People who have to use shib and want to make it happen and test it
+ People with web content who are looking at options (shib vs. webauth)
+ People who are handling multi-realm authentication and need to understand how shib handles that.

stanford-shibboleth packages should include:

+ Scotty's program (shib-config)
+ wrapper script with correct options to shib-config
+ cert for signed XML
+ script for cron and/or instructions to have a cron entry for siterefresh

Quanah is coordinating with www-team to get shib onto the www's for their 9.4 release.

Libraries are in test-shib with uPortal, once we got through the maze of stow dependencies on Solaris. Scotty worked with them on Monday.

Federation schema pages are at www/services/shibboleth/federations/
Internal schema page is at www/services/shibboleth/idp/database.html

Per finance, we will sell InCommon certs at $50/year.