Project planning meeting - 5 July 2006

Present: Stuart Yeates (SY), Graham Klyne (GK)

Last report: SakaiVre/PlanningProgress/20060619

This report: SakaiVre/PlanningProgress/20060705

Next meeting: 24 July 2006, 09:00 SakaiVre/PlanningProgress/20060721

1. Agenda

2. Activity since last report

Following completion of our initial Shibboleth installation, we have been tidying up some loose ends and looking at the next steps to deploying a project-wide federation, and hooking it into Sakai. Also, we have conducted further investigations into Shibboleth user attributes and their relation to individual institutional user data. The main technical problem currently facing us is how to integrate Shibboleth into Sakai - the available information about how this might be achieved is rather sparse, and we shall probably need some help from some quarter to get to the bottom of this.

2.1. Actions closed or completed

20060619.2

[GK] Review Stuart's notes about publishing LDAP attributes via Shibboleth (LDAP mapping, ARP, AAP). DONE.

20060619.6

[GK] Draft an email and wiki page to open discussion with other project partners about a multi-site Shibboleth deployment for the VRE project. Sent: see SakaiVre/ShibbolethFederation. Response so far has been muted.

20060605.3

[SY] Update Sakai installation notes to reflect Java 1.5 installation (see SakaiNotes) Done.

20060619.5

[SY] Arrange more formal meeting with Christian Ferneau and Kang Tang to discuss (a) attribute passing models, (b) multi-federation protection of web pages, (c) deployment of shared Shibboleth IdP for Sakai and ShibGrid projects, (d) hardware and software platform deployment options (bearing in mind performance issues and a possible limitation of available machine room space; possible use of virtualization?). Done. See: SakaiVre/ShibbolethPlanning/20060621 (and emails).

20060619.7

[SY] Prepare an initial list of attributes generated by OUCS LDAP, and the Shibboleth mappings used. This will be used to help seed project-wide discussion. Done. See: SakaiVre/AttributeMappingsTable.

20060508.2

[GK] Finish securing the Sakai VRE demonstrator system. HSM is now installed and running. See SakaiVre/MachineStatus.

  • On 2006-06-21, we have decided to undertake some housekeeping on the Shibboleth/Sakai host system: there is a kernel upgrade to install, old log files to clear out, and the system needs rebooting to ensure all services start up OK. This was completed without problems (though we have yet to confirm that HSM will restart on reboot.)
  • Related to the previous point, document key services we are using, with init.d script file name (if any) and location of log files. See SakaiVre/MachineStatus.

  • Created a wiki page about MyProxy, as this affects the ShibGrid project's use of Shibboleth. See MyProxy.

  • Following a warning about a serious Shibboleth security flaw http://shibboleth.internet2.edu/secadv/secadv_20060615.txt, our Shibboleth service provider installation has been upgraded, using the procedure previously documented ShibbolethInstallNotes.

  • Stuart has created an AWK script to convert LDAP (LDIF?) format user descriptions into RDF/XML using FOAF and other vocabularies.
2.2. Actions progressed

20060619.1

[GK] Initiate process of SDSS federation credentials. Have obtained an SDSS CA certificate, but have not yet joined the SDSS federation. See http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:84:200606:hbmpafckdeclpnjmmgmb.

20060619.3

[GK/SY] Initiated investigation of how to make Shibboleth attributes available for use in Sakai access controls. Initial investigation of Sakai web site is not very helpful. Investigations are being recorded at SakaiVre/SakaiUserDirectoryProvider

2.3. New activities and notes

20060705.1

[GK] add details from David Spence (CCLRC/RAL) to wiki page at SakaiVre/ShibbolethFederation, and email Sakai project list in attempt to prompt further responses.

20060705.2

[SY] investigate OUCS procedures for spinning up new shared trial facilities.

20060705.3

[SY] draft a paragraph about LDAP/Eduserve groups to add to the federation page at SakaiVre/ShibbolethFederation (or some other appropriate location).

20060705.4

[GK] Add note about EduPerson attributes (cf. EduCause site) to the federation page at SakaiVre/ShibbolethFederation.

20060705.5

[SY] Send URI link to EduPerson attribute information to local project mailing list (in support of action 20060705.4).

20060705.6

[GK] Review RDF from Stuart's conversion of LDAP user information, and provide feedback.

2.4. Summary of ongoing actions brought forward

20060301.5

[SY] Analysis of search requirements.

20060301.10

[GK] Add Shibboleth authentication to Sakai. We are now ready to start looking into this. See also, new action 20060619.3.

20060301.9

[GK] Port SPIE Shibboleth/WSRP (cf. work by Jasper Tredgold) to Sakai: (Waiting for 20060301.10) Install Shibboleth/WSRP software locally, and convert to work with Sakai. The main remaining unknown is to get Shibboleth attributes into the Sakai portal framework - this has been separated out as a new action 20060619.3.

20060301.11

[GK] Investigate Sakai background technologies (Spring, JSF) (See SakaiNotes; TODO: input concerning JSF.)

20060619.1

[GK] Initiate process of SDSS federation credentials. Have obtained an SDSS CA certificate, but have not yet joined the SDSS federation. See http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:84:200606:hbmpafckdeclpnjmmgmb.

20060619.3

[GK/SY] Initiated investigation of how to make Shibboleth attributes available for use in Sakai access controls. Initial investigation of Sakai web site is not very helpful. Investigations are being recorded at SakaiVre/SakaiUserDirectoryProvider

20060619.4

[GK/SY] Write Shibboleth configuration document, in particular showing how the various configuration elements and functions are inter-related.

20060619.8

[SY] Investigate performance problems with our Sakai/Shibboleth demo machine, and propose appropriate upgrade or route resolution.

3. Discussion

3.1. Shibboleth integration with Sakai

This is now our top technical priority, and is looking as if it could be problematic. Documentation about how to hook single sign-on systems into Sakai is sparse and fragmented. So far my request to the sakai-dev mailing list has drawn very little response, though I did get one useful pointer to the Sakai "UserDirectoryProvider" code, which appears to be key to this undertaking. (I notice that I don't seem to be able to link directly to messages in the email archive, which is IMO a fundamental failing for a system that claims to be a web-based collaboration system.)

GK has started exploring the Sakai code base - notes are at SakaiVre/SakaiUserDirectoryProvider. We are planning to work together today (20060705) or Friday (20060707) to try and jointly learn more from the codebase and/or available documentation about how we can integrate Shibboleth into Sakai, and identify possible avenues of independent further investigation.

GK has also started to delve a little more deeply into Java and servlet authentication and authorization frameworks; in particular how servlets interact with JAAS.

If we get stuck (which currently seems likely), the following sources of further information might be mined:

3.2. Coordinating with other project partners

(See also discussion notes at SakaiVre/PlanningProgress/20060619, section 3.2)

A wiki page has been created SakaiVre/ShibbolethFederation, and an initial email has been sent to the project mailing list http://tools.iso.port.ac.uk/pipermail/sakai-vre/2006-June/000062.html.

So far the response has been muted (http://tools.iso.port.ac.uk/pipermail/sakai-vre/2006-June/000063.html), and I've also had a response from David Spence at RAL (http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:86:eiagcpckjaejkligacnj). It's not clear to me that other project partners are currently engaged with this issue, and it's not obvious to me [GK] how to change this. For now, I'll update the wiki page with David Spence's response and send another message to the project mailing list (see new action 20060705.1). (See also, new action 20060705.3.)

More broadly, it's not clear to us who should be driving coordination of project-wide elements like this, and what the appropriate mechanisms are for raising urgency in other groups. Or indeed, just identifying who from the partner sites might be involved.

3.3. Shared Shibboleth facilities in Oxford

We held a meeting with SPIE/ShibGrid - this was a useful meeting, but there weren't any compelling outcomes to drive further activity. See SakaiVre/ShibbolethPlanning/20060621.

Stuart reports that there is an OUCS procedure/protocol for creating new shared facilities for trial purposes like this (see new action 20060705.2)

After our planning meeting, Christian Fernau mentioned that he had re-installed the SPIE Shibboleth services platform to use Xen virtualization http://www.cl.cam.ac.uk/Research/SRG/netos/xen/, rather than User Mode Linux (UML), which he reports is more reliable, faster and better maintained.

Separately, we've created a wiki page about MyProxy, as this affects the ShibGrid project's use of Shibboleth. See MyProxy.

3.4. User profiles

Stuart has created an AWK script prototype to convert LDAP (LDIF?) format user descriptions into RDF/XML using FOAF and other vocabularies. This will be used as a basis for selective release of information from LDAP for search purposes, and also for exploring harmonized access to user-related search facilities across multiple sites in the Shibboleth federation. (See also action 20060705.6).
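The conversion and selective-release step described above, as an added example that is not Stuart's AWK script or any other project code: a small Python converter that parses LDIF (handling folded continuation lines and `::` base64 values), then emits FOAF RDF/XML for an allow-listed set of attributes only. The sample LDIF entries, the release policy and the `ep:` affiliation namespace are constructed for illustration; the FOAF and RDF namespace URIs are the real ones.

```python
"""Convert LDIF user entries to FOAF RDF/XML, releasing only allow-listed attributes."""
import base64
import hashlib
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
FOAF_NS = "http://xmlns.com/foaf/0.1/"
# Placeholder vocabulary for attributes FOAF has no term for (assumption, not from the page).
EP_NS = "http://example.org/vocab/eduperson#"
ET.register_namespace("rdf", RDF_NS)
ET.register_namespace("foaf", FOAF_NS)
ET.register_namespace("ep", EP_NS)

# Constructed sample LDIF (not real directory data). It deliberately includes a
# base64-encoded password hash and a folded description line, both of which the
# parser must cope with and the release policy must keep out of the output.
SAMPLE_LDIF = """\
dn: uid=abcd1234,ou=people,dc=example,dc=ac,dc=uk
objectClass: person
objectClass: eduPerson
uid: abcd1234
cn: Alice Example
sn: Example
mail: alice.example@example.ac.uk
eduPersonAffiliation: staff
eduPersonAffiliation: member
telephoneNumber: +44 1865 000000
userPassword:: e1NTSEF9ZmFrZWhhc2g=
description: A long description that is folded over two
  lines in the LDIF file

dn: uid=wxyz5678,ou=people,dc=example,dc=ac,dc=uk
objectClass: person
uid: wxyz5678
cn: Bob Example
mail: bob.example@example.ac.uk
"""

# Release policy (constructed): LDIF attribute (lower-cased) -> RDF property.
# This is an allow-list: any attribute not listed here is never emitted, so
# userPassword, telephoneNumber and description stay on the LDAP side.
RELEASE_POLICY = {
    "uid": (FOAF_NS, "nick"),
    "cn": (FOAF_NS, "name"),
    "sn": (FOAF_NS, "familyName"),
    "edupersonaffiliation": (EP_NS, "affiliation"),
}


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> list of values."""
    # RFC 2849 folding: a line beginning with one space continues the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def entry_to_foaf(entry, parent, hash_mail=True):
    """Append one foaf:Person to parent, emitting only attributes the policy releases."""
    person = ET.SubElement(parent, f"{{{FOAF_NS}}}Person")
    for attr, values in entry.items():
        if attr == "mail":
            for v in values:
                if hash_mail:  # FOAF convention: sha1 of the mailto: URI, not the address itself
                    digest = hashlib.sha1(f"mailto:{v}".encode()).hexdigest()
                    ET.SubElement(person, f"{{{FOAF_NS}}}mbox_sha1sum").text = digest
                else:
                    ET.SubElement(person, f"{{{FOAF_NS}}}mbox",
                                  {f"{{{RDF_NS}}}resource": f"mailto:{v}"})
            continue
        mapping = RELEASE_POLICY.get(attr)
        if mapping is None:
            continue
        ns, prop = mapping
        for v in values:
            ET.SubElement(person, f"{{{ns}}}{prop}").text = v
    return person


def ldif_to_foaf_xml(text, hash_mail=True):
    """Full LDIF text -> RDF/XML document string."""
    root = ET.Element(f"{{{RDF_NS}}}RDF")
    for entry in parse_ldif(text):
        entry_to_foaf(entry, root, hash_mail)
    return ET.tostring(root, encoding="unicode")


def released_properties(text, hash_mail=True):
    """Set of namespaced property tags present in the output; handy for checking a policy."""
    root = ET.fromstring(ldif_to_foaf_xml(text, hash_mail))
    return {child.tag for person in root for child in person}


if __name__ == "__main__":
    print(ldif_to_foaf_xml(SAMPLE_LDIF))
```

Because the policy is an allow-list rather than a deny-list, a new attribute added to the directory schema is withheld until someone decides it may be released; the `released_properties` helper makes that decision auditable. The default of `foaf:mbox_sha1sum` lets federation partners correlate the same person across sites without publishing the address itself.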

3.5. Other

Following a warning about a serious Shibboleth security flaw http://shibboleth.internet2.edu/secadv/secadv_20060615.txt, our Shibboleth service provider installation has been upgraded, using the procedure previously documented ShibbolethInstallNotes:

4. Notes for next meeting

(Matters arising following the planning meeting.)

20060705.4

[GK] Add note about EduPerson attributes (cf. EduCause site) to the federation page at SakaiVre/ShibbolethFederation. Done.

20060705.5

[SY] Send URI link to EduPerson attribute information to local project mailing list (in support of action 20060705.4). Done.

20060705.1

[GK] add details from David Spence (CCLRC/RAL) to wiki page at SakaiVre/ShibbolethFederation, and email Sakai project list in attempt to prompt further responses. Done.

20060705.6

[GK] Review RDF from Stuart's conversion of LDAP user information, and provide feedback. Done - see [:].

20060705.3

[SY] draft a paragraph about LDAP/Eduserve groups to add to the federation page at SakaiVre/ShibbolethFederation (or some other appropriate location). Done - see http://maillist.ox.ac.uk/ezmlm-cgi?3855:mss:96:200607:bjpidnkgfknbdhbakack. Comments have been added to SakaiVre/AttributeMappingsTable.


-- GrahamKlyne 2006-07-05 11:08:06

OSSWatchWiki: SakaiVre/PlanningProgress/20060705 (last edited 2013-04-15 13:56:25 by localhost)
