ShibGrid architecture meeting 9 March 2006

Present: Matt Viljoen, Jens Jensen, David Spence, David Wallom and Mark Norman

David showed us his great work in fleshing out the high-level architecture (see architecture pdf - N.B. "CDR" = Corporate Data Repository). This effectively covers the use case of the user who does not have a certificate and gets a lower-assurance certificate from myProxy.

The other use case (to be drawn up) is where the user has (or puts) a proxy certificate in the myProxy server.

DNs on short-lived certificates

One idea is that the IdP/AA should hold the DNs so that they can be mapped through to the eventual short-term certificate generated by myProxy (so that AuthZ would occur seamlessly across the NGS via known DNs). However, it is likely that the DN for a person without a certificate can be generated via an algorithm at myProxy or the portal.

Second scenario (user has long-term cert. and wants to put a proxy in myProxy)

There is a second myProxy server on the same machine.

The user generates the proxy certificate on their client and uploads it into myProxy. The current upload tool is difficult to use and would not fit this purpose. Therefore, David is to work on his own Java upload tool - probably accessed from a web page - so that we know the Shib 'identity' when the certificate is uploaded (to avoid the user having to invoke their SSO credentials as well as their own myProxy username/password).

Oxford developer

David W, Mark and Andrew Martin are interviewing a candidate today (9th of March). So hopefully there will be good news very soon!

Other notes

  1. We need to mention something about certificate lifetimes (or make suggestions for a live/production system). Should the lifetimes reflect the Shibboleth session lifetime in any way?
  2. Requirements: Jens has a set from the Diamond users (good). (Someone needs to check with the Integrative Biology users).
  3. There were some fears expressed that the development required within the NGS portal may not be forthcoming (at least in a timely way). We may need a contingency of using - possibly - the Integrative Biology portal.

Who does what?

Early plans are:

David Spence

Work on the various bits of myProxy and to (develop and) shibbolise his proxy upload tool.

Also to work on establishing the Shibboleth IdP and AA at RAL.

The portal work

Not David S!

Possibly the Oxford developer (not yet recruited): we need to see his expertise.

We have some resource at CCLRC Daresbury that should be able to be used for this.

Action and things we need to find out

  1. (Regarding step 6 on David's diagram) Does the IdP sign the attribute assertions?

    • (Or do we trust the TLS tunnels between IdP and portal, and between portal and myProxy?) If the assertions are not signed, we may need an extra callout (8b?) for myProxy to check directly with the IdP/AA. Mark to forward contact details of some people who may be able to help with this.

  2. We need requirements (and other input) from the Oxford Integrative Biology users. Also David would like to know what AA schema is used in Oxford. (The same contacts that Mark will forward should be able to help with this).
  3. David W to liaise with Matthew Mascord regarding the use of the IB portal and obtaining requirements there.

  4. David W also raised the idea of the portal containing a virtual command-line portlet environment. Action: we should discuss this a few months down the line (to see if it is workable within the project). It certainly seems to be a good idea.

  5. Andrew Martin (probably) should contact Rob Allen at Daresbury to schedule the portal work.

  6. Jens to somehow 'publish' the Diamond user requirements.

Next meeting

The suggestion is to have the next meeting in approximately one month over access grid. In two months, we should try for another face-to-face.

Possible dates for next meetings

AG around 10th April

(N.B. this is likely to be Easter holidays for some people, e.g. Mark is away between 6-17 April inclusive). Possible dates:

Please feel free to create a username for the wiki and edit this page to put in your available dates.

Mark can do:

Next F2F

Possible dates:


ESPGRIDwiki: ShibGridMtg9Mar (last edited 2013-05-17 16:26:47 by localhost)