Back to MeetingNotes

You can edit this page!

• just click Login above and

• create a user and
• hey presto, it's all editable!

ShibGrid architecture meeting 9 March 2006

Present: Matt Viljoen, Jens Jensen, David Spence, David Wallom and Mark Norman

David showed us his great work in fleshing out the high level architecture (see architecture pdf - N.B. "CDR"=Corporate Data Repository). This effectively covers the use case of the user who does not havr a certificate and gets a lower assurance certificate from myProxy.

The other use case (to be drawn up) involves where the user has (or puts) a proxy certificate in the myProxy server.

DNs on short-lived certificates

One idea that the IdP/AA should hold the DNs so that they can be mapped through to the eventual short-term certificate generated by myProxy (so that AuthZ would occur seamlessly across the NGS via known DNs). However, it is likely that the DN for a person without a certifiate can be generated via an algorithm at myProxy or the portal.

• N.B. in future (possibly beyond this project) we would need a way of mapping DNs so that the low assertion level DN is later mapped to a higher assertion level certificate DN if the user decides to get a long term certificate. (To avoid them having to register twice at the NGS).

Second scenario (user has long-term cert. and wants to put a proxy in myProxy)

There is a second myProxy server on the same machine.

• (One is integrated with kerberosCA for scenario 1, but both need to be made to talk to single sign on and Shibboleth somehow).

The user generates the proxy certificate on their client and uploads it into myProxy. The current upload tool is difficult to use and would not fit this purpose. Therefore, David is to work on his own Java upload tool - probably accessed from a web page - so that we know the Shib 'identity' when the certificate is uploaded (to avoid the user having to invoke her SSO credentials as well as their own myProxy username/password).

• N.B. We will need a persistent identifier to come from the AA. This could be the DN, but does not need to be (as long as a mapping from ShibID - probably eduPersonTargetedID [pseudonymous] or eduPersonalPrincipalName [explicit] - is made to the DN at the portal or myProxy level).

Oxford developer

David W, Mark and Andrew Martin are interviewing a candidate today (9th of March). So hopefully there will be good news very soon!

Other notes

1. We need to mention something about certificate lifetimes (or make suggestions for a live/production system). Should the lifetimes reflect the Shibboleth session lifetime in any way?
2. Requirements: Jens has a set from the Diamond users (good). (Someone needs to check with the Integrative Biology users).
3. There were some fears expressed that the development required within the NGS portal may not be forthcoming (at least in a timely way). We may need a contingency of using - possibly - the Integrative Biology portal.

Who does what?

Early plans are:

David Spence

Work on the various bits of myProxy and to (develop and) shibbolise his proxy upload tool.

Also to work on establishing the Shibboleth IdP and AA at RAL.

The portal work

Not David S!

Possibly the Oxford developer (not yet recruited): we need to see his expertise.

We have some resource at CCLRC Daresbury that should be able to be used for this.

Action and things we need to find out

1. (Regarding step 6 on David's diagram) Does the IdP sign the attribute assertions?

   • (Or do we trust the TLS tunnels between IdP and portal, and between portal and myProxy?) If the assertions are not signed, we may need an extra callout (8b?) for myProxy to check directly with the IdP/AA. Mark to forward some possible contact details who can help with this.

2. We need requirements (and other input) from the Oxford Integrative Biology users. Also David would like to know what AA schema is used in Oxford. (The same contacts that Mark will forward should be able to help with this).

3. David W to liaise with Matthew Mascord regarding the use of the IB portal and obtaining requirements there.

4. David W also raised the idea of the portal containing a virtual command-line portlet environment. Action: we should discuss this a few months down the line (to see if it is workable within the project). It certainly seems to be a good idea.

5. Andrew Martin (probably) should contact Rob Allen at Daresbury to schedule the portal work.

6. Jens to somehow 'publish' the Diamond user requirements.

Next meeting

The suggestion is to have the next meeting in approximately one month over access grid. In two months, we should try for another face-to-face.

Possible dates for next meetings

AG around 10th April

(N.B. this is likely to be Easter holidays for some people, e.g. Mark is away between 6-17 April inclusive). Possible dates:

• 3-5 April
• 6-7 April
• 10-13 April (14th is Good Friday, 17th is Easter Monday)
• 18-21 April

Please feel free to create a username for the wiki and edit this page to put in your available dates.

Mark can do:

• 3-5 and 18-21 April

Next F2F

Possible dates:

• (Need to avoid weeks of May 8th and 15th due to GGF and CC meetings. Also 1 May is bank holiday)
• 2-5 May
• 22-26 May

Back to MeetingNotes