= ShibGrid architecture meeting 9 March 2006 =

Present: Matt Viljoen, Jens Jensen, David Spence, David Wallom and Mark Norman

David showed us his great work in fleshing out the high level architecture (see [[http://users.ox.ac.uk/~markn/wikifiles/Shib%20Arch.pdf|architecture pdf]] - N.B. "CDR" = Corporate Data Repository). This effectively covers the use case of the user who does not have a certificate and gets a lower assurance certificate from MyProxy. The other use case (to be drawn up) is where the user has (or puts) a proxy certificate in the MyProxy server.

== DNs on short-lived certificates ==

One idea is that the IdP/AA should hold the DNs so that they can be mapped through to the eventual short-term certificate generated by MyProxy (so that AuthZ would occur seamlessly across the NGS via known DNs). However, it is likely that the DN for a person without a certificate can be generated via an algorithm at MyProxy or the portal.

N.B. In future (possibly beyond this project) we would need a way of mapping DNs so that the low assurance level DN is later mapped to a higher assurance level certificate DN if the user decides to get a long term certificate (to avoid them having to register twice at the NGS).

== Second scenario (user has long-term cert. and wants to put a proxy in MyProxy) ==

There is a second MyProxy server on the same machine. (One is integrated with kerberosCA for scenario 1, but both need to be made to talk to single sign on and Shibboleth somehow.) The user generates the proxy certificate on their client and uploads it into MyProxy. The current upload tool is difficult to use and would not fit this purpose. Therefore, David is to work on his own Java upload tool - probably accessed from a web page - so that we know the Shib 'identity' when the certificate is uploaded (to avoid the user having to invoke their SSO credentials as well as their own MyProxy username/password).

N.B. We will need a persistent identifier to come from the AA. This ''could'' be the DN, but does not ''need'' to be (as long as a mapping from the Shib ID - probably eduPersonTargetedID [pseudonymous] or eduPersonPrincipalName [explicit] - to the DN is made at the portal or MyProxy level).

== Oxford developer ==

David W, Mark and Andrew Martin are interviewing a candidate today (9th of March). So hopefully there will be good news very soon!

== Other notes ==

 1. We need to mention something about certificate lifetimes (or make suggestions for a live/production system). Should the lifetimes reflect the Shibboleth session lifetime in any way?
 1. Requirements: Jens has a set from the Diamond users (good). (Someone needs to check with the Integrative Biology users.)
 1. There were some fears expressed that the development required within the NGS portal may not be forthcoming (at least in a timely way). We may need a contingency of using - possibly - the Integrative Biology portal.

== Who does what? ==

Early plans are:

=== David Spence ===

Work on the various bits of '''MyProxy''' and (develop and) shibbolise his '''proxy upload tool'''. Also to work on '''establishing the Shibboleth IdP and AA at RAL'''.

=== The portal work ===

Not David S! '''Possibly the Oxford developer''' (not yet recruited): we need to see his expertise. We have some resource at '''CCLRC Daresbury''' that should be able to be used for this.

== Action and things we need to find out ==

 1. (Regarding step 6 on David's diagram) Does the IdP sign the attribute assertions? (Or do we trust the TLS tunnels between IdP and portal, and between portal and MyProxy?) If the assertions are ''not'' signed, we may need an extra callout (8b?) for MyProxy to check directly with the IdP/AA. '''Mark''' to forward some possible contact details of people who can help with this.
 1. We need requirements (and other input) from the Oxford Integrative Biology users. Also David would like to know what AA schema is used in Oxford. (The same contacts that Mark will forward should be able to help with this.)
 1. '''David W''' to liaise with Matthew Mascord regarding the use of the IB portal and obtaining requirements there.
 1. David W also raised the idea of the portal containing a virtual command-line portlet environment. '''Action''': we should discuss this a few months down the line (to see if it is workable within the project). It certainly seems to be a good idea.
 1. '''Andrew Martin''' (probably) should contact Rob Allen at Daresbury to schedule the portal work.
 1. '''Jens''' to somehow 'publish' the Diamond user requirements.

== Next meeting ==

The suggestion is to have the next meeting in approximately one month over Access Grid. In two months, we should try for another face-to-face.

=== Possible dates for next meetings ===

==== AG around 10th April ====

(N.B. this is likely to be Easter holidays for some people, e.g. Mark is away between 6-17 April inclusive.) Possible dates:

 * 3-5 April
 * 6-7 April
 * 10-13 April (14th is Good Friday, 17th is Easter Monday)
 * 18-21 April

Please feel free to create a username for the wiki and edit this page to put in your available dates.

Mark can do:

 * 3-5 and 18-21 April

==== Next F2F ====

Possible dates (need to avoid the weeks of May 8th and 15th due to GGF and CC meetings; also 1 May is a bank holiday):

 * 2-5 May
 * 22-26 May