Shibboleth Developers

Phone #: (800) 541-1710
Pin #: 0142203

Agenda:

1) Startup
      - Roll call, agenda bash
      - Intellectual Property Rights Awareness: Internet2 
Intellectual Property Framework
                (http://members.internet2.edu/intellectualproperty.html)

2) Any outstanding Issues?
        - others?

3) (short discussion) Short term documentation priorities for Nate --

4) (short discussion) Comments, thoughts on Shibboleth/RITE 
submission (pasted in at the bottom of this note)

5) (short discussion) Process for accepting "shib contributions"

6) Shib + CAS + A-Select -- what steps would we like to take over the 
next few months, toimprove "integration", as all of these projects 
expect to be providing new releases. Notes from the initial Shib + 
CAS conversation; there's also been a long + growing thread on the 
shib dev list this week.

Howard's doc, to frame the discussion

        http://tp.its.yale.edu/shib/tiki-index.php?page=CasShib

Background
	UWash looking to replace pubcookie with shib (but need to 
address functionality that PC has but CAS lacks);

	need to address implications of SAML 2 requirements, and 
e-authn requirements

High Level Goal
	Andy - making move to shib as painless as possible for 
existing cas sites (installation of CAS is really easy, and impl of 
shib is NOT easy,concepts are complex... how do you lower the skill 
level?)  (howard -- big payoff is if a campus has locally deployed 
one system (eg cas), then the addition of the other can be done 
without widespread disruption....)

		scott -- what does it mean to bring federation into 
our environment? what does the login page look like? which 
identifiers do we use?

	 scott -- API compatibility is the item that jumped out at 
him...... he has same compatibility issue @ osu with his previous SSO 
(what is the shib api for programmers?)

	Rl -- from the shib point of view, a nice feature would be -- 
for sites installing shib provide a spin of the cas server that is 
easy and works with shib..... opportunities for tighter integration..

Small items
        two systems with different session  timers

CAS transition goal
	howard -- let the CAS server operate as a proxy, rather than 
using the saml end-to-end model; all local servers will trust the CAS 
server to process the signature, for instance

----------------------------

> Hurderos 0.1.3 which will be released shortly has preliminary support
> for provisioning and attaching 'SHIBBOLETH' service identities to user
> identities.
>
> In order to test this functionality we invested some time working on
> deployment engineering for the Shibboleth Origin/Target software and
> its accompanying dependencies.  We thought this work may be useful to
> others interested in deploying Shibboleth hence this notice on the
> availability of the Rapid Initiation Technology Environment (RITE) for
> Shibboleth.
>
>
> The following URL will snare the distribution RPM for anyone who is
> interested:
>
> ftp://ftp.hurderos.org/pub/Hurderos/appsupport/Shibboleth_RITE-0.1.0-1.i386.rpm
>
>
> The following instructions should produce a functional Origin/Target
> environment for testing:
>
> ---------------------------------------------------------------------------
> A working Java implementation is required.  This distribution has been
> validated against SUN SDK release 1.4.2.06.
>
> Root privileges will be needed to install and run the distribution.
>
> The following recipe should yield a functional test implementation:
>
>         Obtain distribution.
>         [become root]
>         rpm -ivh Shibboleth_RITE-0.1.0-1.i386.rpm
>         /opt/shibboleth/etc/rc.d/init.d/shibboleth start
>
>         Open the following location in a browser:  http://localhost/secure
>
>         When asked for a userid and password use the following values:
>
>                 userid: testuser
>                 passwd: shibtest
>
>         Depending on the speed of the machine a sample web page should
>         appear in a few seconds.
>
>         To shutdown the Origin/Target system issue the following
>         command:
>
>                 /opt/shibboleth/etc/rc.d/init.d/shibboleth stop
> ---------------------------------------------------------------------------
>
>
> Some implementation details follow for anyone who might be interested.
>
> The RPM should deploy and run on any reasonably modern Linux
> distribution (<5 years old).  It contains a tuned and coordinated
> release of dependencies required to run a sample Origin/Target
> environment.
>
> The entire distribution has been built against gcc 3.4.3.  The
> compiler decision was based on the premise that this release of gcc
> now has standardized polymorphic symbol translation and other features
> which should yield a standardized ABI.  This will help minimize
> libstdc++ dependency problems in the future.
>
> A copy of libstdc++ version 6.0.3 supported by gcc 3.4.3 has been
> included in the distribution.  In order to keep things as
> self-contained as possible the integrated start-up system uses an
> environmental declaration to direct the dynamic loader to its
> location.  This does mean that the binaries in /opt/shibboleth/bin
> will not run standalone unless the following execution format is used:
>
>         LD_LIBRARY_PATH=/opt/shibboleth/lib ./shibtest
>
> Knowledgeable users can edit /etc/ld.so.conf and run ldconfig to setup
> global knowledge of the libraries.
>
> The distribution has been largely built 'out of the box' with the
> exception of a small patch to saml.h to correct what appears to be a
> non-standards compliant templated typedef instantiation.  I can put up
> a roll-up tarball of all the dependencies, configure commands and the
> patch if anyone is interested.
>
> The distribution also contains the most recent release of the Apache
> web-server configured to operate in both Origin and Target modes.  The
> Origin configuration uses BASIC authentication to secure access to the
> virtualized /shibboleth/HS location.  An Apache password file
> configured with a testuser account has been provided.
>
> The Apache component has been augmented with mod_auth_pam support.
> The objective was to provide a standardized interface for users who
> wish to begin work on integrating Origin services into existing
> enterprise authentication systems.
>
> Implementing PAM support simply involves changing the AuthPAM_Enabled
> directive in the Location clause for handle services from off to on.
> In addition an httpd directive needs to be made in /etc/pam.conf or
> alternately /etc/pam.d/httpd to implement whatever back-end
> authentication system is desired.
>
> The distribution provides cleaned up versions of the Origin and Target
> configuration files (origin.xml, shibboleth.xml).  The shibboleth.xml
> file is in /opt/shibboleth/etc/shibboleth.  The origin configuration
> files can be accessed through a convenience symlink (origin) found in
> the above directory as well.
>
> All logfiles with the exception of the Tomcat application server are
> located in /opt/shibboleth/var/log.  Those files are the best place to
> start with debugging efforts.  The application server logs are in
> /opt/shibboleth/tomcat/logs.
>
> The distribution has been tested in a separated Origin/Target
> environment but the configuration files do not implement this.  Plans
> are to provide a configuration program to do these types of setups in
> the next release.
>
> The only component that needs to be supplied is a Java SDK or runtime
> environment.  This was not provided due to licensing issues.  If there
> is interest we could research the issues surrounding a release bundled
> with a copy of the JRE.
>
> Linux systems can vary widely but the focus on this distribution has
> been to put together a very bullet-proof system for rapid deployment
> of Shibboleth.  Please feel free to forward any show-stopping behavior
> to us.
>
> Over the next several months the focus of our architectural and
> engineering efforts will be on enhancing Shibboleth functionality
> using the Hurderos IDfusion identity model.
>
> The initial objective will be to use the encapsulation objects created
> for service instance identities as the basis for management of
> attribute release policies on a user by user basis.  A useful
> side-effect will be the ability of the Hurderos GOOII (Graphical
> Object Oriented Identity Interface) to manage ARP on a user by user
> basis.
>
> The second major focus will be on using the Reciprocal Identity
> Management properties of Hurderos to allow target sites to implement
> identity and service management for targetted user identities.  This
> work may be of interest to anyone interested in Grid-based
> applications of Shibboleth.  There is currently ongoing design and
> implementation work to create a 'Hurderized' version of the SLURM HPC
> resource scheduling system to replace fixed resource partitions with
> the notion of resource services.
>
> Hopefully this work on rapid deployment engineering will find some
> usefullness for users in the Shibboleth community.
>
> Good luck, best wishes for a pleasant holiday season.
>
> As always,
> GW
> ------------------------------------------------------------------------------
>                          The Hurderos Project
>          Open Identity, Service and Authorization Management
>                        http://www.hurderos.org