shibboleth-dev - SHIB design call -- (12/20), 3:00 pm est, noon pst
Subject: Shibboleth Developers
- Subject: SHIB design call -- (12/20), 3:00 pm est, noon pst
- Date: Mon, 20 Dec 2004 13:49:26 -0500
Phone #: (800) 541-1710
Pin #: 0142203
Agenda:
1) Startup
- Roll call, agenda bash
- Intellectual Property Rights Awareness: Internet2 Intellectual Property Framework
(http://members.internet2.edu/intellectualproperty.html)
2) Any outstanding Issues?
- others?
3) (short discussion) Short term documentation priorities for Nate --
4) (short discussion) Comments, thoughts on Shibboleth/RITE submission (pasted in at the bottom of this note)
5) (short discussion) Process for accepting "shib contributions"
6) Shib + CAS + A-Select -- what steps would we like to take over the next few months, to improve "integration", as all of these projects expect to be providing new releases. Notes from the initial Shib + CAS conversation; there's also been a long + growing thread on the shib dev list this week.
Howard's doc, to frame the discussion
http://tp.its.yale.edu/shib/tiki-index.php?page=CasShib
Background
UWash looking to replace pubcookie with shib (but need to address functionality that PC has but CAS lacks);
need to address implications of SAML 2 requirements, and e-authn requirements
High Level Goal
Andy - making move to shib as painless as possible for existing cas sites (installation of CAS is really easy, and impl of shib is NOT easy, concepts are complex... how do you lower the skill level?) (howard -- big payoff is if a campus has locally deployed one system (eg cas), then the addition of the other can be done without widespread disruption....)
scott -- what does it mean to bring federation into our environment? what does the login page look like? which identifiers do we use?
scott -- API compatibility is the item that jumped out at him...... he has same compatibility issue @ osu with his previous SSO (what is the shib api for programmers?)
Rl -- from the shib point of view, a nice feature would be -- for sites installing shib provide a spin of the cas server that is easy and works with shib..... opportunities for tighter integration..
Small items
two systems with different session timers
CAS transition goal
howard -- let the CAS server operate as a proxy, rather than using the saml end-to-end model; all local servers will trust the CAS server to process the signature, for instance
----------------------------
Hurderos 0.1.3, which will be released shortly, has preliminary support
for provisioning and attaching 'SHIBBOLETH' service identities to user
identities.
In order to test this functionality we invested some time working on
deployment engineering for the Shibboleth Origin/Target software and
its accompanying dependencies. We thought this work may be useful to
others interested in deploying Shibboleth hence this notice on the
availability of the Rapid Initiation Technology Environment (RITE) for
Shibboleth.
The following URL will snare the distribution RPM for anyone who is
interested:
ftp://ftp.hurderos.org/pub/Hurderos/appsupport/Shibboleth_RITE-0.1.0-1.i386.rpm
The following instructions should produce a functional Origin/Target
environment for testing:
---------------------------------------------------------------------------
A working Java implementation is required. This distribution has been
validated against SUN SDK release 1.4.2.06.
Root privileges will be needed to install and run the distribution.
The following recipe should yield a functional test implementation:
Obtain distribution.
[become root]
rpm -ivh Shibboleth_RITE-0.1.0-1.i386.rpm
/opt/shibboleth/etc/rc.d/init.d/shibboleth start
Open the following location in a browser: http://localhost/secure
When asked for a userid and password use the following values:
userid: testuser
passwd: shibtest
Depending on the speed of the machine, a sample web page should
appear in a few seconds.
To shut down the Origin/Target system issue the following
command:
/opt/shibboleth/etc/rc.d/init.d/shibboleth stop
---------------------------------------------------------------------------
Some implementation details follow for anyone who might be interested.
The RPM should deploy and run on any reasonably modern Linux
distribution (<5 years old). It contains a tuned and coordinated
release of dependencies required to run a sample Origin/Target
environment.
The entire distribution has been built against gcc 3.4.3. The
compiler decision was based on the premise that this release of gcc
now has standardized polymorphic symbol translation and other features
which should yield a standardized ABI. This will help minimize
libstdc++ dependency problems in the future.
A copy of libstdc++ version 6.0.3 supported by gcc 3.4.3 has been
included in the distribution. In order to keep things as
self-contained as possible the integrated start-up system uses an
environmental declaration to direct the dynamic loader to its
location. This does mean that the binaries in /opt/shibboleth/bin
will not run standalone unless the following execution format is used:
LD_LIBRARY_PATH=/opt/shibboleth/lib ./shibtest
Knowledgeable users can edit /etc/ld.so.conf and run ldconfig to set up
global knowledge of the libraries.
The distribution has been largely built 'out of the box' with the
exception of a small patch to saml.h to correct what appears to be a
non-standards compliant templated typedef instantiation. I can put up
a roll-up tarball of all the dependencies, configure commands and the
patch if anyone is interested.
The distribution also contains the most recent release of the Apache
web-server configured to operate in both Origin and Target modes. The
Origin configuration uses BASIC authentication to secure access to the
virtualized /shibboleth/HS location. An Apache password file
configured with a testuser account has been provided.
The Apache component has been augmented with mod_auth_pam support.
The objective was to provide a standardized interface for users who
wish to begin work on integrating Origin services into existing
enterprise authentication systems.
Implementing PAM support simply involves changing the AuthPAM_Enabled
directive in the Location clause for handle services from off to on.
In addition an httpd directive needs to be made in /etc/pam.conf or
alternately /etc/pam.d/httpd to implement whatever back-end
authentication system is desired.
The distribution provides cleaned up versions of the Origin and Target
configuration files (origin.xml, shibboleth.xml). The shibboleth.xml
file is in /opt/shibboleth/etc/shibboleth. The origin configuration
files can be accessed through a convenience symlink (origin) found in
the above directory as well.
All logfiles with the exception of the Tomcat application server are
located in /opt/shibboleth/var/log. Those files are the best place to
start with debugging efforts. The application server logs are in
/opt/shibboleth/tomcat/logs.
The distribution has been tested in a separated Origin/Target
environment but the configuration files do not implement this. Plans
are to provide a configuration program to do these types of setups in
the next release.
The only component that needs to be supplied is a Java SDK or runtime
environment. This was not provided due to licensing issues. If there
is interest we could research the issues surrounding a release bundled
with a copy of the JRE.
Linux systems can vary widely but the focus on this distribution has
been to put together a very bullet-proof system for rapid deployment
of Shibboleth. Please feel free to forward any show-stopping behavior
to us.
Over the next several months the focus of our architectural and
engineering efforts will be on enhancing Shibboleth functionality
using the Hurderos IDfusion identity model.
The initial objective will be to use the encapsulation objects created
for service instance identities as the basis for management of
attribute release policies on a user by user basis. A useful
side-effect will be the ability of the Hurderos GOOII (Graphical
Object Oriented Identity Interface) to manage ARP on a user by user
basis.
The second major focus will be on using the Reciprocal Identity
Management properties of Hurderos to allow target sites to implement
identity and service management for targeted user identities. This
work may be of interest to anyone interested in Grid-based
applications of Shibboleth. There is currently ongoing design and
implementation work to create a 'Hurderized' version of the SLURM HPC
resource scheduling system to replace fixed resource partitions with
the notion of resource services.
Hopefully this work on rapid deployment engineering will find some
usefulness for users in the Shibboleth community.
Good luck, best wishes for a pleasant holiday season.
As always,
GW
------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management
http://www.hurderos.org
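The mod_auth_pam switch described in the RITE note above (AuthPAM_Enabled off to on in the handle service Location clause, plus an httpd entry for PAM), as an added configuration example that is not part of the original message or of the Hurderos distribution. The httpd.conf and password file paths, the AuthName string and the pam_unix backend are assumptions; only the /shibboleth/HS location and the testuser account come from the note.

```apache
# Added example, not from the RITE note or the Hurderos distribution.
# Assumed paths: /opt/shibboleth/etc/httpd/httpd.conf for the excerpts
# below and /opt/shibboleth/etc/httpd/shib.passwd for the htpasswd file.
# Apache does not allow comments on directive lines, so every comment here
# sits on its own line.

# --- httpd.conf excerpt: Origin handle service as shipped ---
# BASIC auth against a static password file that holds only 'testuser';
# mod_auth_pam is loaded but switched off.
<Location /shibboleth/HS>
    AuthType        Basic
    AuthName        "Shibboleth Origin"
    AuthUserFile    /opt/shibboleth/etc/httpd/shib.passwd
    AuthPAM_Enabled off
    Require         valid-user
</Location>

# --- httpd.conf excerpt: the same location after enabling PAM ---
# Credentials are now checked by the 'httpd' PAM service. AuthUserFile is
# dropped and AuthPAM_FallThrough is off, so a PAM rejection cannot be
# rescued by a stale entry in the test password file.
<Location /shibboleth/HS>
    AuthType            Basic
    AuthName            "Shibboleth Origin"
    AuthPAM_Enabled     on
    AuthPAM_FallThrough off
    Require             valid-user
</Location>

# --- /etc/pam.d/httpd (or an 'httpd' stanza in /etc/pam.conf) ---
# Both stacks are needed: 'account' is what rejects a user whose account is
# expired or locked even though the password is right. pam_unix is the
# simplest backend; replace these lines with the site's own module to reach
# the enterprise directory. Caveat: pam_unix must read /etc/shadow, so the
# Apache worker user has to be granted that access, which is a real exposure
# that a directory-backed module avoids.
auth     required   pam_unix.so
account  required   pam_unix.so
```

After the change, a wrong password or a locked testuser account should be refused at /shibboleth/HS before the handle service is reached, which is the first thing to confirm in /opt/shibboleth/var/log.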
- SHIB design call -- (12/20), 3:00 pm est, noon pst, Steven_Carmody, 12/20/2004