Submitted by Martin Matthiesen on 05 November 2014
These are the minutes of the Clarin AAI TF Soesterberg meeting 24.10.2014 17:15-18:30 CET.
Participants: Sander Maijers (from 17:30) Jozef Misutka, Oliver Schonefeld, Martin Matthiesen (chair & minutes), Paul Meurer (U Bergen), Mitchell Seaton (U Copenhagen)
Excused: Thomas Kisler, Kai Zimmer, Dieter Van Uytvanck, Lene Offersgaard
Agenda
- Formalia: Agreeing on agenda, secretary
- Action points from last meeting
- Service Level Agreements for AAI services
- Quality Assurance issues
- Security level checks
- Regular monitoring
- eduGAIN as SP requirement
- Action points for next meeting
- Next meeting
Action pointsfrom last meeting
- Martin, Oliver, Sander: Metadata aggretation SPF
- Implemented, but has some issues: The feed would need to be aggregated for each national federation (excluding entries that SPs get through their national metadata stream anyway).
- Dieter, Sander, Jozef: Promote the IdP-Validator
- I also promoted in in eduGAIN and it will be used there as well.
- Thomas: Hook up BAS with the SPF
- Skipped.
- Martin: https://wiki.edugain.org/CLARIN; Contact Feide to accept the CoC.
- There has been mail contact, got cut of by holidays. A request was sent to all Home Institutions. (Outcome after the meeting: 2 HO's are connected.)
- Dieter: Promote the SPF in Zürich.; Contat Feide to opt-in to the SPF.
- Skipped.
Service Level Agreements for AAI services
The SCCTC discussed Service Level Agreements for central Clarin services. The taskforce identfied the following services as within our scope:
- Disco Juice
- Clarin homeless IdP
- SPF-Metadata availability
We will help define appropriate SLA parameters for these services.
Quality Assurance issues
We discussed constant monitoring from 2 viewpoints: Security and General Availability.
Security
Oliver suggested we help to make sure that Clarin SPs are up-to-date with respect to current security threats like Heartbeat, Shellshock, SSLv3 and the like. The general sentiment was that such tracking such issues centrally fall out of the scope of this task force, a separate security taskforce would be needed to put proper protocols in place. What we can and should do is document the incident response protocols and procedures on a national level. Some centres have such procedures in place and Clarin monitoring would be an unneccessary extra layer. We also decided to raise awarness, it was left open, in what form.
General Availabilty
It has become aparent that AAI services need close monitoring, SAML2 has just too many moving parts. We all agreed that monitoring is a good idea, we did not go into detail, what the right level would be. The tools and procedures developed at Lindat deserve a closer look.
eduGAIN as SP requirement
This topic came up during the meeting. Keeping the metadata up-to-date is a real challenge for the SPF, requiring SPs to join eduGAIN would make this task much easier. We did discuss the issue for quite a bit, since bringing this to the SCCTC relatively shortly after the CoCo requirement approval might be polically difficult. There are, however, quite a few good arguments for such a requirement. We decided to formulate a SCCTC proposal to be discussed and decided upon in the the next AAI TF meeting.
Action points for next meeting
These were not discussed in the meeting but derived from the topics discussed:
- Old APs
- Thomas: Hook up BAS with the SPF
- Dieter: Promote the SPF in Zürich.; Contat Feide to opt-in to the SPF.
- Define appropriate SLA for AAI services (owners to be decided in next meeting)
- SP Security: Raise awareness (owners to be decided next meeting)
- General Availability monitoring (proposal for next meeting needed)
- eduGAIN as SP requirement, formulate proposal for next meeting. Owners so far: Martin
Next meeting
We agreed to meet rather promptly hopefully in November.
