| | 1 | Submitted by [https://www.clarin.eu/user/1937 Martin Matthiesen] on 05 November 2014 |
| | 2 | |
| | 3 | Participants: Thomas Kisler, Kai Zimmer, Mitchell Seaton, Jozef Mišutka, Oliver Schonefeld (from 14:31 CET) , Martin Matthiesen (chair & minutes), |
| | 4 | |
| | 5 | !Excused:Dieter Van Uytvanck, Lene Offersgaard, Sander Maijers |
| | 6 | |
| | 7 | Optional: Paul Meurer, Pavel Straňák |
| | 8 | |
| | 9 | |
| | 10 | == Agenda == |
| | 11 | |
| | 12 | 1. Formalia: Agreeing on agenda, secretary |
| | 13 | 1. Action points from last meeting |
| | 14 | 1. Service Level Agreements for [https://www.clarin.eu/glossary#AAI AAI] services |
| | 15 | 1. QA: [https://www.clarin.eu/glossary#SP SP] Security level checks |
| | 16 | 1. QA: General availabilty regular monitoring |
| | 17 | 1. eduGAIN as [https://www.clarin.eu/glossary#SP SP] requirement |
| | 18 | 1. Action points for next meeting |
| | 19 | 1. Next meeting |
| | 20 | |
| | 21 | == Formalia == |
| | 22 | Martin assumed chair and secretary. The agenda was altered in the following way: |
| | 23 | |
| | 24 | Oliver asked to add the topic of signed metadata. It was added to "SP security". |
| | 25 | |
| | 26 | Kai asked to add the issue of updated metadata not propagated. It was added to "Availability monitoring". |
| | 27 | |
| | 28 | |
| | 29 | == Action points from last meeting (5 min) == |
| | 30 | |
| | 31 | * Old APs |
| | 32 | * Thomas: Hook up BAS with the SPF: Not yet |
| | 33 | * Dieter: Promote the SPF in Zürich.; Contat Feide to opt-in to the SPF. Skipped |
| | 34 | |
| | 35 | == Define appropriate SLA for AAI services (10 min) == |
| | 36 | We identified the following service that should have SLAs: |
| | 37 | |
| | 38 | |
| | 39 | * Disco Juice |
| | 40 | * Clarin homeless [https://www.clarin.eu/glossary#IdP IdP] |
| | 41 | * SPF-Metadata availability |
| | 42 | |
| | 43 | Martin will contact Sander and Dieter on this issue. |
| | 44 | |
| | 45 | |
| | 46 | == QA: SP Security (15 min) == |
| | 47 | We discussed two issues: |
| | 48 | |
| | 49 | 1. Should we prepare a letter to SPs to inform publicly about their incident procedures and raise awareness about security? |
| | 50 | |
| | 51 | We came to the conclusion that SP security, although important, is not the main focus of this taskforce. If Clarin wants to take on Service Provider security, which is in practice server security, a separate taskforce should be formed. |
| | 52 | |
| | 53 | 2. What do we want to do about unsigned metadata coming from clarin.eu? |
| | 54 | |
| | 55 | Eg. https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml |
| | 56 | |
| | 57 | We agreed that the MD should be signed. Proper certificates (they should be free for academic institutions from Terena) are prefered over self-signed ones. The public key of the signed MD should also be made available. Mitchell voluteered to take this issue further. |
| | 58 | |
| | 59 | |
| | 60 | == QA: General Availability monitoring (15 min) == |
| | 61 | We covered the following areas: |
| | 62 | |
| | 63 | |
| | 64 | === 1. Monitoring of trust relations (ie. getting logging screens) === |
| | 65 | Lindat.cz has been using for a long time a tool that can test any SP-IdP trust relation. (https://github.com/ufal/lindat-aai-shibbie) results for Lindat can be seen here: |
| | 66 | |
| | 67 | https://lindat.mff.cuni.cz/secure/aai-idps-lindat (requires login). Basically two models of monitoring are possible: |
| | 68 | |
| | 69 | 1. Centralized: Lindat could check all Clarin SPs againsta all SPF-!IdPs. |
| | 70 | |
| | 71 | 2. De-centralized: Each country installs the tools and checks their own SPs against SPF-!IdPs. |
| | 72 | |
| | 73 | Option one seemed to make most sense, the question would be in what setting such a service could be funded. Another problem: Lindat has 200 not working !IdPs. What to do with that, how can we get this number down? |
| | 74 | |
| | 75 | To discuss further on what setup makes most sense and what to do with (possibly bad) results, Martin will call a separate meeting only for this issue, with at least Kai and Jozef. |
| | 76 | |
| | 77 | |
| | 78 | === 2. Organising Europe-wide manual loggin attempts (which tests also availabilty of attributes, or lack thereof) === |
| | 79 | |
| | 80 | === We came up with the idea of trying to use trac.clarin.eu to get testing needs and testers together. A rough workflow: === |
| | 81 | Requests for login test can be sent via trac.clarin.eu |
| | 82 | |
| | 83 | Each federation is one component with known possible owners and one default owner. Owners should be spread accross the federation, so that a few !IdPs get covered per federation, ideally all. |
| | 84 | |
| | 85 | Results are reported back to Trac, where the requestor can close the ticket himself, if happy. Or comments can be exchanged. Over time a history will form. |
| | 86 | |
| | 87 | Decision: Martin will discuss this with Sander and Dieter, Jozef cc. |
| | 88 | |
| | 89 | |
| | 90 | === 3. Alerting SP admins to failed loggin attempts. === |
| | 91 | Lindat has a tool to parse shibboleth logs (with debug on): https://github.com/ufal/lindat-aai-info |
| | 92 | |
| | 93 | |
| | 94 | === 4. Propagation of metadata === |
| | 95 | There was an issue with updating BBAW metadata in Haka, it was simply not updated there. The official route goes via SPF, so Sander. Martin will ask the Haka folks as well, to find out what went wrong. |
| | 96 | |
| | 97 | |
| | 98 | == eduGAIN as SP requirement (10 min) == |
| | 99 | We still are for making this a requirement. We did discuss the possibility that commerical SPs might be able to also join eduGAIN in some countries. In practice this should not be a big problem, since Shibboleth accounts connected to academia are relatively easy to come by, say via university libraries or by registering as a part-time student. Material that needs to be tightly conroled should not rely on simple "user can login" authentication but on more sophisticated authorization methods, like extended attributes (CLARIN ACA) or explicit individual permissions (CLARIN RES). But this is a senstive issue and we will address this in the proposal. Jozef, Oliver and Martin volunteered to prepare the proposal. |
| | 100 | |
| | 101 | |
| | 102 | == Documentation for setting up SPs (10 min) == |
| | 103 | Is it sufficient, up-to-date? We only briefly touched this, since the owner of this topic, Dieter, could not join us today. |
| | 104 | |
| | 105 | Mitchell: Some tidying up would be nice, A "Hello World" document would be good. |
| | 106 | |
| | 107 | Martin relays the feedback to Dieter and Sander. |
| | 108 | |
| | 109 | |
| | 110 | == Action points next meeting (5 min) == |
| | 111 | |
| | 112 | * SP Signing: Mitchell and Oliver make sure the SPF XML is signed. |
| | 113 | * Setup Trac for manual login tests across federations. Martin will talk to !Sander/Dieter. |
| | 114 | * Meeting on Central Monitoring: Martin prepares a meeting, Jozef and Kai will at least join. |
| | 115 | * eduGAIN as SP Requirement: Martin, Jozef and Oliver prepare the proposal. |
| | 116 | * Documentation for SPs: Martin relays feedback to !Sander/Dieter. |
| | 117 | |
| | 118 | == Next meeting == |
| | 119 | Middle of January 2015. |
