wiki:Taskforces/AAI/Meetings/2014-11-27

Version 1 (modified by Dieter Van Uytvanck, 6 years ago)

Submitted by Martin Matthiesen on 05 November 2014

Participants: Thomas Kisler, Kai Zimmer, Mitchell Seaton, Jozef Mišutka, Oliver Schonefeld (from 14:31 CET), Martin Matthiesen (chair & minutes)

Excused: Dieter Van Uytvanck, Lene Offersgaard, Sander Maijers

Optional: Paul Meurer, Pavel Straňák

Agenda

  1. Formalia: Agreeing on agenda, secretary
  2. Action points from last meeting
  3. Service Level Agreements for AAI services
  4. QA: SP Security level checks
  5. QA: General availability regular monitoring
  6. eduGAIN as SP requirement
  7. Action points for next meeting
  8. Next meeting

Formalia

Martin assumed chair and secretary. The agenda was altered in the following way:

Oliver asked to add the topic of signed metadata. It was added to "SP security".

Kai asked to add the issue of updated metadata not propagated. It was added to "Availability monitoring".

Action points from last meeting (5 min)

  • Old APs
    • Thomas: Hook up BAS with the SPF: Not yet
    • Dieter: Promote the SPF in Zürich; contact Feide to opt-in to the SPF. Skipped

Define appropriate SLA for AAI services (10 min)

We identified the following services that should have SLAs:

  • Disco Juice
  • Clarin homeless IdP
  • SPF-Metadata availability

Martin will contact Sander and Dieter on this issue.

QA: SP Security (15 min)

We discussed two issues:

  1. Should we prepare a letter to SPs to inform publicly about their incident procedures and raise awareness about security?

We came to the conclusion that SP security, although important, is not the main focus of this taskforce. If Clarin wants to take on Service Provider security, which is in practice server security, a separate taskforce should be formed.

  2. What do we want to do about unsigned metadata coming from clarin.eu?

E.g. https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml

We agreed that the MD should be signed. Proper certificates (they should be free for academic institutions from Terena) are preferred over self-signed ones. The public key of the signed MD should also be made available. Mitchell volunteered to take this issue further.
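As an added illustration, not taken from the minutes or from the SPF project, this is how an SP would consume the feed once it is signed: the Shibboleth SP 2.x shibboleth2.xml fragment below shows the weak setting (metadata accepted unsigned) beside the corrected one, which only trusts metadata signed by the published key. The file name spf-signer.pem and the reload and validity values are assumptions.

```xml
<!-- Weak: whatever is served at this URL is trusted, signed or not.
     A tampered or spoofed feed would be accepted silently. -->
<MetadataProvider type="XML" uri="https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml"
                  backingFilePath="spf-idps.xml" reloadInterval="7200"/>

<!-- Corrected: the SP verifies the XML signature against the SPF signing
     certificate (assumed name spf-signer.pem, distributed out of band) and
     rejects feeds without a validUntil or with one more than 28 days out,
     so an old copy of the feed cannot be replayed indefinitely. -->
<MetadataProvider type="XML" uri="https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml"
                  backingFilePath="spf-idps.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="spf-signer.pem"/>
</MetadataProvider>
```

With the corrected provider an unsigned or expired feed is rejected at load time and logged by shibd, which is exactly the condition the availability monitoring discussed in these minutes should alarm on.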

QA: General Availability monitoring (15 min)

We covered the following areas:

1. Monitoring of trust relations (i.e. getting login screens)

Lindat.cz has for a long time been using a tool that can test any SP-IdP trust relation (https://github.com/ufal/lindat-aai-shibbie). Results for Lindat can be seen here:

https://lindat.mff.cuni.cz/secure/aai-idps-lindat (requires login). Basically two models of monitoring are possible:

  1. Centralized: Lindat could check all Clarin SPs against all SPF-IdPs.
  2. De-centralized: Each country installs the tool and checks its own SPs against SPF-IdPs.

Option one seemed to make the most sense; the question would be in what setting such a service could be funded. Another problem: Lindat has 200 non-working IdPs. What to do with that, and how can we get this number down?

To discuss further on what setup makes most sense and what to do with (possibly bad) results, Martin will call a separate meeting only for this issue, with at least Kai and Jozef.

2. Organising Europe-wide manual login attempts (which also tests availability of attributes, or lack thereof)

We came up with the idea of trying to use trac.clarin.eu to get testing needs and testers together. A rough workflow:

Requests for login test can be sent via trac.clarin.eu

Each federation is one component with known possible owners and one default owner. Owners should be spread across the federation, so that a few IdPs get covered per federation, ideally all.

Results are reported back to Trac, where the requestor can close the ticket himself if happy, or comments can be exchanged. Over time a history will form.

Decision: Martin will discuss this with Sander and Dieter, Jozef cc.

3. Alerting SP admins to failed login attempts.

Lindat has a tool to parse Shibboleth logs (with debug on): https://github.com/ufal/lindat-aai-info

4. Propagation of metadata

There was an issue with updating BBAW metadata in Haka: it was simply not updated there. The official route goes via the SPF, i.e. Sander. Martin will ask the Haka folks as well, to find out what went wrong.

eduGAIN as SP requirement (10 min)

We are still in favour of making this a requirement. We did discuss the possibility that commercial SPs might also be able to join eduGAIN in some countries. In practice this should not be a big problem, since Shibboleth accounts connected to academia are relatively easy to come by, say via university libraries or by registering as a part-time student. Material that needs to be tightly controlled should not rely on simple "user can log in" authentication but on more sophisticated authorization methods, like extended attributes (CLARIN ACA) or explicit individual permissions (CLARIN RES). But this is a sensitive issue and we will address it in the proposal. Jozef, Oliver and Martin volunteered to prepare the proposal.

Documentation for setting up SPs (10 min)

Is it sufficient, up-to-date? We only briefly touched this, since the owner of this topic, Dieter, could not join us today.

Mitchell: Some tidying up would be nice; a "Hello World" document would be good.

Martin will relay the feedback to Dieter and Sander.

Action points next meeting (5 min)

  • SP Signing: Mitchell and Oliver make sure the SPF XML is signed.
  • Setup Trac for manual login tests across federations. Martin will talk to Sander/Dieter.
  • Meeting on Central Monitoring: Martin prepares a meeting, Jozef and Kai will at least join.
  • eduGAIN as SP Requirement: Martin, Jozef and Oliver prepare the proposal.
  • Documentation for SPs: Martin relays feedback to Sander/Dieter.

Next meeting

Middle of January 2015.