Bob Basch, Mark Silis and Paul Hill met on Wednesday, September 12th, 2007 to discuss issues that needed to be completed prior to turning on the Touchstone pilot.
- We talked about the mail sent regarding the various Shibboleth SAML assertion signing options. It was agreed that we would use the default settings at this time and not require the optional additional signing. This has no security implication for any of the expected use cases during the pilot. This configuration option may have to be revisited if MIT users want to use GridShib applications.
- Mark suggested:
  - Moving the contact information to the top of the Touchstone Help page. [ZEST:This has been done.]
  - Adding the IS&T logo to the page footer. [ZEST:This has been done.]
  - The error page should point users to the help desk, not touchstone-support. [ZEST:This change has been done, and the help desk is aware.]
  - Bob and Paul should be set up as help desk consultants so that they can read cases as requested. [ZEST:Paul believes this has been done.]
  - Set up a briefing of the help desk staff and student employees. [ZEST:This was done on September 25th.]
  - Offer to perform briefings for the help desk on an ongoing basis, especially as new applications enter the pilot. [ZEST:This has been done.]
  - Add a robots.txt file to the login and associated pages to tell web robots to go away. This will reduce unnecessary load on the servers.
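As an added example (not part of the meeting notes or the Touchstone deployment), the check below verifies that a robots.txt actually excludes the login-related paths it is meant to protect, using Python's standard robots.txt parser. The host name and paths are hypothetical placeholders; the two robots.txt bodies are constructed to show a correct exclusion beside an incomplete one.

```python
from urllib.robotparser import RobotFileParser

# Hypothetical login host; substitute the real IdP host when running this.
LOGIN_HOST = "https://login.example.edu"

# Constructed robots.txt that excludes every path on the login host.
ROBOTS_FULL_EXCLUDE = """\
User-agent: *
Disallow: /
"""

# Constructed robots.txt that only excludes one directory, leaving
# other login-related paths open to crawlers.
ROBOTS_PARTIAL = """\
User-agent: *
Disallow: /idp/
"""

# Hypothetical paths that should never be crawled on a login server.
SENSITIVE_PATHS = [
    "/idp/profile/SAML2/POST/SSO",
    "/idp/Authn/UserPassword",
    "/auth-options",
]


def build_parser(robots_text: str) -> RobotFileParser:
    """Parse robots.txt text that has already been fetched (or read from disk)."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def still_crawlable(robots_text: str, paths=SENSITIVE_PATHS, agent: str = "*") -> list:
    """Return the sensitive paths that the given robots.txt still allows `agent` to fetch.

    An empty list means every listed path is excluded for that user agent.
    """
    rp = build_parser(robots_text)
    return [p for p in paths if rp.can_fetch(agent, LOGIN_HOST + p)]


if __name__ == "__main__":
    for label, text in (("full", ROBOTS_FULL_EXCLUDE), ("partial", ROBOTS_PARTIAL)):
        leaks = still_crawlable(text)
        print(f"{label}: {'OK' if not leaks else 'still crawlable: ' + ', '.join(leaks)}")
```

Note that robots.txt is advisory only; well-behaved crawlers honour it, which is enough for the load-reduction goal stated above, but it is not an access control and should not be relied on to hide the login pages.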
- Steve Landry asked that he and Hunter be given access to the logs and config files of the IdP. Since our current mechanism requires an account on the machine, this has been turned down. Neither Steve nor Hunter has any experience with Stanford WebAuth or Shibboleth operations, so no value would be added. Operation of the machines will be the responsibility of NIST once the transition has been completed.
- Mark provided Bob and Paul with RSA secure tokens. These will be used for our root access as we move forward.
- Mark will provide two machines for an ongoing test and staging environment to Bob by October 10th. These will run NIST RHE3.
- RPM packages are not required for entry into pilot. Bob will start working on RPM packages after the test/staging machines are made available to Bob.
- Mark has asked: once metadata has been set up, what happens if the web admin copies it to multiple machines or moves it? E.g., the data today is a URI which by convention specifies the hostname, but it doesn't have to. Bob and Paul will look at this further and write a response. The concern is that people could start instantiating more web applications than we are aware of.
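The concern above is that an SP's metadata names one entity (an entityID URI that usually carries a hostname) while the endpoints the IdP will actually post assertions to can live anywhere. As an added example that is not part of the meeting notes or of Touchstone, the script below parses SAML 2.0 SP metadata with Python's standard library and reports AssertionConsumerService hosts that differ from the entityID's host, which is a cheap way to spot metadata that has been copied to additional machines. The metadata document and its host names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata namespace (standard OASIS URI).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata: the entityID names app1, but a second
# AssertionConsumerService has been registered on app2 (e.g. after copying
# the SP configuration to another machine).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app1.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app1.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app2.example.edu/Shibboleth.sso/SAML2/POST" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_hosts(metadata_xml: str):
    """Return (entityID, sorted list of hosts named by AssertionConsumerService endpoints)."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    hosts = set()
    for acs in root.iterfind(".//md:AssertionConsumerService", NS):
        host = urlparse(acs.get("Location", "")).hostname
        if host:
            hosts.add(host)
    return entity_id, sorted(hosts)


def unexpected_hosts(metadata_xml: str) -> list:
    """Hosts that receive assertions but are not the host named in the entityID.

    If the entityID is not a URL with a hostname (e.g. a URN), every endpoint host
    is reported, because nothing in the identifier ties the SP to a machine.
    """
    entity_id, hosts = endpoint_hosts(metadata_xml)
    id_host = urlparse(entity_id or "").hostname
    if id_host is None:
        return hosts
    return [h for h in hosts if h != id_host]


if __name__ == "__main__":
    entity_id, hosts = endpoint_hosts(SAMPLE_METADATA)
    print("entityID:", entity_id)
    print("ACS hosts:", hosts)
    print("hosts not matching entityID:", unexpected_hosts(SAMPLE_METADATA))
```

The script handles a single EntityDescriptor; for an aggregate EntitiesDescriptor it would need to iterate over each child entity. A mismatch is not necessarily wrong (an SP may legitimately have several endpoints), but it is exactly the case that deserves a look before the metadata is accepted by the IdP.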
We talked about a test application for the help desk staff to help them determine whether the login server and Shibboleth are working. Mark suggested that this should be instantiated on the IdP servers themselves. From the discussion it was determined that we don't have to have the test application installed on the IdPs in order to turn on the pilot.
Bob will get a CNAME for the test application so that we can provide the help desk with a stable URL even though the host will migrate over time. [ZEST:This is now in progress.] In the meantime https://idp-mit-edu.ezproxy.canberra.edu.au/auth-options has been provided to the help desk staff and student employees. They realize the limitations of this application but are satisfied with it as a start. They look forward to having the more complete test available in the future.