Meeting Notes - 2008-06-10 at UCD (Under Construction)

Attendees

Arlene Allen, UCSB
Curtis Bray, UCD
Chet Burgess, UCOP
Dedra Chamberlin, UCB
Matt Elder, UCSD
Greg Fellin, UCM
Patrick Flannery, UCDHS
Jannelle Fong, UCSF

Eric Goodman, UCSC
Karl Grose, UCB
Mike Helm, LBNL
Bruce James, UCOP
Brian Koehmstedt, UCM
Chris Lambertus, UCDHS
Debbie Lauriano, UCD

Warren Leung, UCLA
Simon Litvak, UCB
Jeff Mc Cullough, UCB
Kiltesh Patel, UCDHS
Chris Peters, UCI
Tom Poage, UCD
Lucas Rockwell, UCB

Brian Roode, UCI
Heidi Schmidt, UCSF
Robert Schwartz, UCDHS
Hampton Sublett, UCD
David Walker, UCOP
Troy Wright, UCSC
Albert Wu, UCLA

Introductions and Significant Campus Events

  • UCD and UCDHS are currently planning their identity management strategy.  They currently use CAS for internal applications and Shibboleth for external.
  • UCSD uses Shibboleth for all applications; they currently have approximately 130 SPs.
  • UCLA is looking into group management.
  • UCB is looking into using Sun Identity Manager.  They're also educating service providers to the UCTrust rules.
  • UCOP certified for UCTrust Basic at the end of May.  The first application was Project Tracker, an ASP.net application that President Yudof brought from the University of Texas.
  • UCSF recently hired Jann Fong from UCB to head their identity management project.
  • UCSC has Shibboleth installed.
  • ESnet (LBNL) is looking to federate with various Shibboleth infrastructures globally.
  • After some study, UCI is continuing with their use of home-grown identity management software.

Updates

  • The UC Grid community has implemented their UCTrust integration and is currently putting it into production.
  • Technical management for the Human Resources "learning" management system is moving to the Human Resources and Benefits technology group at UCOP.  Sean Baglin, who had been the project manager within Human Resources, has left the University.
  • The integration of Connexxus into UCTrust is complete, and UCSD and UCR have started to use it.  There is still significant work to do, however, on the provisioning feed that must be sent from the campuses.
  • UC Ready is a system-wide incarnation of Restarting Berkeley that is being implemented at UCB.  Simon Litvak (of that project) attended the meeting to discuss UCTrust integration.
  • The new Enterprise Risk Management (ERM) system is being implemented by IBM under contract to Risk Management at UCOP.  It will be integrated with UCTrust.
  • InCommon's work on their Bronze and Silver assurance profiles continues.  Karl Heins and David Walker are involved with the effort.
  • A "Federation Soup" meeting was held in Seattle at the beginning of the month to discuss global interfederation issues.  Karl Heins, Mike Helm, and David Walker attended.
  • Campuses are starting to plan for IPv6.  We'll want to track that to ensure Shibboleth interoperability.
  • UC's library community is starting to be interested in UCTrust.  It's a good time to reach out to the campus library staff who may be interested.
  • Warren Leung, Albert Wu, and David Walker will be giving a session at UCCSC on integrating applications with UCTrust.

Identity management collaboration at UCD and UCDHS

Hampton Sublett, Curtis Bray, and Gary Jellis talked about joint planning that is underway for the UCD campus and Health System.

  • The Burton Group did a study of identity management for UCD in 2006; they are going forward with selected recommendations and increasing the emphasis on Health System issues.
  • The campus is looking at various implementation issues as they migrate from their legacy system.
  • The Health System didn't get much attention in the Burton Group study.
    • Most applications do their own identity management.
    • They have a mainframe and lots of Windows and Citrix.  There aren't very many web applications, so Shibboleth isn't a major driver.
  • The campus and Health System are merging their Active Directory forests.
  • Next steps are to identify resource needs and to educate departments.

Shibboleth 2.0

Tom Poage and Matt Elder gave an overview of the 2.0 release of Shibboleth.

  • Shibboleth 2.0 uses SAML 2.0, so it should be much more compatible with commercial SAML implementations.  Liberty Alliance, Google Apps for Education, Cardspace, and ADFS have been tested.
  • Installation has been simplified, particularly for IIS.  There is no upgrader from Shibboleth 1.3, however; the differences are too fundamental.
  • New IdP features
    • The installation process now automatically generates keys, certificate requests, metadata, etc.
    • The attribute resolver and filtering are now more flexible.
    • The IdP can now be integrated with JAAS, the Java Authentication and Authorization Service, rather than relying on the REMOTE_USER web server environment variable.
  • New SP features
    • The installation process now automatically generates keys, certificate requests, metadata, etc.
      • Also, there is a standard URL that can be used to harvest an SP's metadata.
    • Metadata can be filtered.
    • There is support for protocols other than SAML 2.0.
    • There is better support for clustering.
  • Discovery services (i.e., WAYF) can now be chained, and SPs can provide their own discovery services, based on metadata.
  • Manageability
    • Much of the metadata can be updated without a restart.
    • The protocol has been simplified.  It no longer requires a "call-back" for attributes.  This should help with firewall interactions.
  • Single Logout has been implemented, but there are still a lot of issues.
  • Benefits for UC
    • Broader commercial support for SAML 2.0