MIT Touchstone Project Planning

 


Goals:

Transition the IdPs to the Shibboleth 2.1.4 release.

Phase One: Transition core MIT IdPs (idp.mit.edu)


Hardware

...

Idp1 and idp2 are running on RHEL3 physical machines.

...

NIST has also provided idp2-dev, which is also a RHEL3 machine.

...

Bob has been using foonalagoona, which is provided by OPS/AMIT. This is not a RHEL3 machine.

...

To complete the transition, new RHEL5 VMs will be requested from NIST:

    1. 1 dev machine
    2. 2 staging machines
    3. 2 production machines
    4. Configuration:
      1. minimum RAM 2 GB, 4 GB suggested
      2. at least 10 GB disk, 7200 RPM
      3. CPU: the Federation recommendation for a physical machine is 4 cores, each running at 2 GHz. It has been noted that IdPs tend to be CPU bound, not disk I/O or network bandwidth intensive.

 
e. Once the transition to the new IdPs has been completed the following physical machines will no longer be needed by Touchstone:

    i. Idp1

...

    ii. Idp2

...

    iii. Idp2-dev

 
f. Once the transition to the new IdPs has been completed the following virtual machines will no longer be needed by Touchstone:

    i. Idp1-staging.mit.edu

...

    ii. Idp2-staging.mit.edu

...

    iii. Foonalagoona.mit.edu (OPS/AMIT)

...

Develop login page(s) that support multiple mechanisms, without using Stanford WebAuth.

...

  a. Authentication mechanisms:

      ...

        i. Username/password (done): urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

      ...

        ii. X.509 certificates (via Apache mod_ssl): urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI

      ...

        iii. Kerberos via http-spnego (via modgssapache): urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

  b. The login page that presents all three of these mechanisms will be written in JSP.

  c. Work estimate is 2 to 3 weeks to have a proof-of-concept page.

3. High Availability plans

      a. ShibHA is not available for the 2.x IdPs. The recommendation is to use Terracotta session clustering under Tomcat. As of October 18th Bob had not started working with Terracotta. Bob estimates that he will need approximately 2 weeks to become familiar with Terracotta configuration issues.
       
      b.      Paul will request two test machines from NIST (RHEL5 VMS). These will start as test machines and become the new staging machines.
       
      c. DNS round robin is being used today, and we plan to continue using it for the next phase of the project, despite Internet2's recommendation to use a hardware load balancer. We wish to avoid terminating SSL at the F5, especially since usernames and passwords are sent to the IdPs in some cases.

4. Migrate from SP attribute query to IdP attribute push.

      This means that the user's attributes will be included in the authentication assertion that is returned to the SP in the initial POST transaction, so the SP no longer has to make a separate back-channel attribute query. This removes one network round trip between the SP and the IdP.

      ...