The following milestones for the WebSSO project are out of date:

I currently have a test setup of Webauth (login server and one
application server, using Apache 2). Given the ongoing concerns about
its platform coverage, and the availability of a major new release of
Cosign, I have begun configuring these servers to test the Cosign package
as well.

July 28: Complete initial configuration of test Cosign 2.0 login and
application servers.

Aug. 1: Request server machines (login and test login servers) from Mark.

Aug. 7: Complete testing, and provide a document summarizing findings
from comparison of test Webauth and Cosign servers and
identifying advantages/disadvantages, required development
work, risks and other issues for final product decision, with
a recommendation on how to proceed.

Aug. 11: Come to final agreement on which product to use, the web
server versions to support, and the timeline for such
support.

Aug. 18: Identify customers for pilot.
Set up source repository for development work.

Aug. 25: Bring up test login server on NIST-provided machine.

Assuming we proceed with Webauth:
Aug. 18: Demonstrate the ability to authenticate via any of the 3
methods (username/password, SPNEGO, certificates).

Aug. 25: Demonstrate fixed REMOTE_USER setup (i.e. canonicalize
instead of stripping realm).

Sep. 1: Complete customized login page.

Sep. 8: Complete customized logout, confirmation, and error pages.

Sep. 15: Complete customized documentation pages.

Sep. 22: Complete documentation for pilot participants.
Bring up login server for pilot.

If we decide to go with Cosign:
Aug. 11: Identify needed development work for pilot.
Subsequent milestones TBD.

=====

Issues:

  • If we go with the Webauth package, and provide only Apache 2 support
    in the pilot, this limits possible participants in the pilot.
    Can we get enough participants for a meaningful pilot?
  • Are we willing to commit significant long-term development resources
    to (for example) supporting Apache 1, IIS, and Java servlet in Webauth?
  • If we go with Webauth, what other web server platforms are required
    for the intended Q2 roll-out? (Or, put another way, does that roll-out
    correspond to Phase 1 or Phase 2 of our discussed plan?)
  • When do we need to test other servers (Windows IIS, Java, Oracle)?
  • When should we test redundant login servers?
  • This schedule assumes server machines are provided in a timely
    manner.
  • What approval process is required before proceeding to pilot?