Milestones/ Project Steps [ZEST:Proposed by B. Sanjay Bissessur, March 11, 2007 - to be reviewed]
The proposed steps are for the new phase (Pilot Phase) of the project, following agreements made between NIST and ISDA after the initial TRB meeting. Some steps may occur concurrently, and a few have already been initiated.
Timeline information presented in parentheses () was made by melding previous milestones into the current framework.
- Establish revised Core Team
	- Establish steering group (established March 2007)
 
- Redraft Scope and requirements (March 21st, 2007)
- Agree Scope and requirements with Core Team (March 28th, 2007)
- Prototype testing (August 7, 2007)
	- Report on platforms tested - A great amount of work has already been done for this part by Bob and has been documented [ZEST:link to Technical Documentation - Test Environment]
- Identify other platforms for testing
- Test other platforms
- Document results
- Recommendations and any o/s issues (include integration costs with third parties)
- Review by Core Team / Cross-functional Steering Group
 
- Identify customers for Pilot Phase (August 18, 2007)
- Pilot Implementation
	- Implementation at sites
- Documentation (September 22, 2007)
- Recommendations & Review
 
- Cross-functional Steering Group review
- Refinement of proposed implementation for MIT community
- TRB review
- Action Points for full implementation
Notes:
A. Core Team / Cross-functional Steering Group
Cross-functional Steering Group:
A steering group has been established which will oversee the ongoing projects under the Identity Management umbrella (First meeting was held on 2/28/07). One of the projects to be covered is the WebSSO.
WebSSO Core Team:
ISDA, OIS, Libraries, CSS/DCAD, ISDA/Stellar, Sloan, SAIS, others (TBD).
======
Old Milestones:
The following milestones for the WebSSO project are out of date:
I currently have a test setup of Webauth (login server and one
application server, using Apache 2). Given the ongoing concerns about
its platform coverage, and the availability of a major new release of
Cosign, I have begun configuring these servers to test the Cosign package
as well.
July 28: Complete initial configuration of test Cosign 2.0 login and
application servers.
Aug. 1: Request server machines (login and test login servers) from Mark.
Aug. 7: Complete testing, and provide a document summarizing findings
from comparison of test Webauth and Cosign servers and
identifying advantages/disadvantages, required development
work, risks and other issues for final product decision, with
a recommendation on how to proceed.
Aug. 11: Come to final agreement on which product to use, the web
server versions to support, and the timeline for such
support.
Aug. 18: Identify customers for pilot.
Set up source repository for development work.
Aug. 25: Bring up test login server on NIST-provided machine.
Assuming we proceed with Webauth:
Aug. 18: Demonstrate the ability to authenticate via any of the 3
methods (username/password, SPNEGO, certificates).
Aug. 25: Demonstrate fixed REMOTE_USER setup (i.e. canonicalize
instead of stripping realm).
Sep. 1: Complete customized login page.
Sep. 8: Complete customized logout, confirmation, and error pages.
Sep. 15: Complete customized documentation pages.
Sep. 22: Complete documentation for pilot participants.
Bring up login server for pilot.
If we decide to go with Cosign:
Aug. 11: Identify needed development work for pilot.
Subsequent milestones TBD.
=====
Issues:
- If we go with the Webauth package, and provide only Apache 2 support
 in the pilot, this limits possible participants in the pilot.
 Can we get enough participants for a meaningful pilot?
- Are we willing to commit significant long-term development resources
 to (for example) supporting Apache 1, IIS, and Java servlet in Webauth?
- If we go with Webauth, what other web server platforms are required
 for the intended Q2 roll-out? (Or, put another way, does that roll-out
 correspond to Phase 1 or Phase 2 of our discussed plan?)
- When do we need to test other servers (Windows IIS, Java, Oracle)?
- When should we test redundant login servers?
- This schedule assumes server machines are provided in a timely
 manner.
- What approval process is required before proceeding to pilot?
From the Jeff, Mark, Wilson meeting...
Again I thank everyone for their participation and patience as we work through this effort.
- Bob will do a quick analysis (learnings from Stanford should be included) of any potential integration issues.
- Articulate the support/operational issues and mitigation steps.
- Assess additional development efforts and align resources towards that.