Identify Pilot Applications:

  1. Confluence?
  2. Jira?
  3. Stellar
  4. Alfresco / ACEGI
  5. NIST's Spam Management Tools
  6. DSPACE? (libraries)

Pilot Implementation:

What do we need to enter pilot phase?

  • NIST running Webauth login server
    1. ISDA having login access to server to examine logs and config files.
    2. Hardware for Webauth login server
    3. Login server using MIT CA issued certificates
    4. Do we need a documented process for modifying Webauth config files?
  • IdP for MIT account holders
    1. Confirmation that NIST will run this
    2. ISDA access to server to examine logs and config files
    3. Process for updating config files
  • SPs on (are these dev or production in Pilot?):
    1. Stellar
    2. Jira
    3. Confluence
  • Work to support Stellar and Confluence external account holders
    1. IdP for external account holders
    2. Login server for external account holders
    3. LDAP directory for external accounts?

Development Tasks:

WebAuth-specific work:
    (some of the work is in progress, if not nearly completed, and some is less relevant if we're only going to deploy Shibboleth on application servers)

- Get MIT server certs for login server

- Customize/redesign login page:
  - Support both Kerberos (SPNEGO) and MIT Certificates, per user
    option
  - Look and feel

- Customize/redesign confirm page:
  - Change to support two remote-user options (SPNEGO or Certs) -
    this means changing saved cookie and login.fcgi script
  - Look and feel

- Customize Help page
  - How to configure browser (accept cookies, SPNEGO, certificate)
  - Point to doc for Web server admins?

- Provide a page from which users can change their remote-user option
    Currently this can only be done from the confirm page. (Perhaps not strictly required for a pilot, but it probably should be done.) Has UI needs.

- Provide some logout ability (though that won't be global logout).  
    Both Shibboleth and WebAuth provide some non-global logout ability, so this may just be a matter of configuring things, customizing or providing sample pages, etc.

- Document how to configure application web server for simple auth,
  delegated credentials, force username/password, logout.

Shibboleth-related work:
    Obviously we need to discuss these further. This list does not take into account the possible expanded scope due to Stellar requirements.

- decide on certificate scheme/setup (NIST)
  - use Apache/SSL cert for Shibboleth too?
  - SP needs client cert as well as server
  - inline cert data, or use CA?

- sample jsp SP code

- web server script to generate SP xml files, metadata

- IdP script to regenerate its metadata (e.g. for a new SP)

- Attribute release

- Solaris builds - what versions, etc.?

- IIS?

- get/setup test machines from NIST?

- federation?  metadata update system (cron job)

- integrate Webauth/Shibboleth - minimally fix confirmation page

- document Shibboleth setup

- load balance/failover setup?? - untested

- customize error pages, etc.

- set up source repository, build procedures, download sites, etc.
