gsk short term roadmap
Fri, Dec 8, 2006
Following on from the success of the GSK proof of concept, I’ve sorted out the classloader issues and cleaned out /shared/lib so all the Guanxi SP specific libraries now reside in /webapps/shibb/WEB-INF/lib. Here’s what the layout looks like now. All paths are relative to TOMCAT_HOME:
- /components/sakai-guanxi-pod-manager-pack - provides GSKPod services for the shibb portal to use
- /components/sakai-guanxi-user-pack - the Guanxi UserDirectoryProvider and GroupProvider implementations
- /shared/lib/sakai-guanxi-gskpod-api-1.0.jar - the GSKPod API. Implementations of GSKPod (Guanxi Shibb Kit Pod) offer SAML attribute policy enforcement etc.
- /shared/lib/sakai-guanxi-pod-manager-api-1.0.jar - the Guanxi PodManager API. Implementations of this allow the shibb portal to register GSKPods with Sakai.
- /webapps/shibb - the Guanxi Shibboleth portal. This is where it all happens. Users get here after they’ve been through the Shibboleth process.
It’s certainly alpha at the moment: it only works with the Guanxi IdP on my machine, as I’ve set up the attribute mapping rules to support the crude profile I created to get the shibb portal working. To get into Sakai via Shibboleth you need these attributes. You’ll notice they’re tightly bound to Sakai’s UserEdit:
- sakaiUserID - currently mapped from our LDAP’s cn attribute. This is the Sakai eid.
- sakaiFirstName - currently mapped from our LDAP’s givenName attribute
- sakaiLastName - currently mapped from our LDAP’s sn attribute
- sakaiMail - currently mapped from our LDAP’s mail attribute
The short term roadmap:
- Refactor the Guanxi Guard Pod and Bag subsystem to cache raw SAML assertions from an IdP. This will result in a point release of the Guanxi SP.
- Add SAML assertion support in GSKPod. Currently it’s just mirroring Sakai’s UserEdit structure, with the fields set from attributes in the HTTP headers.
- Add a GSKPod factory so GSKPod implementations can be changed.
- Work out some form of error reporting for users who have a problem with their Pod or can’t get into Sakai via /shibb/gx
- Implement logout for a Shibboleth user
- Implement all the methods in GuanxiUserDirectoryProvider and the corresponding helper methods in PodManager
- Add the Guanxi Engine to the distribution. Currently /shibb/gx is using the Engine on my machine.
- Come up with a first pass attribute profile, possibly using eduPerson, possibly not.
Then the work will begin on SAML assertion policy enforcement: attribute TTLs, Audiences and so on. That should be interesting.
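As an added illustration of the two pieces above, the SAML assertion support in GSKPod and the TTL/Audience policy enforcement that follows it, here is a small Python example (my own, not Guanxi or Sakai code) that applies a SAML 1.1 assertion’s Conditions and then pulls out the four Sakai attributes. The assertion, the hostnames and the function names are constructed for the example, and it assumes the Guard has already verified the assertion’s signature before this policy step runs.

```python
# Added example (not Guanxi code); assumes the Guard already verified the assertion's signature.
import xml.etree.ElementTree as ET
from datetime import datetime
NS = "{urn:oasis:names:tc:SAML:1.0:assertion}"
REQUIRED = ("sakaiUserID", "sakaiFirstName", "sakaiLastName", "sakaiMail")
# Constructed assertion in the shape a Guanxi IdP might issue; hostnames and values are made up.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
  AssertionID="_a1" IssueInstant="2006-12-08T10:00:00Z" Issuer="https://idp.example.org/guanxi">
  <saml:Conditions NotBefore="2006-12-08T10:00:00Z" NotOnOrAfter="2006-12-08T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sakai.example.org/shibb</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="sakaiUserID"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="sakaiFirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="sakaiLastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="sakaiMail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    # SAML timestamps end in "Z"; fromisoformat only accepts +00:00 before Python 3.11
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def pod_from_assertion(xml_text, our_audience, now):
    """Return the Sakai UserEdit attributes, or raise ValueError naming the policy that refused them."""
    root = ET.fromstring(xml_text)
    cond = root.find(NS + "Conditions")
    if cond is None:
        raise ValueError("no Conditions element, so no TTL or Audience policy can be applied")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")  # TTL bounds; both optional in SAML 1.1
    if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
        raise ValueError("assertion is outside its NotBefore/NotOnOrAfter window")
    if our_audience not in [a.text for a in cond.iter(NS + "Audience")]:
        raise ValueError("assertion was not issued for audience " + our_audience)
    attrs = {}
    for att in root.iter(NS + "Attribute"):
        val = att.find(NS + "AttributeValue")
        attrs[att.get("AttributeName")] = (val.text or "").strip() if val is not None else ""
    missing = [n for n in REQUIRED if not attrs.get(n)]
    if missing:
        raise ValueError("Sakai UserEdit fields missing from assertion: " + ", ".join(missing))
    return {n: attrs[n] for n in REQUIRED}

def rejection_reason(xml_text, our_audience, now):
    # The message the shibb portal could show the user when the assertion is refused; None if accepted
    try:
        pod_from_assertion(xml_text, our_audience, now)
    except ValueError as e:
        return str(e)
    return None
```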