gsk short term roadmap

Fri, Dec 8, 2006

Following on from the success of the GSK proof of concept, I’ve sorted out the classloader issues and cleaned out /shared/lib so all the Guanxi SP specific libraries now reside in /webapps/shibb/WEB-INF/lib. Here’s what the layout looks like now. All paths are relative to TOMCAT_HOME:

/components/sakai-guanxi-pod-manager-pack - provides GSKPod services for the shibb portal to use
/components/sakai-guanxi-user-pack - the Guanxi UserDirectoryProvider and GroupProvider implementations

/shared/lib/sakai-guanxi-gskpod-api-1.0.jar - the GSKPod api. Implementations of GSKPod (Guanxi Shibb Kit Pod) offer SAML attribute policy enforcement etc.
/shared/lib/sakai-guanxi-pod-manager-api-1.0.jar - the Guanxi PodManager api. Implementations of this allow the shibb portal to register GSKPods with Sakai

/webapps/shibb - the Guanxi Shibboleth portal. This is where it all happens. Users get here after they’ve been through the Shibboleth process.

It’s certainly alpha at the moment as it only works with the Guanxi IdP on my machine, since I’ve set up the attribute mapping rules to support the crude profile I’ve created to get the shibb portal working. To get in to Sakai via Shibboleth you need these attributes. You’ll notice they’re tightly bound to Sakai’s UserEdit:

  • sakaiUserID - currently mapped from our LDAP’s cn attribute. This is the Sakai eid.
  • sakaiFirstName - currently mapped from our LDAP’s givenName attribute
  • sakaiLastName - currently mapped from our LDAP’s sn attribute
  • sakaiMail - currently mapped from our LDAP’s mail attribute
I haven’t bothered with URNs on the attribute names as this is alpha. What should probably happen is that a Sakai attribute namespace is defined, urn:org:sakai or something similar, and IdPs can map accordingly. Well, the Guanxi IdP can map; I’m not sure about other IdP implementations. The 4 attributes listed above can be handled by eduPerson though.

What’s not clear yet is the group memberships coming in from Shibboleth. In which attribute should they be held? If we define our own we risk excluding IdPs that can’t map. Is that a good thing? It’s not good or bad I suppose. Certainly, however, the technical limitations of a Shibboleth implementation should not affect how Sakai defines attribute sets. This is policy. IdPs must satisfy the policy or their users won’t get in.

So there are a few steps to take to get to a beta release. I’d say I’m in alpha at the moment as the GSKPod only works with raw HTTP headers containing attribute names and values. I’ve just noticed that the Guanxi Pod from the Guard doesn’t cache the raw SAML assertions. Instead it just passes them to a Bag, which streams them through a SAX parser into their constituent attribute names and values. I’ve never really used the Bag in anger, so now it’s time to refactor it to cache the raw SAML assertions. The shibb portal can then add them to the GSKPod it registers when the user gets past Shibboleth. So what do I have to do in the short term to get to beta?
  • Refactor the Guanxi Guard Pod and Bag subsystem to cache raw SAML assertions from an IdP. This will result in a point release of the Guanxi SP.
  • Add SAML assertion support in GSKPod. Currently it’s just mirroring Sakai’s UserEdit structure. The fields are set according to attributes in the HTTP headers.
  • Add a GSKPod factory so GSKPod implementations can be changed.
  • Sort out some form of error reporting to the user if they have a problem with their Pod or they can’t get in to Sakai via /shibb/gx.
  • Implement logout for a Shibboleth user
  • Implement all the methods in GuanxiUserDirectoryProvider and the corresponding helper methods in PodManager
  • Add the Guanxi Engine to the distribution. Currently /shibb/gx is using the Engine on my machine.
  • Come up with a first pass attribute profile, possibly using eduPerson, possibly not.
That should bring it up to beta and ready for testing. Once I’ve got my head round Subversion I’ll commit the whole lot to Sakai’s contrib.

Then the work will begin on SAML assertion policy enforcement. Attribute TTLs and Audiences etc. That should be interesting.
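As an added illustration of the two pieces described above, the IdP-to-Sakai attribute mapping and the assertion policy enforcement that the cached raw assertions will make possible, here is a small Python example. It is not Guanxi or Sakai code (the real Pod/Bag code is Java and SAX-based); it uses ElementTree to pull the attribute names and values out of a SAML 1.1 assertion, checks the Conditions (NotBefore/NotOnOrAfter as the TTL, AudienceRestrictionCondition as the audience) before trusting anything in it, and only then maps cn/givenName/sn/mail onto the four Sakai fields. The sample assertion, the issuer, the audience URL and the attribute values are all constructed for the example; signature verification is assumed to have happened upstream and is not shown.

```python
# Added example (not Guanxi/Sakai project code): parse a SAML 1.1 assertion,
# enforce its Conditions (validity window and audience) and map the released
# attributes onto the four Sakai UserEdit fields the post lists.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Hypothetical IdP attribute name -> Sakai field, as described in the post.
ATTRIBUTE_MAP = {
    "cn": "sakaiUserID",
    "givenName": "sakaiFirstName",
    "sn": "sakaiLastName",
    "mail": "sakaiMail",
}

# Constructed sample assertion: issuer, audience, handle and values are made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-example" Issuer="idp.example.org"
    IssueInstant="2006-12-08T10:00:00Z">
  <saml:Conditions NotBefore="2006-12-08T10:00:00Z" NotOnOrAfter="2006-12-08T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sakai.example.org/shibb/gx</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>_constructed-handle</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="cn"><saml:AttributeValue>asmith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="sn"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="mail"><saml:AttributeValue>asmith@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

EXPECTED_AUDIENCE = "https://sakai.example.org/shibb/gx"   # this SP's identity (constructed)
NOW_VALID = datetime(2006, 12, 8, 10, 2, 0, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2006, 12, 8, 10, 5, 0, tzinfo=timezone.utc)  # NotOnOrAfter is exclusive


def _saml_time(value):
    """Parse the UTC xsd:dateTime form (trailing Z) used in SAML 1.1 assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion, now, expected_audience):
    """Return None when the Conditions are satisfied, otherwise the reason to deny."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return "Conditions lack a validity window"
    if now < _saml_time(not_before):
        return "assertion not yet valid"
    if now >= _saml_time(not_on_or_after):
        return "assertion expired"
    audiences = [a.text.strip()
                 for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)
                 if a.text]
    if not audiences:
        return "no AudienceRestrictionCondition"
    if expected_audience not in audiences:
        return "assertion not addressed to this SP"
    return None


def extract_attributes(assertion):
    """Collect AttributeName -> [values] from every AttributeStatement."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return attrs


def evaluate(xml_text, now, expected_audience):
    """Return ("ok", sakai_fields) or ("deny", reason); nothing is mapped before policy passes."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{SAML1}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ("deny", "no saml:Assertion found")
    reason = check_conditions(assertion, now, expected_audience)
    if reason:
        return ("deny", reason)
    released = extract_attributes(assertion)
    pod = {}
    for idp_name, sakai_field in ATTRIBUTE_MAP.items():
        values = released.get(idp_name, [])
        if values:
            pod[sakai_field] = values[0]   # UserEdit fields are single-valued
    missing = sorted(set(ATTRIBUTE_MAP.values()) - set(pod))
    if missing:
        return ("deny", "missing required attributes: " + ", ".join(missing))
    return ("ok", pod)


if __name__ == "__main__":
    print(evaluate(SAMPLE_ASSERTION, NOW_VALID, EXPECTED_AUDIENCE))
    print(evaluate(SAMPLE_ASSERTION, NOW_EXPIRED, EXPECTED_AUDIENCE))
```

The ordering is the point: the validity window and audience are checked against the raw assertion first, and the Sakai fields are populated only from an assertion that passed, which is exactly what reading attribute names straight out of HTTP headers cannot give you. Missing required attributes are a denial rather than a half-filled Pod.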
