Signet Working Group conference call
January 6, 2006
*Attendees*
Lynn McRae, Stanford U. (chair)
Andy Cohen, Stanford U.
Minh Nguyen, Stanford U.
Tom Barton, U. Chicago
Gary Brown, U. Bristol
Tom Poage, U. C., Davis
Joy Veronneau, Cornell U.
Karel Sedlacek, Cornell U.
Andrea Beesing, Cornell U.
Butch Labrecque, Cornell U.
Steven Carmody, Brown U.
Ann West, EDUCAUSE/Internet2
Renee Frost, Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)
New *Action Items*
[AI] {Lynn} will forward Tom’s email (2-Oct) regarding the Grouper source adapter to the Group.
Carry Over *Action Items*
[AI] Those interested in attending the workshop should contact Ann with available dates; Ann will schedule the event so all interested can attend. (9-Dec-05)
[AI] {Bob} will send .htaccess local syntax to the group via the list.
[AI] {Tom} will send a few brief Signet case studies to the group via the list.
[AI] {Group} will develop use cases for Signet.
[AI] {Jennifer} will solicit on site feedback from UC Davis about the UI demo/mock up.
[AI] {Minh} will develop a list of requirements for how Signet will interface with LDAP and Grouper.
[AI] {Tom, Jennifer, and Gary Brown} will discuss the modularity of Signet's UI and the internationalization of code for Grouper and Signet. There will be a separate call for this item.
[AI] {Lynn} will write up a person and function summary to express the relationship of privileges to roles and to determine what gets expressed in the eduPerson entitlement space.
*Discussion*
The Signet/Grouper Early Adopters Deployment workshop now has a tentative date of March 22-24. {Ann} will email invitations to interested parties, as details are finalized.
{Lynn} had emailed the Group a link to a downloadable Signet demo: a bundled version that includes Tomcat and a database, which one can simply download and run. The Group discussed packaging options and whether a bundled version would be useful to deployers. Several people commented that while it is useful for someone who simply wants to load Signet quickly, it is not practical for those moving to a production deployment. One option would be to offer two versions on the product site, the distribution with and without the bundled extras, with Ant told at build time whether to include the extras. Those interested in the bundled version are likely aiming to show it to management, while those interested in a leaner version would be moving on to a real installation of the product; this also suggests that second-stage users would already have an understanding of Tomcat, etc. The Group also discussed including the source tarball with the non-QuickStart distribution.
{Tom Barton} raised the issue of ensuring that the various I2MI tools (Shibboleth, Grouper, and Signet) are harmonious, in terms of housing the distributions in a common folder (cf. email of 5-Jan). There may also be sufficient reason to keep separate libraries in instances where an upgrade is not needed or desired for one of the products. {Tom} suggested that the developers collaborate and show each other which third-party libraries they are using. Reducing confusion for deployers should be a common goal when the effort for the developers is minimal by comparison. These ideas should be kept in mind as the products are developed and made available to the community.
{Lynn} has been working on creating a single ‘fake’ community as the demo subject population. He is working on the naming convention for common subject titles, taking into account organizational structures beyond the typical US scenario; for example, the head of an institution may be titled Vice Chancellor rather than President. The current KITN demo may accommodate these ideas by having more than one campus location (overseas, VO, etc.), so that the user can always work with familiar terms.
{Lynn} is considering using names from the <signet-dev> list, and suggested that anyone opposed to having their name used may opt out by contacting him. Another item is creating a large enough name base (1,000+) that searches return enough matches to exercise large result sets. Just as one can view all privileges for a certain subject, it is also possible to view privileges assigned by a group.
The Group discussed security measures and agreed that Signet and Grouper should work together to avoid duplicating effort. A separate meeting on general security for the I2MI products will follow.
A person's complete set of privileges includes those directly assigned to the individual, as well as those currently inherited through membership in a group that has assigned privileges. These have two manifestations:
- Within the UI (or a derived report) showing all of a person's privileges
- As part of provisioning (output in the XML document)
The latter has the same content as the former, but differs in the scaling issues involved: provisioning must push out changes driven by monitored changes in group memberships.
There are privacy issues in revealing the workgroup memberships that are the source of privileges. One Subject API requirement that could address this is the ability to pass the Subject ID of the person making any query through a source adapter, so that visibility rules can be applied at the source of the information.
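The two points above (effective privileges as direct plus group-inherited, and visibility rules applied at the source according to who is asking) are illustrated by the following added example. It is not Signet or Grouper code; the classes and functions (Privilege, GroupSource, effective_privileges, privileges_for_viewer, subjects_to_reprovision) and the sample population are hypothetical and constructed for this illustration. It also shows the provisioning side of the scaling remark: given a membership change in one group, only the subjects whose effective privileges actually changed need to be reprovisioned.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Privilege:
    """One privilege with its provenance: 'direct' or 'group:<group-id>'."""
    function: str
    scope: str
    via: str


class GroupSource:
    """Hypothetical stand-in for a Grouper-style source adapter.

    Besides membership lookups it accepts the Subject ID of the querier, so
    that visibility rules can be applied at the source of the information.
    """

    def __init__(self, members, visible_to):
        self._members = {g: set(m) for g, m in members.items()}
        # group -> set of subject ids allowed to see its membership,
        # or the string "*" for a group whose membership is public
        self._visible_to = visible_to

    def groups_of(self, subject_id):
        return {g for g, m in self._members.items() if subject_id in m}

    def members_of(self, group):
        return set(self._members.get(group, set()))

    def membership_visible(self, group, querier_id):
        allowed = self._visible_to.get(group, set())
        return allowed == "*" or querier_id in allowed


def effective_privileges(subject_id, direct, group_assigned, source):
    """Direct assignments plus those inherited via current group memberships."""
    privs = {Privilege(f, s, "direct") for f, s in direct.get(subject_id, ())}
    for group in source.groups_of(subject_id):
        for f, s in group_assigned.get(group, ()):
            privs.add(Privilege(f, s, "group:" + group))
    return privs


def privileges_for_viewer(subject_id, querier_id, direct, group_assigned, source):
    """UI/report view for querier_id: the privilege content is unchanged, but
    the group that is the source of an inherited privilege is withheld when
    the querier is not allowed to see that group's membership."""
    shown = set()
    for p in effective_privileges(subject_id, direct, group_assigned, source):
        if p.via.startswith("group:"):
            group = p.via[len("group:"):]
            if not source.membership_visible(group, querier_id):
                p = Privilege(p.function, p.scope, "group:(not visible)")
        shown.add(p)
    return shown


def subjects_to_reprovision(group, old_members, new_members, group_assigned):
    """Given a membership change in one group, return only the subjects whose
    effective privileges changed: nobody if the group carries no privileges,
    otherwise exactly those who joined or left."""
    if not group_assigned.get(group):
        return set()
    return set(old_members) ^ set(new_members)


# Constructed sample population for the example (not real data).
DIRECT = {
    "alice": {("approve-purchase", "dept:chem")},
}
GROUP_ASSIGNED = {
    "chem-faculty": {("view-grades", "dept:chem")},
    "finance-admins": {("approve-purchase", "all")},
    "social-committee": set(),  # a group with no privileges attached
}
SOURCE = GroupSource(
    members={
        "chem-faculty": {"alice", "bob"},
        "finance-admins": {"carol"},
        "social-committee": {"alice", "carol"},
    },
    visible_to={
        "chem-faculty": "*",
        "finance-admins": {"carol", "dave"},  # membership is sensitive
        "social-committee": "*",
    },
)


if __name__ == "__main__":
    # bob sees carol's privilege but not that finance-admins is its source
    for p in sorted(privileges_for_viewer("carol", "bob", DIRECT, GROUP_ASSIGNED, SOURCE), key=str):
        print(p)
```

The design point is that the querier's Subject ID travels with the membership lookup, so the redaction happens where the membership data lives rather than in every UI or report that happens to display provenance.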
The next Signet WG call will be held on Friday, January 20, 2006 at 11am ET.