Hi,
All of the recent excitement has rather got in the way of an email I've been preparing for a few days:
I'm now getting towards the final stages of preparing our production IdP to go live, (although I still have to do all the HASHib stuff yet). I'm again feeling a bit like I'm wandering round in the dark as the advice around seems a bit on the thin side once you get here, particularly for those of us who don't normally do this stuff.
Can I ask all you folks who've been there before some advice:
1) What do you do about logging? I've heard mention of log4j for everything and am reading up on that now. Anyone using that - any cookbooks available for how you've set it all up? In the logs, how do you relate an ePTID that has been released to an SP to an actual user? Where is that logged? I can't see it in the shib log.
2) Hardening tomcat/apache/shib. Any advice on "hardening" all the bits and pieces for service, or am I best just following all the usual google advice?
3) EPTID salt. What kind of thing do you use for the salt in PersistentIDAttributeDefinition? Do you use that at all? I notice that the documentation for it has vanished from the wiki. Or do you use SAML2PersistentIDAttributeDefinition instead and deliver EPTID using that? I notice that the output it generates is very different; is it compatible?
4) Athens Permission Set. I see that the Eduserv documentation says to use eduPersonEntitlement, or that you can use a different attribute name. Which do you use? I see that Cardiff use a different one. If you use ePE, doesn't that mean that it gets populated with all kinds of values that are irrelevant elsewhere, although I suppose you restrict the release of values in the ARP?
5) In ScriptletAttributeDefinition, how do you find out the definition for the class "Attribute", as in:
    Attributes attributes = dependencies.getConnectorResolution("directory");
    Attribute memberOf = attributes.get("groupMembership");
In the examples (which have recently appeared) on the Internet2 Wiki (how I hate Wikis as a means of documentation!) and from my own experiments I've found that:
    .size() returns the number of values
    .get(x) returns a string containing the xth value
    .toString() converts the attribute to a string containing "attributetype: attributevalue(s)" - comma separated for multiple values
Is there anything else you can do?
I think that'll do for now, sorry if these are dumb questions, I used to think I was beginning to get a handle on this stuff but now seem to be lost again!
OK, who's going to write the "Preparing your IdP for Service" document?
Cheers
Andy
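As a worked illustration of the Attribute methods asked about in question 5, here is an added example (not from the original post, nor Shibboleth's own code) assuming the Attributes/Attribute objects handed to a scriptlet are the JNDI javax.naming.directory ones, which is what the directory connector returns. The group DNs and entitlement URNs are constructed placeholders, and the mapping is shown as a plain Java class rather than inside a <Scriptlet> element, so the scriptlet's resolverAttribute.addValue(...) calls are replaced by a returned set.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

public class GroupToEntitlementDemo {

    // Constructed stand-in for what the "directory" connector would return
    // for one user; the group DNs are made up for this example.
    static Attributes sampleDirectoryResolution() {
        Attributes attributes = new BasicAttributes(true); // ignore case in attribute IDs
        Attribute groups = new BasicAttribute("groupMembership", "cn=staff,ou=groups,o=example");
        groups.add("cn=library-users,ou=groups,o=example");
        attributes.put(groups);
        return attributes;
    }

    // Map group DNs to entitlement values, releasing only the ones an SP should see.
    // The URNs are placeholders, not real Athens permission-set values.
    static Set<String> entitlementsFor(Attributes attributes) throws NamingException {
        Set<String> entitlements = new LinkedHashSet<String>();
        Attribute memberOf = attributes.get("groupMembership");
        if (memberOf == null || memberOf.size() == 0) {
            return entitlements; // user has no groups: release nothing
        }
        // getAll() walks every value without index arithmetic; get(i) also works
        NamingEnumeration<?> values = memberOf.getAll();
        while (values.hasMore()) {
            String dn = values.next().toString().toLowerCase();
            if (dn.startsWith("cn=library-users,")) {
                entitlements.add("urn:mace:example.org:entitlement:placeholder-library-set");
            }
            if (dn.startsWith("cn=staff,")) {
                entitlements.add("urn:mace:example.org:entitlement:placeholder-staff-set");
            }
        }
        // contains() is an exact-value test, useful for a single membership check
        if (memberOf.contains("cn=staff,ou=groups,o=example")) {
            entitlements.add("urn:mace:example.org:entitlement:placeholder-staff-flag");
        }
        return entitlements;
    }

    public static void main(String[] args) throws NamingException {
        Attributes attrs = sampleDirectoryResolution();
        Attribute memberOf = attrs.get("groupMembership");
        System.out.println(memberOf.size() + " groups; first = " + memberOf.get(0));
        System.out.println("entitlements: " + entitlementsFor(attrs));
    }
}
```

Note that get(int), getAll() and contains() are all on the JNDI Attribute interface, so they are available in the scriptlet alongside size(), get(x) and toString(); get(int) can throw NamingException, which the scriptlet must allow for.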