SAML Federation /idP registration #55

Closed
1 of 7 tasks
cyork opened this issue Jul 28, 2020 · 4 comments
cyork commented Jul 28, 2020

LEAN Estimate: 3 days, 2x multiplier

SAML will be required for authentication for the iDC project. For each project domain we will have to generate 1 or more public/private keypairs and coordinate with IT@JH on establishing a trust in the Identity Provider (idP).

This is also dependent on HTTPS and DNS being completed.

Tasks

  • Determine the SAML attributes needed by the application
  • Determine if we will be running one Service Provider (SP) per project domain or many, one for each environment
  • For each service provider, we will need to generate a public/private key pair and the associated metadata
  • Send each public key and metadata file, along with the required attributes to IT@JH to be configured in the idP
  • Configure each SP with IT@JH provided data (link to metadata, idP hostname, etc)
  • Configure the required attributes in each SP
  • Configure each reverse proxy to talk to each SP and configure the protected locations

Risks

  • Dependent on IT@JH for idP configuration. If they are unwilling or unable to fulfill their end of the process, we are blocked
  • One single SP is a single source of failure for all environments
  • Multiple SP instances require that much more maintenance and public/private key pairs
  • Operations will need to perform this configuration
  • SAML certificates are 10 years by default

Assumptions

  • DNS tasks have been completed
  • HTTPS tasks have been completed
  • We have determined the number of SPs to run per project domain
  • We have determined the attributes required by the application
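The keypair-and-metadata tasks above, as an added shell example that is not part of the issue or the project: it generates a per-environment SP signing/encryption certificate with a one-year validity (the issue flags the 10-year default as a risk) and writes the SP metadata file that would be handed to the IdP operators. The hostname, entity ID and ACS URL are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): one SP keypair per environment with
# a 1-year validity instead of the 10-year default, plus the minimal SP
# metadata the IdP side needs. Hostnames/entity IDs below are assumptions.
set -u

# gen_sp_keypair ENV HOST [DAYS]: self-signed cert for signing/encryption
gen_sp_keypair() {
  env="$1"; host="$2"; days="${3:-365}"
  out="sp-${env}"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "${out}.key" -out "${out}.crt" -days "$days" \
    -subj "/CN=${host}" >/dev/null 2>&1 || return 1
  chmod 600 "${out}.key"          # private key never leaves the SP host
  # print notAfter so the validity window is reviewed rather than assumed
  openssl x509 -in "${out}.crt" -noout -enddate
}

# write_sp_metadata ENV HOST: EntityDescriptor with the cert embedded
write_sp_metadata() {
  env="$1"; host="$2"
  entity="https://${host}/saml/metadata"   # placeholder entity ID
  acs="https://${host}/saml/acs"           # placeholder ACS endpoint
  # X509Certificate carries the base64 body without the PEM armor lines
  b64=$(sed -e '/-----BEGIN/d' -e '/-----END/d' "sp-${env}.crt" | tr -d '\n')
  cat > "sp-${env}-metadata.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="${entity}">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>${b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>${b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="${acs}" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# usage: gen_sp_keypair dev sp-dev.example.org && write_sp_metadata dev sp-dev.example.org
```

Only the .crt and the metadata XML are sent to the IdP operators; the .key stays with the SP, and a new pair is generated per environment rather than shared.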
@derekbelrose derekbelrose self-assigned this Nov 11, 2020
@derekbelrose

We will run 1 SP per environment/namespace

@derekbelrose

Waiting to hear back from #idc regarding required attributes

@derekbelrose

Blocked by #64 and, possibly, #62

htpvu commented Apr 15, 2021

done by @jhujasonw as part of setting up the cloud instances.

@htpvu htpvu closed this as completed Apr 15, 2021