Work in progress!!!!
...
Provide some context and plan for the transition service. What is in place now, what is the rough timeline for the service: for example reach pilot by time a, run pilot for period p and based on results run the service in production by time c. Give some view on what happens with the technical infrastructure through this - i.e. the installation will remain ... Example from managed IdP transition below:
Relation to pilot
The pilot is running on testing-level virtual machines (Okeanos). A continuation on those VMs is not foreseen. The production system is an installation "from scratch".
Accounts created in the pilot installation remain valid until their expiry, or 01 Dec 2018 (whichever comes FIRST; expiry date of intermediate CA).
For the RADIUS authentication of these pilot-phase accounts, there are two options:
- keep the Okeanos-based RADIUS servers running until 01 Dec 2018 (preferred option)
- add the pilot-phase Client Root CA and Client Intermediate CA as trusted on the production servers, so they can authenticate the pilot users.
We have to keep the management UI and the OCSP responder online until 01 Dec 2018 so that activities such as revocation are still possible.
delivery. Current plan is that the service beta becomes available from 1 July and runs for one year.
The transition generally consists of the following areas of work:
...
Define the people involved:
Teams/people:
- Service Owner: Marina Adomeit
- Member of the Technical Steering committee: Christos Kanellopoulos
- Member of the Governance engagementSteering Committee: Klaas Wierenga
- Lead Architect and member of the Technical Steering Committee: Leif Johanson
- Development team: Leif Johhanson, Fresia Perez Arriagada, Elena Rakhimova
- Operations team: Erik Bergstörm, Maria Haide Haider (Sunet)
- GEANT T&I operation support/Core team: Nicole Harris
- PLM product manager: Not applicable at the moment, this being a joint effort between GN4-3/GEANT, Internet2 and the RA21 initiative.
- Test team: ?WP9 - Marcin Wolski (ask what testing can be done)
- IPR: Magdalena Rzaca
- GDPR: Magdalena Rzaca GEANT GDPR team
- WP5 leaders ultimately responsible for the T&I service portfolio delivered through the GEANT project: Licia Florio, Marina Adomeit
Status | ||
---|---|---|
|
IN PROGRESS
DONE
No | Work item | Responsible | Comment | Status | End date |
---|---|---|---|---|---|
1 | Preparation of documentation | |||
Service Description | -Development team prepares -SO signs off |
Marina to give a try to document - talk to Outreach person for SPs Laura Paglione. She will be working to adapt the documentation from the github into docs that SPs can use. Marina to peer with her, and give her direct feedback - include Heather in this conversation as well. |
| ||||||
don | Service policy (Terms of use, SLA) | -Development team prepares -SO signs off |
Terms of use are out of scope for the service delivered by GEANT. It is the responsibility of seamlessaccess.org. Example from InAcademia https://inacademia.org/service-policy/, and eduroam https://www.eduroam.org/wp-content/uploads/2016/05/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf Marina can check if there is something additional in the contract, especially about whose responsibility it is to support the end-users. The SLA should be defined between seamlessaccess.org and GEANT. The beta service should be best effort (there could be some tension with the publishers though). For the beta service, there is an MoU which is being signed. (Update from 16 July: ORCID is the last one to sign, it should be done this week.) |
This should be done for the production service. The beta service is to test this out. |
Branding and Visibility | -Development team prepares -SO signs off |
This is probably not relevant to the part of the service delivered by GEANT. It is the responsibility of seamlessaccess.org. Info from July 2019 from Heather: There will be a website soon - we now have a UX person contracted (Sean, Chicago), and that's one of the things on his plate |
| ||||||
Operational Requirements | -Development team prepares -SO signs off |
Seamless Access Operational Requirements Marina to check if anything needs to be updated or what is missing. |
| ||||||
OLA | -Development team prepares -SO and GEANT T&I operation support/Core team sign off |
Seamless Access Operational Level Agreements - OLA This is between SUNET and GEANT. Draft OLA was defined and is within SUNET NOC for approval |
| |||||||
Deployment architecture |
-Development team prepares -SO signs off |
Need to define: service order (what happens from point of interest to service availability for a customer) and support process. Marina sent the questionnaire prepared by the Task 4 to Stefan to provide the info and Task 4 can draw the flow charts.
The questionnaire is here.
Not required for production sign-off.
Seamless Access Deployment Architecture Marina to set this up based on the OLA. |
| |||||||
Operational documentation and processes |
-Development team prepares -SO signs off |
| ||||||||||
User documentation | Who is responsible for this? |
| ||||||||
User support | Who is responsible for this? | In scope for seamless access. |
| |||||||
GDPR - data inventory, privacy notice, DPA | - |
GDPR team +SO + technical architect -GDPR accountable and |
SO signs off |
The main eduroam privacy notice was updated.
Signed off by the GDPR team on 26th of November 2018. Needs to be published in the eduroam site after the official launch.
DPA will be done together with the eduroam service DPA.
GDPR evaluation was done and conclusion is that Seamless Access does not process any personal data. |
|
2 | Test and validation | |||
Make a test plan | Development team and Test team prepares |
Testing of the code was done when the new version of CAT v2.0 was tested, as they use the same code base - no critical issues.
The testing of the UI and usability was also done. There are no bugs, recommendations for UI improvements were implemented by the Development team.
Pen/Security done by DFN cert. Additional testing could be done as well if skilled javascript testers can be found. |
|
3 | IPR compliance checking | |||
IPR compliance | IPR accountable + SO + technical architect Route the request through GEANT T&I operation support/Core team |
Stefan Winter prepared the IPR request (what are the software components, libraries, tools used) on this page.
Alan confirmed Shaun has approved on 06.11.18
GEANT IPR coordinator has signed off the IPR. Note that was given on 6th December 2019: "Update regarding the scanning of the code provided https://github.com/TheIdentitySelector in most of the files no source/binary files were detected, consequently no licence/vulnerabilities were detected…In the js-storage-master file there were 3 licences detected (MIT licences) – as this is permissive licence, there are no further issues with it." |
|
4 | GDPR compliance checking | GDPR accountable | ||
Data inventory and mapping | -GDPR team +SO + technical architect -GDPR accountable and SO signs off |
Conclusion is that SA doesn't process any personal data, so Data Inventory and Mapping are not needed. |
| |||||||||
Privacy notice and DPA | -GDPR team +SO + technical architect -GDPR accountable and SO signs off | Not needed. |
|
5 | Operational team establishment | |||
Appoint service owner | WP5 leaders |
It comes under the eduroam service family and existing service manager.
Done. The service owner is responsible for service as delivered via GEANT project. |
|
Define roles, skills, manpower needed | Development team |
We need to check this with what seamlessaccess.org, but if we deliver a service then it is our internal matter. |
| |||||||||
Appoint operational team members | Service Owner | Done |
| |||||||
6 | Operational team training | |||||||||
Training the operational team | Not needed |
| |||||||
7 | Support team establishment | ||||||
Establish the support team |
Level 1 done by the GEANT Service Desk, L2 will be over the eduroam-ot, L3 will be via the development team
Will be provided by seamless access, out of scope for GEANT |
|
8 | Support team training | |||
Training of the support team |
Will be provided by seamless access, out of scope for GEANT |
| ||||||||
9 | Deployment in production environment | ||||||||
Monitoring set up | Operations team based on the requirements from the |
technical lead and SO SO signs off when implemented |
| ||||||||
Back-up and restore | Operations team based on the requirements from the |
technical lead and SO SO signs off when implemented |
VM snapshots are backed up by GEANT IT as defined in the GÉANT PoP Backup policy.
Daily database snapshots are additionally kept at monitor.eduroam.org host.
Perform a smoke test to test the restore process as a whole!! The idea is to take a machine down and ask GEANT IT to restore.
Dick Visser is leading. OCSB machine is the best candidate.
Not needed |
| ||||||
VMs |
Operations team based on the requirements from the |
technical lead and SO SO signs off when implemented |
GEANT IT VMs
Installation of the components
Two nodes are provided by SUNET. Two nodes are operated on AWS. |
| |||||||
Deployment | Operations team based on the requirements from the |
technical lead and SO SO signs off when implemented |
Stefan, Tomasz, Maja
SMS service has been ordered and awaiting payment of bank transfer by GÉANT.
?
GEANT T&I operation support/Core team: can organise the root CA creation ceremony, and safe offline storing of the Raspberry PI (in a safe).
Dick Visser will see if there is a safe in the GEANT AMS office. If not, SA2 can purchase one.
In eduroam IdP Operational Processes page there is detail on setting up the CA.
Karl and Justin
Prepare all in the eduroam PR site, but publish when the production gate is passed. Web page draft at https://www.eduroam.org/eduroam-managed-idp/
Marina Adomeit, Miro and Karl prepared the final version only waiting to be published.
Justin
Added to the partner portal. In staging area ready to go live when service goes into production.
Two communications:
First to the participants who joined the infoshare to say that the gate is passed and service is coming
Second upon launch to the GEANT partner list.
Silvie
Went into October CONNECT
Miro has let the SG know to expect this. There are meetings in November and December.
CBA update
Costs and funding excel
Roadmap
CBA, costs and funding sheet, and roadmap all updated and put on JRA3 PLM staging site. Alan Lewis has reviewed and is content.
JRA3 PLM Staging Area#emidp-production-gate-documents
Marina Adomeit will, after the PLM gate, move the documentation from the JRA3 PLM staging site to the eduroam wiki pages.
Deployment is completed on SUNET nodes. In progress is deployment on AWS nodes. |
| |||||||||
CDN | Provided by Fastly. The bill is currently picked up by SUNET, but this should move to GEANT. |
| ||||||||
10 | Service Promotion | |||||||||
NA, responsibility of the seamless access | Will be provided by seamless access, out of scope for GEANT. Outreach person for SPs Laura Paglione (laura@seamlessaccess.org). Feel free to reach out to her if you have questions or ideas. |
| ||||||||
11 | PLM Documentation | |||||||||
TBD if applicable |
|
Other notes: the success criteria - what do we consider to be the success criteria for the project, from the GEANT side.