
Draft Minutes: Grouper call 11-Sept-2013

Attending

Tom Barton, U. Chicago (Chair)
Jim Fox, U. Washington
Bill Thompson, Unicon
Chris Hyzer, U. Penn
Shilen Patel, Duke
Dave Langenberg, U. Chicago
Steve Olshansky, Internet2
Emily Eisbruch, Internet2, scribe

New Action Items

[AI] (Bill) provide a summary of considerations around potentially keeping Grouper software files on GitHub

[AI] (Chris) do additional follow-up on the U. Penn Grouper security analysis.

[AI] (Emily) put Dave's message on supporting and patching previous Grouper releases in the appropriate places on the Grouper website and wiki, with edits as needed. Inform the core group when done.  https://spaces.internet2.edu/pages/viewpage.action?pageId=41582755

Carry Over Action Items

[AI] (Chris) inform the list about the new security form and the Grouper-Announce list.

[AI] (Dave) touch base with TomZ around PSP support issues

[AI] (Andrew) let us know what emerges from the Apereo security notification process work.

[AI] (Shilen) email the Grouper-users lists to ask who is using the legacy attributes and ask how they are using them

DISCUSSION

Internet2 Website Migration

https://blogs.internet2.edu/archives/1783

Internet2's new website is scheduled to go live on Friday, Sept. 20
The new website is built using Django CMS
The plan is that redirects will be put in place from the old Grouper website to the new URLs

TSG (Internet2 Tech Support) suggests that once the new website is in place, Grouper software files should still be uploaded to the same location (webprod0). However, a reverse proxy may be needed. Chris will follow up on this.

Bill stated it may be worth looking at using GitHub as the public repository for the Grouper source code.
[AI] (Bill) provide a summary of considerations around potentially keeping Grouper software files on GitHub

French Translation of Grouper Admin UI

https://lists.internet2.edu/sympa/arc/grouper-users/2013-08/msg00062.html

Appreciation to Jérémy Gasperowicz of Université d'Artois for providing a French translation of the Grouper UI with well-encoded accents.
 
Tom has asked Sebastian Gagne to validate the French UI and is waiting to hear back if Sebastian is able to do this.

Chris noted that there is a feature that allows Grouper to detect the browser location (country) and use different text for the UI based on that location. We may want to keep this in mind for the future.

Grouper Security

Chris reported on the recent penetration (pen) testing of Grouper at U. Penn.
Testing involved:
- URL modification
- Application security (trying to modify groups without correct permissions)
- SQL injection
The testing did not reveal security vulnerabilities.

Another security testing step is to ask the U. Penn Office of Audit and Compliance to run WebInspect. Chris will follow up on WebInspect.

[AI] (Chris) do additional follow-up on the U. Penn Grouper security analysis.

In addition, Chris will look at a tool suggested by Tom to check for cross-site request forgery and report back.

Security Report Form

The new Security Issue Report form is in place: https://spaces.internet2.edu/display/Grouper/Grouper+Security+Issue+Report+Form

The Grouper-announce list has been established for security notifications, but it will take time to get users to subscribe to it. In the meantime, the plan is to send security alerts to Grouper-users@internet2.edu, Grouper-dev@internet2.edu and Grouper-announce@internet2.edu.

Patch history is found on this page: https://spaces.internet2.edu/display/Grouper/Grouper+security+patches

Policy on Support of Previous Grouper Releases

DaveL drafted this support policy: https://spaces.internet2.edu/pages/viewpage.action?pageId=41582755

Emily will move this to the production area of the wiki and create the appropriate links to it.

[AI] (Emily) put Dave's message regarding support and patching of previous releases in the appropriate places on the Grouper website and wiki, with edits as needed. Inform the core group when this is done.  https://spaces.internet2.edu/pages/viewpage.action?pageId=41582755
 
OAuth and Grouper

OAuth is a standard that many campuses are investigating.
Should Grouper support OAuth with Grouper Web Services?

Issue: If JavaScript is required to send a secret to OAuth to get the access token, this could be seen as a lot of work versus relying on the username and password and using Grouper roles to control access.

- An OAuth advantage is that it's more transparent, and there is no login box in the user's browser.
- Chris: Implementing OAuth is not that hard, but we should wait for a real-world use case to emerge.
- SURFnet wants OAuth support in the SCIM work, but beyond that, we can hold off on further work until there is a request.
- Tom noted that OAuth may well become more important at U. Chicago, with the upcoming Workday implementation.

CAS and OAuth and Grouper

Bill noted that CAS has the ability to act as an OAuth server and client. See https://wiki.jasig.org/display/CASUM/OAuth

A possible proof of concept is using CAS to handle the OAuth protocol and Grouper to decide who (services, people, etc.) is able to get access tokens for which services and for what scope. CAS would delegate the actual authZ decision to Grouper but would otherwise handle the OAuth protocol. Grouper is the PAP and PDP, CAS is the OAuth AS, and the target service is the PEP.

Next Grouper call: Wed. 25-Sept-2013 at noon ET

***************************
Upcoming Meetings

- TERENA TF-EMC2 & TF-MNM, Malaga, Spain, Oct 15-17, 2013
- Identity Week, San Francisco, Nov 11-15, 2013  http://www.incommon.org/idweek/
***************************
