eduroam Managed IdP service should transition from its pilot under the JRA3, into the SA2 production operations. The exit pilot gate was approved by the PLM on 25th of June , officially marking the start of transition.What is the relations to pilot - something to move or install from scratch
Relation to pilot The pilot is running on testing-level virtual machines (Okeanos). A continuation on those VMs is not foreseen. The production system is an installation "from scratch". Accounts created in the pilot installation remain valid until their expiry, or 01 Dec 2018 (whichever comes FIRST; expiry date of intermediate CA). For the RADIUS authentication of these pilot-phase accounts, there are two options:
We have to keep the management UI and the OCSP responder online until 01 Dec 2018 so that activities such as revocation are still possible. However, pilot-phase IdP administrators should not create new accounts on the pilot system when the production one is available. |
The transition generally consist of the following areas of work:
...
- Operations accountable: Marina Adomeit, Miroslav Milinović
- Development accountable: Ann Harding
- Development team: Stefan Winter, Justin Knight
- GEANT T&I operation support/Core team: Nicole Harris, Dick Visser
- PLM product manager: Alan Lewis
- Test team: Marcin Wolski
- Service manager (SM): Miroslav Milinović
- IPR accountable: Shaun Cairns
- GDPR accountable: Ana Alves
| Status | ||
|---|---|---|
|
IN PROGRESS
DONE
No | Work item | Responsible | Comment | Status | Start date | End date |
|---|---|---|---|---|---|---|
| 1 | Preparation of documentation - based on the SA2 Service Template | |||||
| Service Description | -Development team prepares -SM signs off | See section 1 of eduroam Managed IdP Service |
IN PROGRESS
(DEV TEAM DONE, awaiting sign-off)| Description |
| 09 July 2018 | SM signed off | ||||||
Service policy (Terms of use, SLA) | -Development team prepares - |
SM signs off | Separte policies for NROs, eduroam Managed IdP administrators and end users are described at eduroam Managed IdP Service Policy. |
Terms of use for NRO admins is published at: Terms of use for IdPs and end users is presented in the web UI of the service, and also at: |
| 09 July 2018 | SM signed off |
IN PROGRESS
(dev team done, awaiting sign-off)| Branding and Visibility | -Development team prepares -SM signs off | Web page text at https://www.eduroam.org/eduroam-managed-idp/ |
| 09 July 2018 | SM signed off |
IN PROGRESS
(dev team done, awaiting sign-off)| Operational Requirements | -Development team prepares - |
SM signs off | documented here |
| Feb 2018 | SM signed off | ||||||
| OLA | -Development team prepares -SM and GEANT T&I operation support/Core team sign off |
| eduroam Managed IdP OLA |
| Sep 2018 | SM signed off GEANT T&I operation signed off | |||||||||
| Operational documentation | -Development team prepares -SM signs off, test team can validate | Dev team prepared this in the corresponding Wiki page |
| 10 July 2018 | SM signed off | |||||||
| Operational processes | -Development team prepares -SM signs off, test team can validate | Need to define: service order (what happens from point of interest to service availability for a customer) and support process |
. Marina |
sent the questionnaire prepared by the Task 4 to Stefan to provide the info and Task 4 can draw the flow charts. The questionnaire is here. Not required for production sign-off. |
| 10 July 2018 | SM signed off | ||||||
| User documentation | -Development team prepares -SM signs off, test team can validate |
| 11 July 2018 | SM signed off | ||||||||||
| User support | -Development team prepares -SM signs off, test team can validate | Prepare the FAQ for the first level support. List is available here. Add them to the current FAQ that service desk uses + enable service desk to check by themselves if a user's IdP is managed eduroam IdP |
| 10 July 2018 | SM signed off | |||||||
| GDPR - data inventory, privacy notice, DPA | -Development team prepares -GDPR accountable and SM signs off |
Data inventory prepared as part of the eduroam one
The main eduroam privacy notice was updated. Signed off by the GDPR team on 26th of November 2018. Needs to be published in the eduroam site after the official launch. DPA will be done together with the eduroam service DPA. |
To be published at the eduroam site after the PLM gate! | June 2018 | GDPR team signed off |
IN PROGRESS
(dev team done, awaiting sign-off)| 2 | Test and validation | |||||
| Make a test plan | Development team and Test team prepares | Testing of the code was done |
when new version of CAT v2.0 was tested as there use the same code base - no critical issues. The testing of the UI and usability was also done. There are no bugs, recommendations for UI improvements were implemented by the Development team. Pen testing done - no critical issues. |
| SA2/Task 1 test team signed off | |||||||
| 3 | IPR compliance checking | ||||||||
| IPR compliance | IPR accountable Route the request through GEANT T&I operation support/Core team |
Stefan Winter prepared the IPR request (what are the software components, libraries, tools used) |
| 11 July 2018 | IPR team signed off |
| 4 | GDPR compliance checking | GDPR accountable | ||||||||||
| Data inventory and mapping | Data inventory is already prepared; with Nicole and Ana to carry out assessment |
| ||||||||||
| Update the privacy notice and DPA |
Look at the 1 - GDPR |
| GEANT T&I operation signed off GDPR team sign off |
| 5 | Operational team establishment | |||||||||||
| Appoint service manager | Operations accountable | It comes under the eduroam service family and existing service manager. |
| SA2 AL signed off | ||||||||
| Define roles, skills, manpower needed | Development team | As per current team for the skills, but additional time would be needed. |
| SM signed off | ||||||||
Appoint operational team members | SM | It could be done by the Srce & Maja/Tomasz team - for GN4-2, for GN4-3 it should be defined and clarified. (Dubravko could be Radius, Dragan for the system upgrades). Anticipating contribution at 0.45FTE from both Tomasz and Maja for GN4-3. The development support will be needed by Stefan&Tomasz |
| SM signed off |
| 6 | Operational team training | |||||
| Training the operational team | Development team prepares eduroam-OT is trained |
| Not needed. | SM signed off | |||||
| 7 | Support team establishment | |||||
| Establish the support team | Level 1 |
done by the |
GEANT Service Desk, L2 will be over the eduroam-ot, L3 will be via the development team Note: After PLM enter production gate, SM to notify L1 that the service production started |
| SM signed off | |||||||
| 8 | Support team training | ||||||||
| Training of the support team | Development team prepares eduroam-OT is trained |
| Not needed. |
| SM signed off | ||||||||
| 9 | Deployment in production environment |
| Monitoring set up | eduroam-OT | Provided by SRCE as part of the eduroam-OT | SM signed off GEANT T&I operation |
signed off | ||||||||||||
| Back-up and restore | eduroam-OT | VM snapshots are backed up by GEANT IT as defined in the GÉANT PoP Backup policy. Daily database snapshots are additionally kept at monitor.eduroam.org host. Perform a smoke test to test the restore process as a whole!! The idea is to take a machine down and ask GEANT IT to restore. Dick Visser is leading. OCSB machine is the best candidate. |
07.12.18 - GEANT IT confirmed machine will be restored. Dick to confirm when complete. | SM signed off GEANT T&I operation signed off |
Plan A : monitoring core team
Plan B can be covered by Miro - Nagios by Srce
Specific monitoring need to be scribed by the development team
| VM provision | GEANT T&I operation support/Core team |
Plan A: GEANT IT VMs (if in place till the end of July)
Plan B: Cloud VMs (if in place till end of August)
Plan C: SURFNet
GEANT IT VMs |
| SM signed off GEANT T&I operation signed off GEANT IT VMs were made available on | ||||||||
| Installation of the components | Stefan, Tomasz, Maja SMS service has been ordered and awaiting payment of bank transfer by GÉANT. |
|
| Raspberry Pi for the root CA | Development team GEANT T&I operation support/Core team |
Needs to be procured - Stefan will buy over Restena and claim over the project JRA3 / SA2
GEANT T&I operation support/Core team: can organise the root CA creation ceremony, and safe offline storing |
of the Raspberry PI (in a safe) |
. Dick Visser will see if there is a safe in the GEANT AMS office. If not, SA2 can purchase one. In eduroam IdP Operational Processes page there is detail on setting up the CA. |
|
. | ||||||
| 10 | Service Promotion | |||||
| Web site update |
PR team
Development team to provide the text
Marina can share a narrative template
Justin to check with Karl what is preparedKarl and Justin | Prepare all in the eduroam PR site, but publish when the production gate is passed. Web page draft at https://www.eduroam.org/eduroam-managed-idp/ |
A new page describing the service offering (similar to CAT).
Link that new page from the NRO page and Institution page.
IN PROGRESS
Justin
Marina Adomeit, Miro and Karl prepared the final version only waiting to be published. |
To be published at the eduroam site after the PLM gate! | SM signed off | ||||||||||
| Add the service to the partner services portfolio | Justin | Added to the partner portal. In staging area ready to go live when service goes into production. |
To be published at the eduroam site after the PLM gate! | SM signed off | ||||||||
| Contact the people/NRENs who took part in the infoshare to update them on service availability | Partner Relations | Two communications: First to the participants who joined the infoshare to say that the gate is passed and service is coming Second upon launch to the GEANT partner list. |
JK arranging with Nathalie 10.12.18 To be published at the eduroam site after the PLM gate! | JRA3 signed off | ||||||||
| Update eduroam flyer with the managed service element | Silvie |
| SM signed off | |||||||||
| Slide deck from the infoshares that can be sent out by Partner Relations to partner NRENs when service is live | Justin | Available |
To be published at the eduroam site after the PLM gate! | JRA3 signed off | ||||||||
| Training/info video to put on the website | Karl | Lower priority; not needed for production. | ||||||||||
| Article for CONNECT | Justin and Karl | Went into October CONNECT |
| JRA3 signed up | ||||||||
| Launch announcement in Tryfon's weekly email when reached | Justin and Tryfon | Arranged with Karl and Nathalie 10.12.18. Karl will prepare text, Marina to confirm when gate approved. |
To be published at the eduroam site after the PLM gate! | JRA3 signed off | ||||||||
| Twitter #love2eduroam upon launch | Karl | Not required for production gate. | ||||||||||
| Promotion via the eduroam-SG, by the service manager |
| Miro | Miro has let the SG know to expect this. There are meetings in November and December. |
| SM signed off | |||||||||
| A slide describing the service for the partner relations team (as part of the general GEANT services slide deck) | Karl |
| JRA3 signed off | |||||||||
| Decision about the geographical scope of the service offer - who can use the service | Klaas | Klaas confirmed 10.09.18 that the service can be offered to non-GEANT partners. The user cap of 10,000 will apply to all. |
| GEANT Chief Community Support Officer signed off. | ||||||||
| 11 | PLM Documentation | |||||||||||
CBA update Costs and funding excel Roadmap | Justin Knight | CBA, costs and funding sheet, and roadmap all updated and put on JRA3 PLM staging site. Alan Lewis has reviewed and is content. JRA3 PLM Staging Area#emidp-production-gate-documents Marina Adomeit will, after the PLM gate, move the documentation from the JRA3 PLM staging site to the eduroam wiki pages. |
| GEANT PLM signed off |