The eduroam Managed IdP service should transition from its pilot under JRA3 into SA2 production operations. The exit pilot gate was approved by the PLM on 25th of June, officially marking the start of the transition.
Relation to pilot

The pilot is running on testing-level virtual machines (Okeanos). A continuation on those VMs is not foreseen. The production system is an installation "from scratch". Accounts created in the pilot installation remain valid until their expiry, or 01 Dec 2018 (whichever comes FIRST; expiry date of intermediate CA). For the RADIUS authentication of these pilot-phase accounts, there are two options:

We have to keep the management UI and the OCSP responder online until 01 Dec 2018 so that activities such as revocation are still possible. However, pilot-phase IdP administrators should not create new accounts on the pilot system when the production one is available.
The transition generally consists of the following areas of work:
- Documentation preparation and signoff
- Test and Validation
- GDPR compliance checking
- IPR compliance checking
- Operational team establishment
- Operational team training
- Support team establishment
- Support team training
- Operational deployment
- Service promotion
Teams/people:
- Operations accountable: Marina Adomeit, Miroslav Milinović
- Development accountable: Ann Harding
- Development team: Stefan Winter, Justin Knight
- GEANT T&I operation support/Core team: Nicole Harris, Dick Visser
- PLM product manager: Alan Lewis
- Test team: Marcin Wolski
- Service manager (SM): Miroslav Milinović
- IPR accountable: Shaun Cairns
- GDPR accountable: Ana Alves
ON HOLD
IN PROGRESS
DONE
No | Work item | Responsible | Comment | Status | Start date | End date |
---|---|---|---|---|---|---|
1 | Preparation of documentation - based on the SA2 Service Template | |||||
Service Description | -Development team prepares -SM signs off | See section 1 of eduroam Managed IdP Service Description | DONE | 09 July 2018 | SM ready to sign off | |
Service policy (Terms of use, SLA) | -Development team prepares -GEANT T&I operation support/Core team signs off | Separate policies for NROs, eduroam Managed IdP administrators and end users are described at eduroam Managed IdP Service Policy. GEANT should sign it off as a legal body that is responsible for the service. | DONE | 09 July 2018 | SM ready to sign off | |
Branding and Visibility | -Development team prepares -SM signs off | Web page text at https://www.eduroam.org/eduroam-managed-idp/ | DONE | 09 July 2018 | SM ready to sign off | |
Operational Requirements | -Development team prepares -SM and core team sign off | documented here | DONE | Feb 2018 | SM ready to sign off | |
OLA | -Development team prepares -SM and GEANT T&I operation support/Core team sign off | https://docs.google.com/document/d/1ZlRTAEIjyd3wXiK4d0XnUJpFwRuXfWRniRRiYht21x8/edit | IN PROGRESS (dev team done, awaiting sign-off) Nicole also asked Tryfon and Matthew for a steer for GN4-3 approach, but got no answer. The aim is to standardize across the T&I services. | Sep 2018 | ? | |
Operational documentation | -Development team prepares -SM signs off, test team can validate | Dev team prepared this in the corresponding Wiki page | DONE | 10 July 2018 | SM ready to sign off | |
Operational processes | -Development team prepares -SM signs off, test team can validate | Need to define: service order (what happens from point of interest to service availability for a customer) and support process. Marina sent the questionnaire prepared by the Task 4 to Stefan to provide the info and Task 4 can draw the flow charts. The questionnaire is here. | IN PROGRESS (dev team done, awaiting sign-off) | 10 July 2018 | ? | |
User documentation | -Development team prepares -SM signs off, test team can validate | DONE | 11 July 2018 | SM ready to sign off | ||
User support | -Development team prepares -SM signs off, test team can validate | Prepare the FAQ for the first level support. List is available here. Add them to the current FAQ that service desk uses + enable service desk to check by themselves if a user's IdP is managed eduroam IdP | DONE | 10 July 2018 | SM ready to sign off | |
GDPR - data inventory, privacy notice, DPA | -Development team prepares -GDPR accountable and SM signs off - DPA? | Data inventory prepared as part of the eduroam one | IN PROGRESS (dev team done, awaiting sign-off) | June 2018 | ? | |
2 | Test and validation | |||||
Make a test plan | Development team and Test team prepare | Testing of the code was done. Penetration testing on the production deployment infrastructure (VMs) before "cutting the ribbon". To be scheduled when the production deployment is ready. 26.10.2018: the web front is ready for the pen testing; Marina Adomeit to send a request to Marcin Wolski. The testing of the UI and usability was also done. There are no bugs; improvements are to be fed into the next releases. | PEN IN PROGRESSDONE UI DONE | |||
3 | IPR compliance checking | |||||
IPR compliance | IPR accountable Route the request through GEANT T&I operation support/Core team | Alan confirmed Shaun Cairns is responsible. Alan Lewis to speak to Shaun. Stefan Winter prepared the IPR request (what are the software components, libraries, tools used) on this page. Alan Lewis will review this. | IN PROGRESS (dev team done, awaiting sign-off) | 11 July 2018 | ||
4 | GDPR compliance checking | GDPR accountable | ||||
Data inventory and mapping | Data inventory is already prepared; with Nicole and Ana to carry out assessment | DONE | ||||
Update the privacy notice | Stefan Winter to update the eduroam privacy notice (Nicole shared location via email) to include the managed eduroam IdP as well and Miroslav Milinović to check and approve. Publish once the production gate is passed. | Privacy notice to be sent to GDPR team to sign off Marina Adomeit on 29th of September. 26 October sent reminder email as no follow up happened | ||||
Prepare the data processing agreement | Should be part of the OLA. Nicole Harris has a template data processing agreement she can share. | |||||
5 | Operational team establishment | |||||
Appoint service manager | Operations accountable | It comes under the eduroam service family and existing service manager. | DONE(Miroslav Milinović) | |||
Define roles, skills, manpower needed | Development team | As per current team for the skills, but additional time would be needed. | DONE | |||
Appoint operational team members | SM | It could be done by the Srce & Maja/Tomasz team for GN4-2; for GN4-3 it should be defined and clarified. (Dubravko could be RADIUS, Dragan for the system upgrades.) Anticipating contribution at 0.45 FTE from both Tomasz and Maja for GN4-3. The development support will be needed by Stefan & Tomasz. | IN PROGRESS | |||
6 | Operational team training | |||||
Training the operational team | Development team prepares; eduroam-OT is trained | TBD; a couple of VCs should suffice | ||||
7 | Support team establishment | |||||
Establish the support team | Level 1 will be done by the SD, L2 will be via eduroam-OT, L3 will be via the development team | DONE | ||||
8 | Support team training | |||||
Training of the support team | Development team prepares; eduroam-OT is trained | TBD; a couple of VCs should suffice | ||||
9 | Deployment in production environment | |||||
Central monitoring set up | GEANT T&I operation support/Core team | Plan A: monitoring core team. Plan B: can be covered by Miro (Nagios by Srce). Specific monitoring needs to be described by the development team. | ON HOLD | |||
Back-up and restore | core team | Should be provided by GEANT IT. Perform a smoke test to test the restore process as a whole! The idea is to take a machine down and ask GEANT IT to restore. Dick Visser is leading. The OCSP machine is the best candidate. | IN PROGRESS | |||
Resource inventory configured | core team | when available by the core team, not a requirement for production | ON HOLD | |||
VM provision | GEANT T&I operation support/Core team | Plan A: GEANT IT VMs - going ahead with this option. Plan B: Cloud VMs Plan C: SURFNet | GEANT IT VMs were made available on DONE | |||
Installation of the components | IN PROGRESS | |||||
Raspberry Pi for the root CA | Development team GEANT T&I operation support/Core team | GEANT T&I operation support/Core team: can organise the root CA creation ceremony, and safe offline storage of the Raspberry Pi (in a safe). Dick Visser will see if there is a safe in the GEANT AMS office. If not, SA2 can purchase one. The eduroam IdP Operational Processes page has details on setting up the CA. | IN PROGRESS in RESTENA offices, still wrapped, awaiting details for key ceremony. From the 3rd October, the key ceremony can take place. Stefan Winter and Dick Visser will carry out the ceremony. Klaas or Nicole or Erik will need to attend in person; and Miro remotely. | |||
Stefan/Miro need to write this up in detail ... | ||||||
10 | Service Promotion | |||||
Web site update | Karl and Justin | Prepare all in the eduroam PR site, but publish when the production gate is passed. Web page draft at https://www.eduroam.org/eduroam-managed-idp/ On the eduroam Managed IdP webpage add that the service is free of charge for up to 10,000 user accounts per NRO, and that it is up to the NRO how those 10,000 accounts are spread across their institutions. The page should then go under the Support menu, underneath CAT. To be linked from the eduroam for NRO page and eduroam for institutions. On the institutions’ page, note that the institution needs to talk to their NRO to get the service, as the relationship is between GEANT and the NRO. Will need to add how to sign up to the service. | IN PROGRESS | |||
Add the service to the partner services portfolio | Justin | Talk to Silvie Francisci silvie.Francisci@geant.org about the Partner Portal and getting the service in there. Note with partner portal that it also shows what services NRENs have taken, so whenever an NREN adopts the service the partner relations team should be updated by the Service Manager (Miro) so they can update the NREN's specific portal page. Build this into the service management flow. | Working with Silvie and Karl to provide text to add. | |||
Contact the people/NRENs who took part in the infoshare to update them on service availability | Partner Relations | Two communications: first, to the participants who joined the infoshare, to say that the gate is passed and the service is coming; second, upon launch, to the GEANT partner list. | DONE | |||
Update the eduroam flyer with the managed service element | Silvie | Justin contact silvie.Francisci@geant.org | DONE | |||
Slide deck from the infoshares that can be sent out by Partner Relations to partner NRENs when service is live | Justin | Available | DONE | |||
Training/info video to put on the website | Karl | Lower priority. | ||||
Article for CONNECT | Justin and Karl | Requested 500 words space from Paul 18.07.18. Call with Karl 23.07.18. Main points to hit: the service is coming soon, what the benefits are, who it’s aimed at and who to contact for more details. Could also put the #love2eduroam at the bottom. | DONE | |||
Launch announcement in Tryfon's weekly email when reached | Justin and Tryfon | Silvie will help co-ordinate. | ||||
Twitter #love2eduroam upon launch | Karl | |||||
Promotion via the eduroam-SG, by the service manager | Miro | Miro has let the SG know to expect this. There are meetings in November and December. | ||||
A slide describing the service for the partner relations team (as part of the general GEANT services slide deck) | Karl | DONE | ||||
Decision about the geographical scope of the service offer - who can use the service | Klaas confirmed 10.09.18 that the service can be offered to non-GEANT partners. The user cap of 10,000 will apply to all. | DONE | ||||
11 | PLM Documentation | |||||
CBA update | Marina Adomeit | Marina Adomeit will, after the PLM gate, move the documentation from the JRA3 PLM staging site to the eduroam wiki pages. | ||||
Review other documentation |