
Provide some context for the transition: what is in place now, and what the rough timeline for the service is (for example, reach the pilot by time a, run the pilot for period p and, based on the results, run the service in production by time c). Give some view of what happens to the technical infrastructure through this, i.e. the installation will remain ... Example from the Managed IdP transition below:

Relation to pilot


Accounts created in the pilot installation remain valid until their expiry or 01 Dec 2018, whichever comes first (01 Dec 2018 is the expiry date of the pilot intermediate CA).

For the RADIUS authentication of these pilot-phase accounts, there are two options:

  • keep the Okeanos-based RADIUS servers running until 01 Dec 2018 (preferred option)
  • add the pilot-phase Client Root CA and Client Intermediate CA as trusted on the production servers, so they can authenticate the pilot users.

We have to keep the management UI and the OCSP responder online until 01 Dec 2018 so that activities such as revocation are still possible.

However, pilot-phase IdP administrators should not create new accounts on the pilot system when the production one is available.

The transition generally consists of the following areas of work:


Define the people involved:

Teams/people:

  • Service Owner and member of the Technical Steering Committee: Christos Kanellopoulos
  • Member of the Governance Steering Committee: Klaas Wierenga
  • Lead Architect and member of the Technical Steering Committee: Leif Johansson
  • Development team: Leif Johansson, Fresia Perez Arriagada, Elena Rakhimova
  • Operations team: Erik Bergström, Maria Haide (Sunet)
  • GEANT T&I operation support/Core team: Nicole Harris
  • PLM product manager: not applicable at the moment, this being a joint effort between GN4-3/GEANT, Internet2 and the RA21 initiative.
  • Test team: ? WP9 - Marcin Wolski (ask what testing can be done)
  • IPR: Magdalena Rzaca
  • GDPR: Magdalena Rzaca, GEANT GDPR team

Status legend: ON HOLD | IN PROGRESS | DONE

Columns: No | Work item | Responsible | Comment | Status | Start date | End date
eduroam Managed IdP

1. Preparation of documentation
Service Description

-Development team prepares

-SO signs off

RA21 Discovery Service Description



Service policy (Terms of use, SLA)

-Development team prepares

-SO signs off

Separate policies for NROs, eduroam Managed IdP administrators and end users are described at:

Terms of use for NRO admins are published at:

Terms of use for IdPs and end users are presented in the web UI of the service, and also at:

These are out of scope for the service delivered by GEANT. It is the responsibility of seamlessaccess.org.

The SLA should be defined between seamlessaccess.org and GEANT.


Branding and Visibility

-Development team prepares

-SO signs off

Web page text at https://www.eduroam.org/eduroam-managed-idp/

This is probably not relevant to the part of the service delivered by GEANT. It is the responsibility of seamlessaccess.org.



Operational Requirements

-Development team prepares

-SO signs off

RA21 Discovery Operational Requirements

OLA

-Development team prepares

-SO and GEANT T&I operation support/Core team sign off

eduroam Managed IdP OLA

RA21 Discovery Operational Level Agreements (OLA)

This is between SUNET and GEANT



Operational documentation

-Development team prepares

-SO signs off

Dev team prepared this in the corresponding Wiki page.

RA21 Discovery Operational Documentation

Operational processes

-Development team prepares

-SO signs off

Need to define: service order (what happens from the point of interest to service availability for a customer) and the support process. Marina sent the questionnaire prepared by Task 4 to Stefan to provide the information, and Task 4 can then draw the flow charts.

The questionnaire is here.

Not required for production sign-off.

User documentation

-Development team prepares

-SO signs off

A guide to eduroam Managed IdP for federation administrators was created in the eduroam wiki (common to eduroam CAT and eduroam Managed IdP as their NRO-level appearance is nearly identical)

A guide to eduroam Managed IdP for institution administrators is to be created in the eduroam wiki (similar to the one for CAT).

A guide for the end users is not needed, it is embedded in the GUI.

User support

-Development team prepares

-SO signs off

Prepare the FAQ for first-level support. The list is available here. Add these entries to the current FAQ that the service desk uses, and enable the service desk to check by themselves whether a user's IdP is an eduroam Managed IdP.

RA21 Discovery Operational Processes

Change management, Incident response, ...



User documentation

Who is responsible for this?




User support

Who is responsible for this? 




GDPR - data inventory, privacy notice, DPA

-Development team prepares (GDPR team + SO + technical architect)

-GDPR accountable and SO sign off

SM eduroam Privacy Notices - Changes for Managed IdP

The main eduroam privacy notice was updated.

Signed off by the GDPR team on 26th of November 2018. Needs to be published in the eduroam site after the official launch.

DPA will be done together with the eduroam service DPA.

Pen testing done - no critical issues.

We should clarify the roles regarding the GDPR. We think that GEANT and SUNET are data controllers, and then probably no DPA is needed. CDNs are data processors. But we would still need to provide the privacy notice.


2. Test and validation



Make a test plan

Development team and Test team prepare

Testing of the code was done when the new version, CAT v2.0, was tested, as both use the same code base - no critical issues.

The testing of the UI and usability was also done. There are no bugs, recommendations for UI improvements were implemented by the Development team.

Talk to Marcin and understand the requirements for testing first


3. IPR compliance checking



IPR compliance

IPR accountable + SO + technical architect 

Route the request through GEANT T&I operation support/Core team

Stefan Winter prepared the IPR request (what are the software components, libraries, tools used) on this page.

Alan confirmed Shaun has approved on 06.11.18

Documentation: eduroam Managed IdP - IPR

To whom does the IPR belong? Needs discussion.


4. GDPR compliance checking (GDPR accountable)


Data inventory and mapping
Data inventory is already prepared; with Nicole and Ana to carry out assessment

-GDPR team +SO + technical architect

-GDPR accountable and SO signs off




Privacy notice and DPA

-GDPR team +SO + technical architect

-GDPR accountable and SO signs off

Update the privacy notice and DPA. See item 1 - GDPR.



5. Operational team establishment



Appoint service owner

WP5 leaders

It comes under the eduroam service family and existing service manager.

(Miroslav Milinović)

Done. The service owner is responsible for service as delivered via GEANT project.

Define roles, skills, manpower needed

Development team

As per the current team for the skills, but additional time would be needed.

We need to check this with seamlessaccess.org, but if we deliver a service then it is our internal matter.

Appoint operational team members

Service Owner

Done


6. Operational team training



Training the operational team


Not needed.

7. Support team establishment



Establish the support team

Level 1 done by the GEANT Service Desk, L2 will be over the eduroam-ot, L3 will be via the development team

Note: after the PLM production gate is passed, the SM is to notify L1 that the service is in production.

We need to understand who provides support


8. Support team training



Training of the support team

Not needed.

We need to understand who provides support

9. Deployment in production environment



Monitoring set up

Operations team, based on the requirements from the development team, technical lead and SO; SO signs off when implemented

Provided by SRCE as part of the eduroam-OT




Back-up and restore

Operations team, based on the requirements from the development team, technical lead and SO; SO signs off when implemented

VM provision

VM snapshots are backed up by GEANT IT as defined in the GÉANT PoP Backup policy.

Daily database snapshots are additionally kept at monitor.eduroam.org host.

Perform a smoke test of the restore process as a whole. The idea is to take a machine down and ask GEANT IT to restore it.

Dick Visser is leading. The OCSP machine is the best candidate.




VMs

Operations team, based on the requirements from the development team, technical lead and SO; SO signs off when implemented

GEANT IT VMs

Installation of the components

One PoP is provided by SUNET.

Second PoP will be deployed on AWS, in two different regions. 



Deployment

Operations team, based on the requirements from the development team, technical lead and SO; SO signs off when implemented

Stefan, Tomasz, Maja

SMS service has been ordered and awaiting payment of bank transfer by GÉANT.




CDN

?

GEANT T&I operation support/Core team: can organise the root CA creation ceremony and the safe offline storage of the Raspberry Pi (in a safe).

Dick Visser will see if there is a safe in the GEANT AMS office. If not, SA2 can purchase one.

The eduroam IdP Operational Processes page gives details on setting up the CA.

?


10. Service Promotion

Web site update

Karl and Justin

Prepare all in the eduroam PR site, but publish when the production gate is passed. Web page draft at https://www.eduroam.org/eduroam-managed-idp/

Marina Adomeit, Miro and Karl prepared the final version only waiting to be published.

Add the service to the partner services portfolio

Justin

Added to the partner portal. In staging area ready to go live when service goes into production.

Contact the people/NRENs who took part in the infoshare to update them on service availability

Partner Relations

Two communications:

First to the participants who joined the infoshare to say that the gate is passed and service is coming

Second upon launch to the GEANT partner list.

Update eduroam flyer with the managed service element

Silvie

Slide deck from the infoshares that can be sent out by Partner Relations to partner NRENs when the service is live

Justin

Available




NA, responsibility of the seamless access


Training/info video to put on the website

Karl

Lower priority; not needed for production.

Article for CONNECT

Justin and Karl

Went into October CONNECT

Launch announcement in Tryfon's weekly email when reached

Justin and Tryfon

Arranged with Karl and Nathalie 10.12.18. Karl will prepare text, Marina to confirm when gate approved.

Twitter #love2eduroam upon launch

Karl

Not required for production gate.

Promotion via the eduroam-SG, by the service manager

Miro

Miro has let the SG know to expect this. There are meetings in November and December.

A slide describing the service for the partner relations team (as part of the general GEANT services slide deck)

Karl

Decision about the geographical scope of the service offer - who can use the service

Klaas

Klaas confirmed 10.09.18 that the service can be offered to non-GEANT partners. The user cap of 10,000 will apply to all.

11. PLM Documentation

TBD if applicable

CBA update

Costs and funding excel

Roadmap

Justin Knight

CBA, costs and funding sheet, and roadmap all updated and put on JRA3 PLM staging site. Alan Lewis has reviewed and is content.

JRA3 PLM Staging Area#emidp-production-gate-documents

Marina Adomeit will, after the PLM gate, move the documentation from the JRA3 PLM staging site to the eduroam wiki pages.