TIER Reference Implementations are designed to enable rapid evaluation of a component or set of interconnected components and provide a starting point for a full campus deployment.  Reference Implementations are developed for Docker Swarm but dependencies are minimized within the containers in order to facilitate the use of other container orchestration mechanisms.

A production deployment of COmanage that is designed to support a large-scale virtual organization typically consists of (a) a web server running the application itself, (b) the application's database, (c) LDAP infrastructure, and (d) a SAML IdP/SP proxy. Many other environments are possible. Of these elements, LDAP and the SAML proxy are typically operated in high availability mode since they are usually directly involved in most authorization flows. COmanage itself is generally operated in standard availability mode since enrollment flows and organization management activities rarely need to be highly available. The database needs backups but not high availability.

  1. Logistics
    1. Leverage the Docker container provided by the COmanage team
      1. https://github.com/Internet2/comanage-registry-docker
      2. Includes
        1. Basic application on apache web server
        2. Shibboleth Service Provider
      3. Note for the initial build: export COMANAGE_REGISTRY_VERSION=3.0.0-rc1
      4. Pre-built containers on Docker Hub - https://hub.docker.com/r/sphericalcowgroup/comanage-registry/ and https://hub.docker.com/r/sphericalcowgroup/comanage-registry-slapd/
        1. Initial version to use the Release Candidate image: sphericalcowgroup/comanage-registry:3.0.0-rc1-shibboleth-sp
        2. See https://github.com/Internet2/comanage-registry-docker/blob/master/docs/advanced-configuration.md for configuration options, examples, defaults, etc.
    2. Database – MariaDB
      1. We use the “TIER” MariaDB container.
      2. This database is suitable for evaluation and prototyping purposes but no attempt has been made to configure it for production services.
    3. LDAP
      1. OpenLDAP
      2. Either the TIER OpenLDAP or COmanage OpenLDAP container will work
      3. The COmanage LDAP includes eduPerson and openssh-lpk.ldif (as does a version of the TIER LDAP)
    4. IdP/SP SAML Proxy
      1. SATOSA
    5. Logging
      1. All logs will be sent to stdout using the TIER container logging definition.
  2. High Availability
    1. This would typically be implemented for the SAML proxy and LDAP only.
      1. OpenLDAP (master/slave)
      2. Two SATOSA containers
    2. We do not presently implement high availability in Reference Implementations.
  3. Post Install
    1. Users should view the COmanage documentation for initial steps after the startup of the system.
  4. Configuration and demonstration tools provided in this implementation
    1. COmanage will use the LDAP provisioner
    2. Mediawiki will be bundled as a demonstration application through the SATOSA proxy
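The topology described above (application container, database, LDAP, SATOSA proxy, logs to stdout) expressed as a Docker Swarm stack file. This is an added illustration, not the Reference Implementation's own stack file or anything from the comanage-registry-docker project. Only the registry image name and tag and the COMANAGE_REGISTRY_VERSION note come from this page; the image tags marked PLACEHOLDER, the service, network and secret names, and every other COMANAGE_REGISTRY_* variable are assumptions that must be checked against the advanced-configuration document linked above.

```yaml
# Added example: Swarm stack for the COmanage topology on this page.
# Not the project's own file. PLACEHOLDER tags, network/secret names and all
# COMANAGE_REGISTRY_* variables except COMANAGE_REGISTRY_VERSION are assumptions.
version: "3.7"

services:
  comanage-registry:
    # Pre-built Release Candidate image named on this page (Shibboleth SP flavour).
    image: sphericalcowgroup/comanage-registry:3.0.0-rc1-shibboleth-sp
    environment:
      # Assumed variable names; verify in advanced-configuration.md.
      COMANAGE_REGISTRY_DATASOURCE: Database/Mysql
      COMANAGE_REGISTRY_DATABASE_HOST: comanage-db
      COMANAGE_REGISTRY_DATABASE: registry
      COMANAGE_REGISTRY_DATABASE_USER: registry_user
      # A *_FILE variant (assumed) reads the secret from disk, so the password is
      # never part of the service definition or visible in `docker service inspect`.
      COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    networks:
      - frontend   # reached through the SATOSA proxy / ingress
      - backend    # database and LDAP traffic only
    deploy:
      replicas: 1  # standard availability, as the page states for the application
    logging:
      driver: json-file   # container writes to stdout; the driver collects it

  comanage-db:
    # The page uses the TIER MariaDB container; its exact name/tag and
    # initialisation variables depend on that image (placeholder here).
    image: tier/mariadb:PLACEHOLDER
    volumes:
      - db_data:/var/lib/mysql   # persistent data; back this volume up
    networks:
      - backend                  # never attached to the frontend network
    deploy:
      replicas: 1                # backups, not HA, per the page

  ldap:
    # COmanage slapd image from the Docker Hub link on this page (tag assumed).
    image: sphericalcowgroup/comanage-registry-slapd:PLACEHOLDER
    volumes:
      - ldap_data:/var/lib/ldap
    networks:
      - backend
    deploy:
      replicas: 1   # an HA deployment would add a master/slave pair instead

  satosa:
    # SAML IdP/SP proxy; image and tag are placeholders.
    image: satosa:PLACEHOLDER
    networks:
      - frontend
    deploy:
      replicas: 1   # the page's HA variant runs two SATOSA containers

secrets:
  db_password:
    external: true   # created out of band: docker secret create db_password -

volumes:
  db_data:
  ldap_data:

networks:
  frontend:
  backend:
    internal: true   # no route to the outside; only services on it can talk to DB/LDAP
```

Deploy with `docker stack deploy -c stack.yml comanage` after creating the `db_password` secret. If the registry image is built locally from the GitHub repository instead of pulled, set `export COMANAGE_REGISTRY_VERSION=3.0.0-rc1` first, as the logistics note above says. Keeping the database and LDAP on an `internal: true` overlay network is what limits their exposure to the application and proxy containers that actually need them.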