InCommon TAC Meeting Minutes - Sept. 17, 2015

Attending: David Walker, Tom Barton, Steve Carmody, Ian Young, Michael Gettes, Jim Jokl, Chris Misra, Scott Cantor

With: Nick Roy, Ann West, Dean Woodbeck, Tom Scavo, IJ Kim, Steve Zoppi

Action Items

(AI) Tom Scavo will draft a note to the ops and participants lists and recommend that Shib IdP deployers configure at least 1GB of heap in the JVM.

(AI) TAC is asked to provide feedback on the draft charter for the Containerization/Ease of Deployment Working Group and ensure that it meets the needs of the federation.

(AI) Tom Barton will sketch some comments about how to approach the proposed draft TAC charter.

Minutes from September 3, 2015 are approved

Let’s Encrypt

This is a service that provides free short-lived server certs. How will such a service impact the InCommon Certificate Service? What is the value of the InCommon service when considered alongside this free service? A main benefit of the InCommon service is the enterprise-wide implementation and control available. Many schools (at least larger ones) routinely pay more for a service that provides such enterprise-level benefits. We should also consider how this might impact smaller schools that join InCommon only for the certificates.

REFEDS Entity Category Consultation: Academia

The consultation period for this entity category ends September 23. There was discussion whether TAC should offer a coordinated response. The consensus is that the category definition has become somewhat narrow and would likely not meet InCommon’s needs. There doesn’t seem to be a need for a TAC coordinated response. Nick Roy will contact Nicole about next steps for this category after the consultation period ends.

Shibboleth IdP Memory Issue

Tom Scavo summarized reports of Shibboleth IdP metadata refresh failures that seem to be related to the size of the aggregate. Scott Cantor has confirmed that the IdP's metadata refresh process works correctly as long as sufficient heap space is allocated to the JVM. Insufficient heap can lead to a failed metadata refresh process, and moreover, the process will fail silently (unless DEBUG level logging is enabled, or a specific log category tuned for this message is enabled). The logging issue has been fixed and is scheduled for release in IdP V3.2.

The logging categories that reveal the out of memory error on DEBUG in V2 and V3 are org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider and org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver respectively. Deployers are advised to enable these logging categories on production servers.

Scott's testing indicates that at least 1GB of heap will be required when InCommon starts importing eduGAIN metadata. (AI) Tom Scavo will draft a note to the ops and participants lists and recommend that Shib IdP deployers configure at least 1GB of heap in the JVM. The Shibboleth development team will also discuss the possibility of some kind of announcement to make people aware they may be running into some issues as the files get larger, and to document a log category for this DEBUG level log entry so that it can get individually enabled.

This is also a reason to push harder on deploying per-entity metadata.
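The two deployer recommendations above (at least 1GB of heap, and the reloading-metadata logging category at DEBUG) can be checked mechanically. The following is an added example, not part of these minutes or of the Shibboleth software; it assumes the JVM options are available as one string and that logging is configured in a logback-style XML file, and the function names and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MIN_HEAP = 1024 ** 3  # 1 GB, the minimum heap recommended in the minutes
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
CATEGORIES = {  # logging categories named in the minutes, per IdP version
    "V2": "org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider",
    "V3": "org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver",
}

def max_heap_bytes(jvm_opts):
    """Return the -Xmx value in bytes, or None if the option is absent."""
    found = re.findall(r"(?:^|\s)-Xmx(\d+)([kKmMgG]?)(?=\s|$)", jvm_opts)
    if not found:
        return None
    number, unit = found[-1]  # assumption: the last -Xmx on the line wins
    return int(number) * UNITS[unit.lower()]

def category_visible_at_debug(logback_xml, category):
    """True if the category, or its nearest configured ancestor, is DEBUG or finer."""
    levels = {el.get("name"): (el.get("level") or "").upper()
              for el in ET.fromstring(logback_xml).iter("logger")}
    name = category
    while name:
        if levels.get(name):
            return levels[name] in ("DEBUG", "TRACE", "ALL")
        name = name.rpartition(".")[0]  # walk up the logger hierarchy
    return False  # assumption: the root logger is set above DEBUG

def audit(jvm_opts, logback_xml, version):
    findings = []
    heap = max_heap_bytes(jvm_opts)
    if heap is None:
        findings.append("no -Xmx set: heap size is left to the JVM default")
    elif heap < MIN_HEAP:
        findings.append("-Xmx is %d MB, below 1 GB" % (heap // 1024 ** 2))
    if not category_visible_at_debug(logback_xml, CATEGORIES[version]):
        findings.append("refresh failure would be silent: %s not at DEBUG" % CATEGORIES[version])
    return findings

# Constructed sample inputs (not taken from any real deployment)
SAMPLE_OPTS = "-server -Xms256m -Xmx512m"
SAMPLE_LOGBACK = """<configuration>
  <logger name="net.shibboleth.idp" level="INFO"/>
  <logger name="org.opensaml.saml" level="WARN"/>
</configuration>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_OPTS, SAMPLE_LOGBACK, "V3"):
        print(finding)
```

With the constructed sample, both checks report a finding: the heap is 512 MB, and the WARN level set on the parent logger hides the DEBUG message from the V3 category.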

Containerization/Ease of Deployment Working Group

Jim Jokl has developed a draft charter for a working group, likely housed under TIER, to address the problems related to the complexity of deploying and operating a campus Shibboleth environment. One solution may be developing a set of pre-configured containerized, virtualized, and/or cloud software distributions that are curated for longer-term support.

This charter focuses on Shib, but Grouper and other software are in scope for TIER, as well, and may require a similar approach. (AI) TAC is asked to provide feedback on the draft charter and ensure that it meets the needs of the federation.

Proposed TAC Charter

There was a brief discussion of the draft TAC charter that is available for comment. Given the lack of time on this call, the next TAC call will include a high-level discussion of the concepts to be included in the charter. (AI) Tom Barton will sketch some comments about how to approach this.

TAC F2F

The TAC face-to-face is Wednesday, Oct. 7, at TechEx. A draft agenda is available and TAC members are encouraged to add items.

Next Meetings

Thursday, Oct. 1 - 1 pm ET - regular call

Wednesday, Oct. 7 - 12:30 pm - 2:30 pm @ TechEx
