
Page Under Construction

This page and its child pages are a work in progress. Albert is working on refactoring the content organization for the FM Roadmap.


In January 2017, InCommon began to plan for a series of much-needed updates to this application, in partnership with talented business analysts, software developers, engineers and project managers at several firms. The work has resulted in the following roadmap.

[Roadmap chart: monthly timeline from October 2018 to October 2021. Lanes: Requirements, Software, Bug Releases, Testing, Tooling. Items shown on the chart:]

Fed Certificate Management

High Level

RA Workflow

SA Workflow

V2.0.0 - RA Layout

V2.1.0 - SA Layout

V3.0.0 - Initial Dashboard

V3.1.0 - Update View Page

V3.3.0 - Certificates (IFMC-362)

3.2.0 SIRTFI Updates

3.2.1 - Refactor / Automate Testing

Seq_7OC - Entity Attribute Handling Overhaul

Seq_IIY - Rework Phase 3 (RA functions - Intake)

Seq_V9U - Rework Phase 3 (RA functions - Other Requestor Functions)

Seq_59S - Automate Domain Control Validation

V3.5.1 - Baseline Expectations - Field Edits

Seq_OKR - Baseline Dashboard for RAs

Seq_N9O - Executive Functions/SA/RAO

Seq_45S - Delegated Metadata Administration Overhaul

Seq_2AK - Rework Phase 1 (RA Functions - Organization/People)

V3.10.0 - Rework RA functions - Metadata Approval

Seq_7B3 - New Update Functions for Site Admins

Seq_9DF - New Add Functions for Site Admins

Seq_Z8N - Adding to_saml method to models

Seq_2GZ - Rework RA functions - Auto-Approve Metadata

V3.11.0 - Reassignment of Metadata

V3.0.1 and V3.0.2 Bug Fixes

V3.2.2 - Bug Release

Rel_3.2.3 - Org Roles Export API Bug

V3.2.4 - Bug Release

V3.3.1 - Bug Release

V3.3.2 - Bug Release

V3.4.0 - Bug Release

V3.4.1 - Bug Release

V3.4.2 - Bug Release

V3.5.1 - Bug Release / Baseline Exp. Release

V3.7.0 - Bug Release

V3.6.0 - Bug / Feature Release

V3.8.0 - Bug Fixes / Feature Release

V3.9.0 Enhancement / Bug Release

Automate Testing / Round 1

Refactor / Round 1

Automate Tests

Seq_3DQ Containerize Development FM

Seq_ODC Containerize Production

Archived Information

[Archived roadmap chart: monthly timeline from April 2017 to October 2018. Lanes: Requirements, Software, Bug Releases, Testing, Tooling. It lists the same items as the roadmap chart above.]


Past Federation Manager Releases




Sequence_Z8N / Theme: Adding to_saml method to models

Phase I

Currently the metadata is constructed through class methods on the Idp/Sp and then completed in a new Entity. This does not allow for previewing metadata until it is submitted for approval.

To add this functionality, a to_saml method should be added to each model that represents a piece of the metadata. This puts the ownership of metadata construction on the model that represents that part of the metadata. Models will also collect the metadata nodes from their nested models (key_info will nest the cert, idp_sso will nest the key_info, etc.).

The following modules will need to be built in a models/concerns/saml/ directory:

      • artifact_resolution_service, assertion_consumer_service, attribute_authority_descriptor, attribute_consuming_service, attribute_service, certificate, contact_person, discovery_response, entity_attribute, idp, idp_sso_descriptor, key_info, organization, requested_attribute, single_logout_service, single_sign_on_service, sp, sp_sso_descriptor, ui_info
      • Each module will supply an insert_saml_nodes! method that can inject the model’s metadata nodes into an XML tree that is passed down through the models. They will share a common method that also allows .to_saml to be called on each model directly, to inspect that portion of the metadata.
      • Each module will have an accompanying spec file that tests that portion of metadata creation. The Idp and Sp files will have additional tests to verify complete metadata creation.

Once complete, these methods will need to be compared against the current method of metadata creation. This will require:

    • A rake task that compares published metadata against the results of calling to_saml on an Idp/Sp
    • A (temporary) RA route that shows the diff between any IdP/Sp metadata generated vs. that on the current entity
    • Documentation on any historical changes that we encounter that we won’t fix
    • Iterative fixes to the metadata construction until we are satisfied with the result
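
The Phase I pattern and the comparison step, as an added example rather than Federation Manager code: a shared module gives each model `to_saml` and `insert_saml_nodes!`, nested models add their nodes to the tree handed down by the parent, and a helper reports differences against published metadata. It uses plain Ruby structs and REXML in place of the Rails models; the `SamlNode` module, the struct names, `flatten_saml`, `metadata_diff` and the sample values are assumptions.

```ruby
require 'rexml/document'

NS = { 'md' => 'urn:oasis:names:tc:SAML:2.0:metadata',
       'ds' => 'http://www.w3.org/2000/09/xmldsig#' }.freeze

# Shared behaviour, standing in for a module under models/concerns/saml/.
module SamlNode
  # Render only this model's nodes; the wrapper root declares the namespaces.
  def to_saml
    root = REXML::Element.new('fragment')
    NS.each { |prefix, uri| root.add_namespace(prefix, uri) }
    insert_saml_nodes!(root)
    root.to_s
  end
end

# Constructed plain-Ruby models (assumed names; the real ones are Rails models).
Certificate = Struct.new(:body) do
  include SamlNode
  def insert_saml_nodes!(parent)
    parent.add_element('ds:X509Data').add_element('ds:X509Certificate').text = body
  end
end

KeyInfo = Struct.new(:use, :certificate) do
  include SamlNode
  def insert_saml_nodes!(parent)
    key = parent.add_element('md:KeyDescriptor', 'use' => use)
    certificate.insert_saml_nodes!(key.add_element('ds:KeyInfo')) # nested model
  end
end

Idp = Struct.new(:entity_id, :key_infos) do
  include SamlNode
  def insert_saml_nodes!(parent)
    entity = parent.add_element('md:EntityDescriptor', 'entityID' => entity_id)
    sso = entity.add_element('md:IDPSSODescriptor')
    key_infos.each { |key_info| key_info.insert_saml_nodes!(sso) }
  end
end

# Flatten a tree to namespace-aware "path[attrs]=text" lines, ignoring whitespace.
def flatten_saml(element, path = '')
  here = "#{path}/{#{element.namespace}}#{element.name}"
  attrs = element.attributes.to_a.reject { |a| a.prefix == 'xmlns' }
                 .map { |a| "#{a.name}=#{a.value}" }.sort.join(',')
  ["#{here}[#{attrs}]=#{element.text.to_s.strip}"] +
    element.elements.to_a.flat_map { |child| flatten_saml(child, here) }
end

# Lines found only in the published metadata or only in the generated preview.
def metadata_diff(published_xml, model)
  published = flatten_saml(REXML::Document.new(published_xml).root)
  generated = flatten_saml(REXML::Document.new(model.to_saml).root.elements[1])
  { only_published: published - generated, only_generated: generated - published }
end

# Constructed sample model with a placeholder certificate value.
SAMPLE_IDP = Idp.new('https://idp.example.edu/idp',
                     [KeyInfo.new('signing', Certificate.new('CONSTRUCTED-CERT-NEW'))])
```

An empty result from `metadata_diff` means the preview matches what is published; any non-empty side is a change that a reviewer, or an auto-approval rule, would need to look at.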

Phase II

Once we are satisfied with the methods, integration can be accomplished in parallel with other features, and the pacing of the roll out can remain flexible. This would include but not be limited to:


  • Using the new method within the “Metadata to Publish” section to show changes while an Idp/Sp is in editing status.
  • Any other UI changes that allow SAs or RAs to take advantage of a more accurate metadata picture during editing
  • Using the metadata diff to assist with determining if metadata can be auto-approved
  • Replacing the current metadata construction with the new process on Entity submission
  • Removing the Idp/Sp and Entity models’ metadata methods
  • Reducing the Entity model until it bears no responsibility for metadata construction


Technical Debt Targeted:

Complexity (1-10, 10 is highest): 5  

Effort (Person-weeks): 6 weeks Dev

Extra Resources Needed: RA training (NOTE: This phase should drive down RA staff time managing roles over time, but has some up-front overhead)

Status: Start early-November 2018  / targeted completion middle of December 2018

Sequence_2GZ / Theme: Rework RA functions - Auto-Approve Metadata

 Federation Manager Sequence_1KJ - Rework RA functions - Auto-Approve Metadata:

    • Provide new metadata approval process: 
      • Automatic Approval for Metadata
      • Metadata changes not needing review
      • Metadata changes for Steward

Technical Debt Targeted:

Complexity (1-10, 10 is highest): 5  

Effort (Person-weeks): 5  / 8 weeks Dev

Extra Resources Needed: RA training (NOTE: This phase should drive down RA staff time managing roles over time, but has some up-front overhead)

Status: Start end of December 2018  / targeted completion end of February 2019

************************************


Sequence_7OC   / Theme: Entity Attribute Handling Overhaul   Implementation Requirements:  Entity Attributes

       Federation Manager Sequence_7OC - Entity Attribute Handling Overhaul (SA self-service, RA assert any RA-controlled value without asking SA to resubmit metadata)

Technical Debt Targeted:

    • Update Rails to v5.x and resolve any resulting dependency issues.

Complexity: (1-10, 10 is highest): 6

Effort: (Person-weeks): 9 weeks (~11 weeks clock time, including vacation time and holiday)

Resources: 80 hours BA, 20 hours business process owner, 4-9 weeks development, 1-week testing

Status: Start beginning of March 2019 / targeted completion middle of May 2019

Supports Project: Baseline Expectations, general community requests, and improved customer service

Note: THIS FEATURE REQUIRES that we have automated metadata approval and hard edits for baseline expectations in place.

Note: JG / Would like more information / Refactoring the state-machine needed for some of these requirements

************************

Notes on current state:

Have done quite a bit of work across these sets of deliverables

Have CI, but not CD. Reason: Issues with Shibboleth SP in containers. Most expedient thing would be to go with a vanilla approach - vanilla Ruby on Rails app. There were enough integration issues with the app that focusing on that helped us do CI. Now we need to integrate Shibboleth or something - some kind of SP. Nothing really right fit out there. So Shibboleth is as good a foundation as anything else. MDQ makes this a lot easier - then we don't have to worry about the memory footprint and startup time for the SP. Need prod MDQ. Enhancements in SP 3 also give us more options that will likely help.


Guesstimate: 2 solid weeks of uninterrupted time for test. Production move would be less. Two weeks for prod. One complication with production is moving the signing process along with the prod FM, or decoupling those things and transporting metadata back to on-prem to sign, as well as all the subsidiary processes such as production of the JSON feed that feeds the all-entities / all-orgs beta pages, and the eduGAIN export.


Next step: We will want to change the hostname for the Federation Manager as part of the production move: fm.incommon.org, no /siteadmin. Could make that change any time and point it at the current on-premises service. Can ask TSG to put a long-lived redirect on service1.internet2.edu as well.

Sequence_3DQ  / Theme:  Docker container in AWS (test/acceptance)

Federation Manager Sequence_3DQ - Running in a Docker container in AWS (test/acceptance)

Technical Debt Targeted:

Complexity: (1-10, 10 is highest): 3

Effort: (Person-weeks): ~4-5 weeks clock time

Resources: 85 hours DevOps

Status: Start mid-November/end late-December 2018

Supports Project: InCommon DevOps Scaling

************************


Sequence_ODC  / Theme: Docker Container Production

Federation Manager Sequence_ODC - Running in a Docker container in AWS (production)

Technical Debt Targeted:

Complexity: (1-10, 10 is highest): 7

Effort: (Person-weeks): ~4-5 weeks clock time

Resources: 85 hours DevOps

Status: Start early-January/end mid-February 2019

Supports Project: InCommon DevOps Scaling

Note: This is more complex than the test containerized version(s) because we have to plumb metadata signing and distribution out from the new environment

************************


Sequence_7B3 / Theme: New Update Functions for Site Admins  Implementation Requirements:  Update IdP and SP

Federation Manager Sequence_7B3 - New Update Functions for Site Admins (Provides a new update process and associated update pages for IdP/SP to simplify the update process for SAs)

Technical Debt Targeted:

Complexity: (1-10, 10 is highest): 6

Effort: (Person-weeks): 8 weeks (~10 weeks clock time, including vacation time and holiday)

Resources: 80 hours BA, 20 hours business process owner, 5-7 weeks development, 1-week testing

Status: Start during the end of May 2019 / targeted completion end of July 2019

Supports Project: Improved and simplified SA functionality

Sequence_9DF / Theme: New Add Functions for Site Admins  Implementation Requirements:  Add Identity Provider  Add Service Provider

Federation Manager Sequence_7DF - New Add Functions for Site Admins (Provides a new wireframe process for adding new IdP/SP information to provide a more directed add approach for the SAs)

Technical Debt Targeted:

Complexity: (1-10, 10 is highest): 6

Effort: (Person-weeks): 10 weeks (~12 weeks clock time, including vacation time and holiday)

Resources: 80 hours BA, 20 hours business process owner, 5-7 weeks development, 1-week testing

Status: Start during the beginning of August 2019 / targeted completion middle of October 2019

Supports Project: Improved and simplified SA functionality

Sequence_OKR / Theme: Baseline Expectations - SA Dashboard  Implementation Requirements:  Baseline Expectations - Dashboard

Federation Manager Sequence_OKR - Define and implement an additional tab on the SA Dashboard for Baseline Expectations to show current status for meeting the expectations as defined in: Implementing Baseline Expectations in InCommon Metadata 

Technical Debt Targeted:

Complexity: (1-10, 10 is highest): 6

Effort: (Person-weeks): 4 weeks (~3 weeks clock time, including vacation time and holiday)

Resources: 20 hours BA, 10 hours business process owner, 10 hours designer, 2 weeks development, 1-week testing

Status: Start during the end of October 2019 / targeted completion end of November 2019

Supports Project: Baseline Expectations

Sequence_N9O   / Theme: Executive Functions/SA/RAO  Implementation Requirements:  New Executive Functions

  Federation Manager Sequence_N9O - Provide the following functions for Executive/SA/RAO modifications:  

    • Executive Portal providing the executive the ability to:
      • Add, Update and Deactivate SAs and RAOs
      • Modify Executive data including title, email, and phone
    • Executive Update providing the RA the ability to:
      • Replace a current Executive
      • Modify email and/or phone for the Executive
      • Deactivate an Executive

Technical Debt Targeted :

Complexity (1-10, 10 is highest): 7

Effort (Person-weeks): 16 / 8 Dev weeks  (~11 weeks clock time, including vacation time and holiday)

Extra Resources Needed: A message delivery system for emails and SMS messages, set up by T&I DevOps, Community vetting, communications campaign/webinar, RA staff time to transition to new business processes and work with customers (NOTE: This phase should drive down RA staff time managing roles over time, but has some up-front overhead)

Status: Start during the beginning of December 2019 / targeted completion middle of February 2020

Supports Project: Baseline Expectations

Rework RA Functions

The development work for the redesign and development of the updated RA administration function will consist of the following 5 development phases:

  • Phase 1 - Organization/People - Implements the search and display for the organization and people information
  • Phase 2 - Intake - Implements simplification of the intake process for the RA.
  • Phase 3 - Other Requestor Functions - Implements the addition of requests from external users in the Federation Manager.  This will provide action item notification on the RA Dashboard and integrated web pages to replace the current smart forms.


Sequence_2AK  /  Theme: Rework Phase 1 (RA functions - Organization Details)  Implementation Requirements:  Organization

Federation Manager Sequence_2AK - Rework Phase 1 (RA functions - Organization/People):

    • Provide the new look and feel for the SA Admin application: 
      • Organization Details
      • All sections included on the organization details page and any additional pages displayed on this page

Technical Debt Targeted :

Complexity (1-10, 10 is highest): 3  

Effort (Person-weeks): 7 / 8-10 weeks Dev

Extra Resources Needed: RA training (NOTE: This phase should drive down RA staff time managing roles over time, but has some up-front overhead)  

Status: Start during the end of February 2020 / targeted completion during the middle of May 2020

Sequence_IIY  / Theme: Rework Phase 2 (RA functions - Intake)   Implementation Requirements:  Intake  – NOTE: Nick to review with Ann West to see if this needs to get moved up

Federation Manager Sequence_IIY - Rework Phase 3 RA functions - Intake: 

    • Provide the functionality to support the newly defined intake process
      • Organization creation
      • New executive review
      • Executive creation
    • Implement the executive vetting list for the RA Homepage
    • Implement the external request functionality for executive changes 

Technical Debt Targeted :

Complexity (1-10, 10 is highest): 4  

Effort (Person-weeks): 5 / 8-12 Weeks Dev

Extra Resources Needed: RA training (NOTE: This phase should drive down RA staff time managing roles over time, but has some up-front overhead) 

Status: Start during the end of May 2020 / targeted completion during the end of August 2020

Sequence_V9U  / Theme: Rework Phase 3 (RA functions - Other Requestor Functions)  Implementation Requirements:  External Change Requests

Federation Manager Sequence_V9U - Rework Phase 2 RA functions - Other Requestor Functions: 

    • The following functions will be implemented to allow external requests to be made and have notification provided on the RA Dashboard
      • Site Administrator Changes
      • Registration Authority Officer Changes
      • Organization Termination
    • New web pages will be added for these functions
    • Current smart sheet functions will be replaced with web pages
    • Action Item List will be added to the RA Dashboard
    • Notifications for each change requested will be provided in the Action Item Section

Technical Debt Targeted :

Complexity (1-10, 10 is highest): 4  

Effort (Person-weeks): 6-7  / 8-10 weeks Dev

Extra Resources Needed: RA training (NOTE: This phase should drive down RA staff time managing roles over time, but has some up-front overhead)  

Status: Start during the beginning of September 2020 / targeted completion during the middle of November 2020

Follow-On Work

Sequence_45S  /  Theme: Delegated Metadata Administration Overhaul (Must wait until FM is behind I2 Collab Platform)

Federation Manager Sequence_45S - Delegated Metadata Administration Overhaul.

Change Delegated Admin to Include:

    • Self-provisioning by delegated administrators
    • The ability for delegated administrators to administer both Identity Provider and Service Provider metadata
    • Remove delegated administrator provisioning/assignment by the SAs
    • Provide a dashboard for delegated administrators displaying Identity Provider and Service Provider lists

Technical Debt Targeted:

Complexity (1-10, 10 is highest): 7

Effort (Person-weeks): 6-7 / 8 Weeks Dev  (~10 weeks clock time, including vacation time and holiday)

Extra Resources Needed: Community vetting, communications campaign/webinar

Status: Start during the end of November 2020 / targeted completion during the end of January 2021

Supports Project: Baseline Expectations, Steward Program, general community requests and improved customer service


Sequence_59S / Theme: Automate Domain Control Validation

Federation Manager Sequence_59S - Automate Domain Control Validation (DCV) for entityIDs and scopes

Technical Debt Targeted:

Complexity: (1-10, 10 is highest): 5

Effort: (Person-weeks): 9 weeks (~11 weeks clock time, including vacation time and holiday)

Resources: 60 hours BA, 20 hours business process owner, 20 hours designer, 5 weeks DevOps, 4 weeks development, 1-week testing

Status: Start during the beginning of February 2021 / targeted completion during the middle of April 2021

Supports Project: general community requests and improved customer service

Note: need additional input from developers
