IAM Online - Shared screen with speaker view
Dave Shafer
13:36
*waves* Welcome everyone!
Dave Shafer
24:01
You should be seeing slide 12 now.
Dean Woodbeck
24:47
Ah - you are seeing Nick’s avatar. Not sure why that happened
Janemarie Duh
25:17
I’ve been seeing the slide.
Scott Cantor
27:16
By HSM you presumably mean AWS' web service into an HSM, not an actual hardware solution?
Nick Roy
28:18
Correct, AWS CloudHSM, which is actually a real hardware HSM that was designed to support multiple tenants.
Scott Cantor
28:55
right, but the security of it is basically some other security layer over a REST call, which I have yet to fully grok beyond a lot of hand waving about its wonderfulness
Nick Roy
29:33
The middleware is actually a Cavium-supplied library that can interface with the JCE/etc.
Nick Roy
29:53
Ian wrote an extension for us to the Shibboleth MDA that interacts with that Cavium library.
Nick Roy
30:00
Could be REST or something else.
Nick Roy
30:21
The setup of this HSM is very non-AWS-y.
Scott Cantor
31:03
plus it's offline signing, which I had forgotten
Nick Roy
31:13
Yep
Dean Woodbeck
31:27
I’ll post these slides at incommon.org/iamonline after the session. Unfortunately, I can’t connect with the web server right now.
John Morton
34:20
Is your ECS container running on EC2 or Fargate?
Nick Roy
35:00
Thanks for the question John, I will ask Dave to answer after Shannon finishes.
Dave Shafer
36:33
We’ve been using Fargate, which I really like. There are still a few questions we’re working on answering before committing to Fargate for the final production service. If necessary, we’ll bring up EC2 instances in the ECS cluster.
gettes@ufl.edu
39:49
All people with the shards will report to the same person/people?
Nick Roy
40:34
I'll tee this up with Shannon after he's finished, thank you for the question, Michael.
Nick Roy
40:53
I'll go through the questions here at the end and we'll answer verbally so that everyone can hear
John Morton
42:38
The underlying hardware is single tenant
John Morton
42:53
From what I understand
Jerry Shipman (Cornell Identity Management)
42:59
Can we talk about what the process of deciding what I want my per-entity aggregate to contain looks like? Like from the user side? Do I give a whitelist, or a blacklist, or a combination, or what? or is it something different than that? Or is it documented somewhere that I should have read before asking? ha
gettes@ufl.edu
43:25
Maybe I missed it - but I am not seeing how this overall architecture supports the running of Campus level MDQ. Will this be addressed?
Jerry Shipman (Cornell Identity Management)
46:43
yep - thank you
Dan Schwartz (Lehigh)
47:27
Will the shards have redundancy, in case one site is corrupted?
John Morton
47:59
Thank you for your Fargate answers. You’ve probably already seen, but Fargate seems to have checked off a lot of the compliance regimes as other AWS services: https://aws.amazon.com/about-aws/whats-new/2018/03/aws-fargate-supports-container-workloads-regulated-by-iso-pci-soc-and-hipaa/
Paul Fardy
49:29
Does MDQ within InCommon affect interfed/international metadata flow?
Dean Woodbeck
50:22
I’ll put in an early plug - please take a couple of minutes to complete a quick evaluation of today’s session. https://www.surveymonkey.com/r/IAMOnline-Jan2019
gettes@ufl.edu
50:32
So you could distribute the shards outside of Internet2 staff to have resiliency to mgmt issues of obtaining a quorum. This could address the “do this or you’re fired” issues, yes?
Shannon Roddy
51:54
We could. Happy to entertain discussion on the shard custodians.
Tom Barton
53:30
To be clear, will non-InCommon entities in eduGAIN also be available through the new MDQ service? I.e., an entity does not need to go here for InC entities and elsewhere for non-InC entities?
Tom Barton
54:44
Thank you very much!
Maurice Willoughby
55:11
Can we get a copy of this deck?
Ann West
55:25
Yes, it will be on the IAM Online site.
Ann West
56:05
Thanks for joining folks!!
Qiang (Chang) Cao
56:09
Thank you!