
Raven SAML2

[Team | Wilson Team] [Tech Lead | rjg21] [Service Owner | vkhs1] [Service Manager | TBC] [Product Manager | TBC]

This page gives an overview of the Raven SAML2 service, describing its current status, where and how it's developed and deployed, and who is responsible for maintaining it.

Service Description

The Raven service provides a self-service, web-based interactive sign-in service for the University. It has several parts. Raven SAML2 provides a standard SAML 2.0 interface for sites around the University.

There is a dedicated documentation site for Raven including its SAML2 interface.

Service Status

The Raven SAML2 service is currently live. There are no plans to decommission the service as we need to run a SAML2 service to operate within the UK Access Management Federation.

Contact

Technical queries and support should be directed to raven-support@uis.cam.ac.uk and will be picked up by a member of the team working on the service. To ensure that you receive a response, always direct requests to raven-support@uis.cam.ac.uk rather than reaching out to team members directly.

Issues discovered in the service or new feature requests should be opened as GitLab issues in the appropriate project within the Shibboleth group or Raven Infrastructure project (both DevOps only).

Environments

Raven SAML2 is currently deployed to the following environments:

Name         Main Application URL                                     GCP Project
Production   https://shib.raven.cam.ac.uk/                            Raven Core IdP - production
             https://shibboleth.prod.raven-core.gcp.uis.cam.ac.uk/
Staging      https://shib-test.raven.cam.ac.uk/                       Raven Core IdP - staging
             https://shibboleth.test.raven-core.gcp.uis.cam.ac.uk/
Development  https://shibboleth.devel.raven-core.gcp.uis.cam.ac.uk/   Raven Core IdP - development

All environments access a meta project (Raven Core IdP meta) for shared secrets and monitoring.

Tip

Public-facing documentation for testing Raven SAML2 can be found on the UIS webpage.

Notification channel(s) for environments

Environment  Display name                                       Email
Production   Raven core IdP - Wilson DevOps team email channel  devops-wilson@uis.cam.ac.uk
Staging      Raven core IdP - Wilson DevOps team email channel  devops-wilson@uis.cam.ac.uk

Source code

Source code for Raven SAML2 is spread over the following repositories:

Repository                  Description
Shibboleth                  External repository holding the Shibboleth source code itself
IdP Frontend Container [2]  Containerised Apache2 frontend which handles interactive authentication
Shib Idp Container [2]      Containerised Shibboleth
Dev Docker Compose [1]      Docker-compose configuration for local development
Raven Infrastructure [1]    Terraform configuration for infrastructure and deployment
IdP Resolver Test [2]       Testing of attribute release
Shib Usage Stats [2]        Log analysis and stats production

[1] DevOps only

[2] GitLab users only

Technologies used

The following gives an overview of the technologies that Raven SAML2 is built on.

Category        Language                  Framework(s)
Shibboleth IdP  Java, XML and JavaScript  Many
GCP deployment  Terraform

Operational documentation

There is a dedicated operational documentation folder in the infrastructure GitLab project (DevOps only).

How and where the service is deployed

The GCP deployment follows our standard deployment practice for Google Cloud. The exact container versions are specified in the infrastructure deployment, so deployment follows a "gitops" model: changing the pinned version in the infrastructure repository is what rolls out a new release.

The non-production deployments can be used as an alternative to production Raven SAML2 by means of a change to /etc/hosts as documented in the testing page.

Monitoring

The monitoring and alerting system is based on Cloud Monitoring. Alert policies and metrics can be viewed in the Raven Core IdP meta project (DevOps only).

Our standard alerts have been configured:

  • Service uptime check from various geographic regions
  • SSL expiry checks
  • Check for excessive k8s storage volume usage
  • Check for excessive CPU, memory or disk pressure on nodes
  • Check for excessive CPU, memory or storage use by pods

In addition, the GCP deployment has the following monitoring:

  • Check that University and UK Federation metadata sources are correctly imported according to their refresh schedule.
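The metadata-import check above matters because a SAML IdP only trusts the service providers described in metadata it has successfully refreshed; if an aggregate goes stale past its validUntil, sign-in to every SP from that source fails. The following is an added example of the kind of freshness check that bullet describes, written for this page and not taken from the Raven projects or from Shibboleth. The sample aggregate, the entity IDs, the two-day warning window and the function names are all constructed assumptions; a real check would read the aggregate the IdP actually fetched.

```python
"""Added example (not part of the Raven SAML2 page or its projects): a freshness
check for an imported SAML 2.0 metadata aggregate. Names, thresholds and the
sample metadata below are assumptions made for illustration."""
import re
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: a tiny aggregate with two entities, carrying the
# validUntil and cacheDuration attributes that real federation metadata uses.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}"
    Name="urn:example:constructed-federation"
    validUntil="2030-01-08T00:00:00Z" cacheDuration="PT6H">
  <md:EntityDescriptor entityID="https://sp-one.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-two.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Subset of ISO 8601 durations seen in cacheDuration: days, hours, minutes, seconds.
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_iso_duration(text):
    """Convert a cacheDuration value such as 'PT6H' or 'P1DT12H' to a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0))


def parse_saml_datetime(text):
    """SAML dateTime attributes are UTC with a trailing 'Z'."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_metadata_freshness(xml_text, now, last_refreshed=None,
                             warn_before=timedelta(days=2)):
    """Describe whether an imported aggregate is still usable.

    expired:         validUntil has passed, so the IdP will stop trusting its entities.
    expiring_soon:   validUntil is within warn_before; the next refresh must succeed.
    refresh_overdue: the last successful fetch is older than cacheDuration
                     (only evaluated when last_refreshed is supplied).
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        raise ValueError("root element is not md:EntitiesDescriptor")
    valid_until = parse_saml_datetime(root.attrib["validUntil"])
    cache_duration = parse_iso_duration(root.attrib.get("cacheDuration", "PT0S"))
    entities = root.findall(f"{{{MD_NS}}}EntityDescriptor")
    refresh_overdue = (last_refreshed is not None
                       and now - last_refreshed > cache_duration)
    return {
        "entity_count": len(entities),
        "valid_until": valid_until,
        "cache_seconds": int(cache_duration.total_seconds()),
        "expired": now >= valid_until,
        "expiring_soon": valid_until - now <= warn_before,
        "refresh_overdue": refresh_overdue,
    }


if __name__ == "__main__":
    # Stand-alone run against the constructed sample, pretending the last
    # successful refresh was seven hours ago (longer than the PT6H cacheDuration).
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)
    report = check_metadata_freshness(SAMPLE_METADATA, now,
                                      last_refreshed=now - timedelta(hours=7))
    for key, value in report.items():
        print(f"{key:16} {value}")
```

Three conditions are reported separately because they call for different responses: an overdue refresh usually means the upstream source or the IdP's fetch is failing and can be fixed before anyone notices, an aggregate that is expiring soon is the last warning before that failure becomes user-visible, and an expired aggregate is already an outage for every SP it described.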

Debugging

A full environment may be run locally using the Dev Docker Compose project (DevOps only). This allows configuration changes to be debugged locally without affecting any deployed service.

Service Management

The Team responsible for this service is Wilson Team.

The Tech Lead for this service is rjg21.

The Service Owner for this service is vkhs1.

The Service Manager for this service is TBC.

The Product Manager for this service is TBC.

The following engineers have operational experience with this service and are able to respond to support requests or incidents: