Raven SAML2¶
[Team | Wilson Team] [Tech Lead | rjg21] [Service Owner | vkhs1] [Service Manager | TBC] [Product Manager | TBC]
This page gives an overview of the Raven SAML2 service, describing its current status, where and how it's developed and deployed, and who is responsible for maintaining it.
Service Description¶
The Raven service provides a self-service, web-based interactive sign in service for the University. It has several parts. Raven SAML2 provides a standard SAML 2.0 interface for sites around the University.
There is a dedicated documentation site for Raven including its SAML2 interface.
Service Status¶
The Raven SAML2 service is currently live. There are no plans to decommission the service as we need to run a SAML2 service to operate within the UK Access Management Federation.
Contact¶
Technical queries and support should be directed to raven-support@uis.cam.ac.uk and will be picked up by a member of the team working on the service. To ensure that you receive a response, always direct requests to raven-support@uis.cam.ac.uk rather than reaching out to team members directly.
Issues discovered in the service or new feature requests should be opened as GitLab issues in the appropriate project within the Shibboleth group or Raven Infrastructure project (both DevOps only).
Environments¶
Raven SAML2 is currently deployed to the following environments:
Name | Main Application URL | GCP Project |
---|---|---|
Production | https://shib.raven.cam.ac.uk/ | Raven Core IdP - production |
 | https://shibboleth.prod.raven-core.gcp.uis.cam.ac.uk/ | |
Staging | https://shib-test.raven.cam.ac.uk/ | Raven Core IdP - staging |
 | https://shibboleth.test.raven-core.gcp.uis.cam.ac.uk/ | |
Development | https://shibboleth.devel.raven-core.gcp.uis.cam.ac.uk/ | Raven Core IdP - development |
All environments access a meta project (Raven Core IdP meta) for shared secrets and monitoring.
Tip
Public-facing documentation for testing Raven SAML2 can be found on the UIS webpage.
Notification channel(s) for environments¶
Environment | Display name | Address |
---|---|---|
Production | Raven core IdP - Wilson DevOps team email channel | devops-wilson@uis.cam.ac.uk |
Staging | Raven core IdP - Wilson DevOps team email channel | devops-wilson@uis.cam.ac.uk |
Source code¶
Source code for Raven SAML2 is spread over the following repositories:
Repository | Description |
---|---|
Shibboleth | External repository holding the Shibboleth source code itself |
IdP Frontend Container² | Containerised Apache2 frontend which handles interactive authentication |
Shib Idp Container² | Containerised Shibboleth |
Dev Docker Compose¹ | Docker-compose configuration for local development |
Raven Infrastructure¹ | Terraform configuration for infrastructure and deployment |
IdP Resolver Test² | Testing of attribute release |
Shib Usage Stats² | Log analysis and stats production |
¹ DevOps only
² GitLab users only
Technologies used¶
The following gives an overview of the technologies that Raven SAML2 is built on.
Category | Language | Framework(s) |
---|---|---|
Shibboleth IdP | Java, XML and JavaScript | Many |
GCP deployment | HCL | Terraform |
Operational documentation¶
There is a dedicated operational documentation folder in the infrastructure GitLab project (DevOps only).
How and where the service is deployed¶
The GCP deployment follows our standard deployment practice for Google Cloud. The exact container versions are pinned in the infrastructure deployment, so deployment follows a "gitops" model: a change to the deployed version is a change to the infrastructure repository.
The non-production deployments can be used as an alternative to production Raven SAML2 by means of a change to /etc/hosts, as documented in the testing page.
Monitoring¶
The monitoring and alerting system is based on Cloud Monitoring. Alert policies and metrics can be viewed in the Raven Core IdP meta project (DevOps only).
Our standard alerts have been configured:
- Service uptime check from various geographic regions
- SSL expiry checks
- Check for excessive k8s storage volume usage
- Check for excessive CPU, memory or disk pressure on nodes
- Check for excessive CPU, memory or storage use by pods
In addition, the GCP deployment has the following monitoring:
- Check that University and UK Federation metadata sources are correctly imported according to their refresh schedule.
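The metadata import check above, and the /etc/hosts-based testing against a non-production deployment described under "How and where the service is deployed", both come down to asking the same questions of a SAML 2.0 metadata document: is the aggregate still within its validUntil window, and which hosts does the IdP entity actually advertise for single sign-on? The following is an added example, not code from the Raven SAML2 project or from Shibboleth; the metadata document, entity ID, hostnames and dates in it are constructed for illustration and are not the real Raven or UK federation values. It is a sanity check only: it does not verify the metadata signature, which the Shibboleth metadata provider does, and which this check must not be taken to replace.

```python
"""Sanity-check a SAML 2.0 metadata document: freshness and IdP SSO endpoints.

Added example (not part of the Raven SAML2 project). Everything below that
looks like a real entity, host or date is a constructed assumption.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample aggregate with a single IdP entity. The HTTP-POST
# endpoint is deliberately plain http so the endpoint check has something to
# report. None of these values are the real Raven or UK federation values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:constructed-feed"
    validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://idp.example.ac.uk/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_instant(value: str) -> datetime:
    """Parse an xs:dateTime as written in SAML metadata (UTC with a 'Z' suffix)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat before 3.11 rejects 'Z'
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # a naive value is UTC per the SAML profile, not local time
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def check_freshness(xml_text: str, now: datetime,
                    min_remaining: timedelta = timedelta(hours=6)) -> list[str]:
    """Report whether the aggregate has expired or is about to.

    An aggregate whose validUntil has passed is the symptom of a missed
    refresh, so warn while there is still time to fix the import.
    """
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return ["no validUntil on root element: feed can never be aged out"]
    expiry = parse_instant(valid_until)
    if expiry <= now:
        return [f"metadata expired at {valid_until}"]
    if expiry - now < min_remaining:
        return [f"metadata expires at {valid_until}, less than {min_remaining} from now"]
    return []


def sso_endpoints(xml_text: str, entity_id: str) -> list[tuple[str, str]]:
    """Return (binding, location) pairs for the IdP with the given entityID."""
    root = ET.fromstring(xml_text)
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):  # includes root itself
        if entity.get("entityID") == entity_id:
            return [(s.get("Binding", ""), s.get("Location", ""))
                    for s in entity.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    return []


def check_idp(xml_text: str, entity_id: str, expected_host: str) -> list[str]:
    """Confirm the IdP advertises only https endpoints on the host you expect.

    When testing against a non-production deployment, a host mismatch here is
    the quickest way to see which environment actually answered.
    """
    endpoints = sso_endpoints(xml_text, entity_id)
    if not endpoints:
        return [f"no IdP SSO endpoints for {entity_id}: entity missing or not an IdP"]
    problems = []
    for binding, location in endpoints:
        url = urlparse(location)
        short = binding.rsplit(":", 1)[-1]  # e.g. HTTP-Redirect
        if url.scheme != "https":
            problems.append(f"{short} endpoint is not https: {location}")
        if url.hostname != expected_host:
            problems.append(f"{short} endpoint host {url.hostname!r} != {expected_host!r}")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for problem in (check_freshness(SAMPLE_METADATA, now)
                    + check_idp(SAMPLE_METADATA, "https://idp.example.ac.uk/shibboleth",
                                "idp.example.ac.uk")):
        print("PROBLEM:", problem)
```

To run this against a live feed, fetch the document first (for the /etc/hosts override case, fetch through the overridden name so that you are checking what the alternative deployment really serves) and pass the text in place of the constructed sample; the freshness threshold should be set to something longer than the refresh interval so the alert fires before the aggregate lapses.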
Debugging¶
A full environment may be run locally using the Dev Docker Compose project (DevOps only). This allows configuration changes to be debugged locally without affecting any deployed service.
Service Management¶
The Team responsible for this service is Wilson Team.
The Tech Lead for this service is rjg21.
The Service Owner for this service is vkhs1.
The Service Manager for this service is TBC.
The Product Manager for this service is TBC.
The following engineers have operational experience with this service and are able to respond to support requests or incidents: