[Drupal] pro

Jason Little Jason_Little at engadmin.ohio-state.edu
Tue May 18 08:59:58 EDT 2010 

I like the new site too.  Great job Mitchell.

Our approach for shib/ssl is nothing special.  We use site alternate name certificates from Geotrust.  We had to set up our own account with them to do this.  They gave us the "education" rate of $500 for 5 domains + $29 / domain up to 25 total.  So if you've got a lot of sites, you're looking at around $43 per domain.  Although others offer much cheaper SANs, that's at least competitive with low end single site ssl certificates, and I think the renewal rate may be lower.  You can change your certs around or add new ones at any time.  You just need to regen the certificate.  Because it's a single cert, it only requires one ip address.  SANS are licensed per server.

With a lot of osu.edu sites in our org, it's tempting to just get a wildcard, but that would probably be excessive and a security liability.  The SAN approach also has the benefit of being able to handle non-osu.edu domains.

We use geotrust because they were the official supplier recommended by OIT and we once had trouble with another vendor.  Compared to others, they are extremely expensive and have a propensity for messing up our orders.  That said, I've found that our service rep, Dennis Hopp (dhopp at verisign.com<mailto:dhopp at verisign.com>), has been pleasant to deal with and helpful in sorting out the messes.

I think you can use shibboleth without SSL, but I'm not sure if Scott supports such configurations.  Personally, I like the idea of having SSL on anything that requires authentication.  In the end, a cost of around $43 per domain is trivial compared to the overall expenditure that goes into producing and maintaining a site.

We use the secure pages module to force SSL for some sections (admin, ecommerce) but not others (normal content).  This minimizes load caused by ssl and eliminates those pesky IE warnings when loading insecure content (ie from youtube).

Best,
Jason Little
College of Engineering


From: drupal-bounces at lists.service.ohio-state.edu [mailto:drupal-bounces at lists.service.ohio-state.edu] On Behalf Of Shelton, Mitchell
Sent: Tuesday, May 18, 2010 7:48 AM
To: Drupal at lists.service.ohio-state.edu
Subject: Re: [Drupal] pro

Hello Vedu,

We discussed adding Shibboleth to the login and we like the idea, but are going to hold off for now. There are a few hiccups with setting up Shibboleth on Drupal, mostly having a secure certificate for each site (or perhaps server, sorry, outside of my field). I don't know the details of this but we are looking at our options now because it is a problem we will need to resolve on many other sites. Jason Little has had this problem and I think he is aware of the kinks, not sure if he worked everything out or not.

Speaking of Jason Little, he has also mentioned how helpful it would be to install the Drupal module "Project" on the site to host modules built for the university. I think once we get the shibboleth issue sorted that will really be able to take off. I will probably go ahead and get it installed in the next week or so anyway, just to see how much use it gets. I imagine some folks would be more comfortable sharing things behind shib.

Thanks for the support. Please feel free to offer any advice, at this stage absolutely everything is useful as we try to figure out how to build out this community. I am hopefully that it will take on a life of its own very quickly. I think there are a lot of Drupalers out there at OSU, they just seem to be kind of shy.

Thank you,
-Mitchell

From: drupal-bounces+shelton.5=osu.edu at lists.service.ohio-state.edu [mailto:drupal-bounces+shelton.5=osu.edu at lists.service.ohio-state.edu] On Behalf Of Hariths, Vedu
Sent: Monday, May 17, 2010 3:09 PM
To: Drupal at lists.service.ohio-state.edu
Subject: [Drupal] OSU:pro

Firstly, great Job guys.
I am impressed by this effort.  I was wondering if a) we should shibbolethize the login? And b) if modules should be made available for folks trying to start new development. Two modules that come to mind are a) Shibboleth, and b) Making the OSU:pro module available.

That said: sorry if both of these are already out there.

Thanks!

Vedu Hariths
Sr. Systems Consultant
OSU:pro<http://pro.osu.edu/>
Center for Knowledge Management
Email:  vedu.hariths at osumc.edu
Phone: (614) 688 - 5318

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osu.edu/pipermail/drupal/attachments/20100518/1a27a37c/attachment.html>

More information about the Drupal mailing list