openconext workshop tnc2014

Post on 05-Jul-2015


Category:

Software


DESCRIPTION

During the 2014 TERENA Networking Conference (TNC2014) in Dublin, SURFnet will provide a workshop on OpenConext on Monday 19/05 (09:00 - 12:00). Participants can explore the possibilities of OpenConext themselves. This hands-on workshop introduces you to the concepts and components of OpenConext and its example use cases. In addition, participants will install the platform and be able to configure it with the management tools and connect services or identity providers, to explore the potential of the platform yourself. Experts of SURFnet, Jisc and AARnet will be available to assist you, and there will be plenty of time for all of your questions as well as discussion on functionality, features and more. Join us for an interactive hands-on session and experience OpenConext yourself! As users or people who are interested in OpenConext, you are especially welcome to share your use cases, knowledge and experiences.

TRANSCRIPT

“Open for Collaboration”

Terena Networking Conference 2014, Dublin

Agenda

I: Introduction (Niels)

Welcome & introductions

Use cases

OpenConext explained

Features

Components

Break (15 min)

II: Hands-on (Niels)

Installing OpenConext VM

Basic activities

Working with SAML

Working with Groups

Break (15 min)

III: Community and Future (Frans)

Roadmap

Community

Governance

Discussion

Lunch

2

I: Introduction


Welcome & introductions

Introduction

Who are you, and why are you here?

4

Niels van Dijk

Frans Ward

Alexander Blanc

A bit of History

SURFgroepen platform (2006-2012)

~100.000 users, 13.000 groups

Any user can start a team

Sharepoint (docsharing) + Adobe Connect Webconferencing

Backend integration (LDAP)

BUT:

Hard/expensive to extend (No open standards!)

No Federated Login

Many feature requests from campus

5

SURFconext Vision (2009)

Create a coherent infrastructure of loosely coupled collaborative services, based on (emerging) Open Standards and enabled by access federations

6

Use Cases – Federation Hub

8

Use Cases – SURFconext

9

Use Cases – Service Delivery

10

Use Cases – Collab Platform

11

Use Cases – Collab Platform

12

OpenConext Building blocks

Identity Federations, SAML and attributes

Create and manage Groups

OpenSocial (VOOT) API and oAuth

A piece of middleware (a hub or proxy) that allows centrally managing interconnects and facilitates application integration

13

Identity federation

14

Identity federation

15

Identity federation

16

Identity federation

17

Attributes

18

Groups

Any collaboration involves groups, either ‘AdHoc’, or ‘Institutional’

OpenConext facilitates the creation of groups of federated users

Adhoc Groups are managed centrally (Teams)

Any acceptable user can become a group 'admin'

Invite any other users

Build groups from other groups

Institutional Groups (Campus or VO) can be provided by external sources

Groups provide context for applications (but applications decide on AuthZ!)

Groups feature (only) 3 roles (admin, collabmin, member)

Group + VO Registry -> VO IdP

19

Attribute exchange

Attribute & Group information can be provided at logon

Many scenarios require out of band exchange

VOOT (http://openvoot.org/voot-2.0.html) REST API, based on OpenSocial

oAuth2 & oAuth 1 (deprecated)

Draft SCIM implementation expected in 2014

SAML attribute query support on the way (both AA and client)

20

OpenConext platform (2009)

Do not start from Scratch

Add (a lot of) Glue

SAML Groups Management

Shibboleth SP (Shibboleth Consortium)

Grouper (Internet2)

Janus (WAYF)

SimpleSAMLphp SP (Feide.no)

Shindig (Apache)

Corto (WAYF)

21

Openconext platform (Q1 2014)

Do not start from Scratch

Add (a lot of) Glue and more Glue

SAML Groups Management

Shibboleth SP (Shibboleth Consortium)

Grouper (Internet2)

Janus (SURFnet)

SimpleSAMLphp SP (Feide.no)

Shindig (Apache), Group Proxy, API & APIS

Manage

Corto (WAYF/SURFnet), SSP libraries

Teams, Log handling, Statistics, OpenConext VM

22

Components

23

Engine

SAML2.0 (WebSSO profile, saml2int.org) authentication proxy capable of acting as an IdP or SP

Engine relies on ServiceRegistry (SR) for configuring the entities.

SAML2 Metadata generation

WAYF Service

End user consent

Privacy and Authorization enforcement (ACL, ARP, vIdP)

Attribute Management

ARP

Persistent/Transient NameID management

Attribute Manipulation & Mapping

urn:oid and urn:mace-dir attributes

24
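The ARP enforcement listed for Engine above, as an added illustration (not Engine's own code): attributes asserted by an IdP are filtered to what the SP's ARP permits, with urn:mace:dir names normalised to their urn:oid form and per-value wildcard matching. The three-attribute name mapping, the sample user and the SP's ARP are constructed for this example.

```python
"""ARP enforcement as done by a SAML proxy such as Engine (added illustration,
not Engine's code): release only attributes and values the SP's ARP allows."""
from fnmatch import fnmatchcase

# Assumed mapping between the urn:mace:dir and urn:oid naming conventions
# for three common attributes; Engine accepts both forms.
MACE_TO_OID = {
    "urn:mace:dir:attribute-def:uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "urn:mace:dir:attribute-def:mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:mace:dir:attribute-def:eduPersonAffiliation":
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
}

def canonical(name):
    """Normalise a mace-dir attribute name to its urn:oid form."""
    return MACE_TO_OID.get(name, name)

def apply_arp(attributes, arp):
    """Filter IdP-asserted attributes to what the SP's ARP permits.
    attributes: {name: [values]} as asserted by the IdP (either name form).
    arp: {oid_name: [allowed value patterns]}; '*' releases every value,
         other patterns are shell-style wildcards such as '*@example.org'.
    Attributes without an ARP entry are dropped: deny by default.
    """
    released = {}
    for name, values in attributes.items():
        oid = canonical(name)
        patterns = arp.get(oid)
        if not patterns:
            continue
        kept = [v for v in values if any(fnmatchcase(v, p) for p in patterns)]
        if kept:
            released[oid] = kept
    return released

# Constructed sample: what an IdP asserts for one user (mixed name forms).
SAMPLE_ATTRIBUTES = {
    "urn:mace:dir:attribute-def:uid": ["jdoe"],
    "urn:mace:dir:attribute-def:mail": ["jdoe@example.org", "jdoe@mail.example"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["student", "member"],
    "urn:oid:2.5.4.4": ["Doe"],  # surname, absent from the ARP below
}

# Constructed ARP for a hypothetical SP: uid always, institutional mail
# addresses only, and only the 'member' affiliation value.
SAMPLE_ARP = {
    "urn:oid:0.9.2342.19200300.100.1.1": ["*"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["*@example.org"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["member"],
}
```

Running `apply_arp(SAMPLE_ATTRIBUTES, SAMPLE_ARP)` releases uid, the example.org address and the 'member' affiliation only; the surname and the second mail address never reach the SP.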

Service Registry

A web-based registry for managing SAML2 SP and IdP metadata, ARP and ACL information and oAuth key management

Based on JANUS (WAYF/SURFnet)

Features include

Versioning

Metadata import and export,

Storing non SAML data (e.g. oAuth)

Storing ‘business’ data, like e.g. policy information

25

Teams (& Grouper)

A federated end-user tool for self-service management of group relationships

Teams backend is Internet2's Grouper

Features include:

create teams: invite and re-invite, request membership

manage team members, assign basic roles

combine groups from connected group providers into new (virtual) teams

26

OpenSocial/VOOT API,

APIs & API Playground API

Exchange groups and person info using a standardized REST API

Authorization based on oAuth v2 and oAuth v1 (deprecated)

A group proxy (connect multiple group providers)

The API supports three calls:

Groups the user is a member of

List other members of a group

Attributes of a user

APIs

OAuth2 authorization server that can handle multiple authorization servers and clients.

API Playground

Testbed for application development and testing

27
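The Teams model from the Groups slide (three roles, teams built from other groups, applications deciding on authorization themselves) and the first two VOOT calls above, as an added Python example that is not OpenConext's code; group and user names are constructed.

```python
"""Team/group membership in the Teams + VOOT model from the slides, as an added
example (not OpenConext code). Data is constructed; AuthZ stays with the app."""
ROLES = ("admin", "collabmin", "member")  # the only three roles Teams knows

class GroupStore:
    def __init__(self):
        self.direct = {}   # group -> {user: role}
        self.nested = {}   # group -> set of groups whose members are included

    def add_member(self, group, user, role="member"):
        if role not in ROLES:
            raise ValueError("unknown role: %s" % role)
        self.direct.setdefault(group, {})[user] = role

    def include_group(self, group, other):
        """Build `group` from `other`; included users join with the 'member' role."""
        self.nested.setdefault(group, set()).add(other)

    def members(self, group):
        """VOOT call 'members of a group': nested groups flattened, cycle-safe.
        A role granted directly in `group` wins over the inherited 'member' role."""
        result, seen, todo = {}, set(), [group]
        while todo:
            g = todo.pop()
            if g in seen:
                continue
            seen.add(g)
            for user, role in self.direct.get(g, {}).items():
                result[user] = role if g == group else result.get(user, "member")
            todo.extend(self.nested.get(g, ()))
        return result

    def groups_of(self, user):
        """VOOT call 'groups the user is a member of', with the effective role."""
        found = {}
        for g in set(self.direct) | set(self.nested):
            role = self.members(g).get(user)
            if role:
                found[g] = role
        return found

def build_sample():
    """Constructed data: an ad-hoc team that includes an institutional group, plus a deliberate cycle."""
    s = GroupStore()
    s.add_member("tnc-workshop", "alice", "admin")
    s.add_member("campus-staff", "bob")
    s.add_member("campus-staff", "alice", "collabmin")
    s.include_group("tnc-workshop", "campus-staff")
    s.include_group("campus-staff", "tnc-workshop")
    return s
```

An application consuming these results still has to map roles to its own permissions; the store only answers who is in which group.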

Mujina & Profile

Mujina

Mujina mocks a SAML2 Identity and Service Provider (IdP & SP)

Almost all characteristics of either the IdP or SP can be configured on-the-fly using a REST API

Profile

View profile information (Attributes) that is currently registered at the OpenConext platform for the user;

View the group providers and teams a user is a member of;

Connect to additional group providers if these have been made available to the user;

View and optionally revoke consent on released attributes;

View EULA and privacy statements of connected Services

28

Components

29

Break!

See you in 15 min!

30


II: Hands-on

31


Installing OpenConext VM

Work from a standard OpenConext VM

https://github.com/OpenConext/OpenConext-vm

Slightly prepped CentOS 6.5 (yum dependencies preinstalled)

OpenStack based VMs, 1 vCPU, 2 GB RAM, 40 GB disk

Add key to your ssh client: “ssh-add OCworkshopTNC2014.pem”

Login to your VM using ssh: “ssh centos@145.100.180.XYZ”

Become root: “sudo su -”

Start install: “bash OpenConext-vm-62/scripts/install_openconext.sh -i”

Follow the instructions, select defaults everywhere (also: create Certificates)

Add hostnames and IP to your hosts file

Go to https://welcome.demo.openconext.org

Accept self-signed certificates & CA

32

Welcome to OpenConext

33

Basic activities

Login to Profile via Mujina IdP; learn a bit about Profile

Create a team and invite members; learn about Teams

Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry

Inspect SAML metadata, learn about Engine

Get debug login from Feide OpenIDP using Engine

Accept team invite using Feide OpenIDP

Inspect group config in Grouper

See group ACLs using Manage

Get oAuth config from ServiceRegistry

Query API in API playground to see group and person data

34


Profile, Mujina and Teams

36

OpenConext WAYF

37

Mujina IdP

38

End-user Consent

39

Profile

40

Teams - Login

41

Teams – Create new Team

42

Teams – Create new Team

43

Teams and members

44

Inviting members

45

Inviting members

46

Login via OpenIdP

47

Oops!

48


ServiceRegistry and Engine

50

ServiceRegistry

51

ServiceRegistry

52

ServiceRegistry

53

ServiceRegistry

54

ServiceRegistry

55

ServiceRegistry

56

Engine - Testing IdPs

57


Ok, back to my Team

59

Ok, back to my Team

60

Teams – Accept Invite

61

Teams – Accept Invite

62

Teams – Accept Invite

63

Teams – Accept Invite

64

Grouper – Behind the Scenes

65

Grouper - details

66

Manage - Group ACLs

67

Manage – Setting Group ACLs

68

Manage – Add new group providers

69


ServiceRegistry – oAuth keys

71

API Playground

72

API Playground

73

Authorization Grant

74

API Playground

75

My Groups!

76


Keep Calm and

REMOVE

the OpenConext CA

from your browser! (it is publicly available in GitHub)

78

Break!

See you in 15 min!

79


III: Community and Future

80


Roadmap

Release 68 (SR/Janus):

Unification of WAYF and SURFnet forks, keeping full history

Introduced composer for dependencies

Introduced doctrine for data access layer

Add automated upgrade from last Janus (WAYF release) DB schema

Explicitly keep track of the last revision of each entity in the DB to improve performance when having many entities and revisions.

Get rid of separate ARPs. Move ARP to SP configuration

Introduce wildcard matching of ARP values

Introduce new r/w API for Janus.

81

Roadmap

Release 70 (Engine):

Replace corto and old libxml with SimpleSAMLphp library as SAML library

Reduce the time the SAML signing key is kept in memory

Improved support for multiple SAML signing keys. Facilitate fast "hands off" rollover by allowing the SP to select the signing key to use

Reduce writes to LDAP

New GUI for Teams (Twitter Bootstrap)

82

Roadmap

Unplanned:

OpenConext VM with credentials and other key config parameters in 1 file

Introduce APIS as AuthZ service for public APIs

Experimental support for OpenID Connect

Experimental support for SCIM

Experimental support for SAML AA and client

83

Open Source is…

License

Product

Community

84

‘The realization of an open source project does not guarantee the creation of a community’

85

Community

Boosting the full potential of the OpenConext open source ecosystem

Goals:

Create an active community

Exchange ideas

Promotion

Learn from different use cases

86

87

http://openconext.org

88

Governance

Why does a project like OpenConext need a governance model?

Every open source project has its own management strategy

It is therefore critical to have clear communication about its politics and strategies to potential users and developers

Sustainability!

89

Governance Model

Describes roles that project participants can take on

Describes the process for decision making within the project

Describes the ground rules for participation in the project

Describes the processes for communicating and sharing with project team and community

90

Governance Models

91

Governance Options

Do nothing, aka leave it as it is (SURFnet as benevolent dictator)

Create an independent entity out of OpenConext (like the MediaMosa Foundation)

Define a custom governance model (like the MediaMosa Foundation)

92

MediaMosa Governance

93

Governance Barriers

the process is perceived as ‘red tape’

there is a concern that the project will lose its sense of direction

it is felt that control of the project’s strategy will be lost

the project is thought to be too young or too small to attract active users or developers

94

Community Options

Join the Apereo Foundation

DIY (based on MediaMosa)

What about Terena Greenhouse?

95

Discussion

Given what you have seen, what use case would you have for OpenConext? What is useful, what is missing?

How important is formal governance?

What kind of support tools would you expect?

What are your plans with OpenConext?

Would you consider using OpenConext and becoming an active member of the community?

96

Resources

Source code

All of OpenConext is hosted at https://github.com/openconext

OpenConext support tools and compatible services are available at

https://github.com/openconextapps

Community Website, including documentation

https://www.openconext.org

Support

Mailing lists: openconext-users@list.surfnet.nl and openconext-dev@list.surfnet.nl

97

info@openconext.org

98
