OpenConext Workshop TNC2014
“Open for Collaboration”
Terena Networking Conference 2014, Dublin
Agenda
I: Introduction (Niels)
  Welcome & introductions
  Use cases
  OpenConext explained
  Features
  Components
  Break (15 min)
II: Hands-on (Niels)
  Installing OpenConext VM
  Basic activities
  Working with SAML
  Working with Groups
  Break (15 min)
III: Community and Future (Frans)
  Roadmap
  Community
  Governance
  Discussion
  Lunch
I: Introduction
Welcome & introductions
Introduction
Who are you, and why are you here?
Niels van Dijk
Frans Ward
Alexander Blanc
A bit of History
SURFgroepen platform (2006-2012)
~100,000 users, 13,000 groups
Any user can start a team
Sharepoint (docsharing) + Adobe Connect Webconferencing
Backend integration (LDAP)
BUT:
Hard/expensive to extend (No open standards!)
No Federated Login
Many feature requests from campus
SURFconext Vision (2009)
Create a coherent infrastructure of loosely coupled collaborative services, based on (emerging) Open Standards and enabled by access federations
Use Cases – Federation Hub
Use Cases – SURFconext
Use Cases – Service Delivery
Use Cases – Collab Platform
OpenConext Building blocks
Identity Federations, SAML and attributes
Create and manage Groups
OpenSocial (VOOT) API and oAuth
A piece of middleware (a hub or proxy) that allows centrally managing interconnects and facilitates application integration
Identity federation
Attributes
Groups
Any collaboration involves groups, either 'AdHoc' or 'Institutional'
OpenConext facilitates the creation of groups of federated users
Adhoc Groups are managed centrally (Teams)
Any acceptable user can become a group 'admin'
Invite any other users
Build groups from other groups
Institutional Groups (Campus or VO) can be provided by external sources
Groups provide context for applications (but applications decide on AuthZ!)
Groups feature (only) 3 roles (admin, collabmin, member)
Group + VO Registry -> VO IdP
Attribute exchange
Attribute & Group information can be provided at logon
Many scenarios require out of band exchange
VOOT (http://openvoot.org/voot-2.0.html) REST API, based on OpenSocial
oAuth2 & oAuth 1 (deprecated)
Draft SCIM implementation expected in 2014
SAML attribute query support on the way (both AA and client)
OpenConext platform (2009)
Do not start from Scratch
Add (a lot of) Glue
SAML: Shibboleth SP (Shibboleth Consortium), SimpleSAMLphp SP (Feide.no), Corto (WAYF)
Groups: Grouper (Internet2), Shindig (Apache)
Management: Janus (WAYF)
OpenConext platform (Q1 2014)
Do not start from Scratch
Add (a lot of) Glue and more Glue
SAML: Shibboleth SP (Shibboleth Consortium), SimpleSAMLphp SP (Feide.no), Corto (WAYF/SURFnet), SSP libraries
Groups: Grouper (Internet2), Shindig (Apache), Group Proxy, API & APIS, Teams
Management: Janus (SURFnet), Manage, Log handling, Statistics, OpenConext VM
Components
Engine
SAML2.0 (WebSSO profile, saml2int.org) authentication proxy capable of acting as an IdP or SP
Engine relies on ServiceRegistry (SR) for configuring the entities
SAML2 Metadata generation
WAYF Service
End user consent
Privacy and Authorization enforcement (ACL, ARP, vIdP)
Attribute Management
ARP
Persistent/Transient NameID management
Attribute Manipulation & Mapping
urn:oid and urn:mace-dir attributes
Service Registry
A web-based registry for managing SAML2 SP and IdP metadata, ARP and ACL information and oAuth key management
Based on JANUS (WAYF/SURFnet)
Features include
Versioning
Metadata import and export
Storing non SAML data (e.g. oAuth)
Storing 'business' data, like e.g. policy information
Teams (& Grouper)
A federated end-user tool for self-service management of group relationships
Teams backend is Internet2's Grouper
Features include:
create teams: invite and re-invite, request membership
manage team members, assign basic roles
combine groups from connected group providers into new (virtual) teams
OpenSocial/VOOT API, APIs & API Playground
API
Exchange groups and person info using a standardized REST API
Authorization based on oAuth v2 and oAuth v1 (deprecated)
A group proxy (connect multiple group providers)
The API supports three calls:
Groups the user is a member of
List other members of a group
Attributes of a user
APIs
OAuth2 authorization server that can handle multiple authorization servers and clients.
API Playground
Testbed for application development and testing
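The Groups slide stresses that groups only give applications context and that the application itself decides on authorization. The following added example (not OpenConext code) shows what that decision looks like on the application side once the "groups the user is a member of" call has returned: it parses a paged OpenSocial-style VOOT response, reduces it to group-id to role, and checks a required group against a minimum role using the three roles from the slides (admin, collabmin, member). The JSON pages, the group ids and titles, and the "voot_membership_role" field name are constructed for this example and are assumptions about the response shape; the HTTP call with the OAuth2 bearer token is replaced by a stand-in that serves the constructed pages.

```python
"""Application-side authorization on top of VOOT group data (added example)."""
import json

# Roles from the slides, ordered from least to most privileged.
ROLE_RANK = {"member": 0, "collabmin": 1, "admin": 2}

# Two constructed pages of a "groups the user is a member of" response,
# paged the OpenSocial way (totalResults / startIndex / itemsPerPage / entry).
PAGE_1 = json.dumps({
    "totalResults": 3, "startIndex": 0, "itemsPerPage": 2,
    "entry": [
        {"id": "urn:collab:group:example.org:project-x", "title": "Project X",
         "voot_membership_role": "admin"},
        {"id": "urn:collab:group:example.org:students", "title": "Students",
         "voot_membership_role": "member"},
    ],
})
PAGE_2 = json.dumps({
    "totalResults": 3, "startIndex": 2, "itemsPerPage": 2,
    "entry": [
        # role omitted on purpose: the provider asserts membership only
        {"id": "urn:collab:group:example.org:lab-admins", "title": "Lab admins"},
    ],
})


def parse_groups_page(body):
    """Return ({group_id: role}, next_start_index_or_None) for one response page."""
    doc = json.loads(body)
    roles = {}
    for entry in doc.get("entry", []):
        role = entry.get("voot_membership_role", "member")
        if role not in ROLE_RANK:      # unknown or missing role: least privilege
            role = "member"
        roles[entry["id"]] = role
    start = doc.get("startIndex", 0)
    per_page = doc.get("itemsPerPage", len(roles))
    total = doc.get("totalResults", start + len(roles))
    if per_page <= 0 or start + per_page >= total:
        return roles, None             # last (or only) page
    return roles, start + per_page


def collect_groups(fetch_page):
    """Follow paging until the whole membership list is known.

    fetch_page(start_index) performs the authenticated GET (here a stand-in)
    and returns the raw JSON body for that offset.
    """
    groups, start = {}, 0
    while start is not None:
        page_roles, start = parse_groups_page(fetch_page(start))
        groups.update(page_roles)
    return groups


def is_allowed(groups, required_group, minimum_role="member"):
    """The application's own decision: right group, at least the required role."""
    role = groups.get(required_group)
    return role is not None and ROLE_RANK[role] >= ROLE_RANK[minimum_role]


def fake_fetch(start_index):
    """Stand-in for the HTTP GET with an OAuth2 bearer token; serves the constructed pages."""
    return {0: PAGE_1, 2: PAGE_2}[start_index]


if __name__ == "__main__":
    groups = collect_groups(fake_fetch)
    for gid, role in groups.items():
        print(f"{gid}: {role}")
    print("project-x admin:", is_allowed(groups, "urn:collab:group:example.org:project-x", "admin"))
    print("students collabmin:", is_allowed(groups, "urn:collab:group:example.org:students", "collabmin"))
```

Two choices are deliberate: a missing or unrecognised role string is treated as plain member rather than as a privileged role, and the paging loop stops on the page that reaches totalResults, so a truncated first page cannot silently hide a group the decision depends on.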
Mujina & Profile
Mujina
Mujina mocks a SAML2 Identity and Service Provider (IdP & SP)
Almost all characteristics of either the IdP or SP can be configured on-the-fly using a REST API
Profile
View profile information (Attributes) that are currently registered at the OpenConext platform for the user;
View the group providers and teams a user is a member of;
Connect to additional group providers if these have been made available to the user;
View and optionally revoke consent on released attributes;
View EULA and privacy statements of connected Services
Components
Break!
See you in 15 min!
II: Hands-on
Installing OpenConext VM
Work from a standard OpenConext VM: https://github.com/OpenConext/OpenConext-vm
Slightly prepped CentOS 6.5 (yum dependencies preinstalled)
OpenStack based VMs, 1 vCPU, 2 GB RAM, 40 GB disk
Add key to your ssh client: "ssh-add OCworkshopTNC2014.pem"
Login to your VM using ssh: "ssh [email protected]"
Become root: "sudo su -"
Start install: "bash OpenConext-vm-62/scripts/install_openconext.sh -i"
Follow the instructions, select defaults everywhere (also: create Certificates)
Add hostnames and IP to your hosts file
Go to https://welcome.demo.openconext.org
Accept self signed certificates & CA
Welcome to OpenConext
Basic activities
Login to Profile via Mujina IdP; learn a bit about Profile
Create a team and invite members; learn about Teams
Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry
Inspect SAML metadata; learn about Engine
Get debug login from Feide OpenIDP using Engine
Accept team invite using Feide OpenIDP
Inspect group config in Grouper
See group ACLs using Manage
Get oAuth config from ServiceRegistry
Query API in API playground to see group and person data
Profile, Mujina and Teams
OpenConext WAYF
Mujina IdP
End-user Consent
Profile
Teams - Login
Teams – Create new Team
Teams and members
Inviting members
Login via OpenIdP
Oops!
ServiceRegistry and Engine
ServiceRegistry
Engine - Testing IdPs
Ok, back to my Team
Teams – Accept Invite
Grouper – Behind the Scenes
Grouper - details
Manage - Group ACLs
Manage – Setting Group ACLs
Manage – Add new group providers
ServiceRegistry – oAuth keys
API Playground
Authorization Grant
API Playground
My Groups!
Keep Calm and REMOVE the OpenConext CA from your browser! (it is publicly available in GitHub)
Break!
See you in 15 min!
III: Community and Future
Roadmap
Release 68 (SR/Janus):
Unification of WAYF and SURFnet forks, keeping full history
Introduced composer for dependencies
Introduced doctrine for data access layer
Add automated upgrade from last Janus (WAYF release) DB schema
Explicitly keep track of the last revision of each entity in the DB to improve performance when having many entities and revisions
Get rid of separate ARPs. Move ARP to SP configuration
Introduce wildcard matching of ARP values
Introduce new r/w API for Janus
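The Engine slide lists the attribute handling a SAML proxy does per service provider (ARP, attribute mapping between urn:mace-dir and urn:oid names, persistent NameID management), and this roadmap item adds wildcard matching of ARP values. The following added example (not OpenConext or Janus code) walks one user's attribute set through those steps for two SPs. The ARP representation (SP entity id to attribute name to list of allowed value patterns), the user attributes, the entity ids and the salt are constructed for this example; the urn:mace to urn:oid table uses the standard OIDs for those attributes; the persistent NameID derivation is an illustrative salted hash, not Engine's exact algorithm; and an SP with no ARP entry gets no attributes at all here, which is this example's default, not necessarily the platform's.

```python
"""Attribute release as a SAML proxy performs it per SP (added example)."""
import fnmatch
import hashlib

# Standard OIDs for the attribute names used below (both forms are released).
MACE_TO_OID = {
    "urn:mace:dir:attribute-def:uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "urn:mace:dir:attribute-def:mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:mace:dir:attribute-def:displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}

# Constructed input: one authenticated user as the IdP asserted them.
IDP = "https://idp.example.edu/saml2"                # constructed entity id
SALT = "constructed-secret-salt"                      # real deployments keep this secret
USER = {
    "urn:mace:dir:attribute-def:uid": ["jdoe"],
    "urn:mace:dir:attribute-def:mail": ["j.doe@example.edu"],
    "urn:mace:dir:attribute-def:displayName": ["Jane Doe"],
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["student", "employee", "member"],
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": ["example.edu"],
}

# Constructed ARP per SP: attribute -> allowed value patterns (shell-style wildcards).
TEAMS_SP = "https://teams.demo.example/sp"
WIKI_SP = "https://wiki.demo.example/sp"
ARP = {
    TEAMS_SP: {                       # identity plus institutional affiliations only
        "urn:mace:dir:attribute-def:mail": ["*"],
        "urn:mace:dir:attribute-def:displayName": ["*"],
        "urn:mace:dir:attribute-def:eduPersonAffiliation": ["student", "employee"],
    },
    WIKI_SP: {                        # only needs the home organisation, any .edu
        "urn:mace:terena.org:attribute-def:schacHomeOrganization": ["*.edu"],
    },
}


def apply_arp(attributes, sp_arp):
    """Keep only attributes named in the ARP, and only values matching a pattern."""
    released = {}
    for name, values in attributes.items():
        patterns = sp_arp.get(name, [])
        kept = [v for v in values if any(fnmatch.fnmatchcase(v, p) for p in patterns)]
        if kept:
            released[name] = kept
    return released


def with_oid_names(attributes):
    """Add the urn:oid form next to each urn:mace name so either convention works at the SP."""
    out = dict(attributes)
    for mace, oid in MACE_TO_OID.items():
        if mace in attributes:
            out[oid] = list(attributes[mace])
    return out


def persistent_name_id(uid, idp_entity_id, sp_entity_id, salt):
    """Opaque per-SP identifier: stable for one user at one SP, different across SPs.

    Illustrative salted hash; the proxy's real derivation may differ.
    """
    material = "|".join([salt, idp_entity_id, uid, sp_entity_id])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def release(user_attributes, arp, idp_entity_id, sp_entity_id, salt):
    """What the proxy hands to one SP: a persistent NameID and the ARP-filtered attributes."""
    uid = user_attributes["urn:mace:dir:attribute-def:uid"][0]
    sp_arp = arp.get(sp_entity_id, {})     # unknown SP: nothing released (example default)
    return {
        "name_id": persistent_name_id(uid, idp_entity_id, sp_entity_id, salt),
        "attributes": with_oid_names(apply_arp(user_attributes, sp_arp)),
    }


if __name__ == "__main__":
    for sp in (TEAMS_SP, WIKI_SP, "https://unknown.example/sp"):
        result = release(USER, ARP, IDP, sp, SALT)
        print(sp, result["name_id"][:16], result["attributes"])
```

Note that the uid never leaves the proxy for either SP: the SP only ever sees the per-SP NameID, which is why two SPs cannot correlate the same user without the proxy's cooperation, and the "member" affiliation value is dropped for the teams SP because it matches none of the listed patterns.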
Roadmap
Release 70 (Engine):
Replace corto and old libxml with SimpleSAMLphp library as SAML library
Reduce the time the SAML signing key is kept in memory
Improved support for multiple SAML signing keys. Facilitate fast "hands off" rollover by allowing the SP to select the signing key to use
Reduce writes to LDAP
New GUI for Teams (Twitter Bootstrap)
Roadmap
Unplanned:
OpenConext VM with credentials and other key config parameters in 1 file
Introduce APIS as AuthZ service for public APIs
Experimental support for OpenID Connect
Experimental support for SCIM
Experimental support for SAML AA and client
Open Source is…
License
Product
Community
'The realization of an open source project does not guarantee the creation of a community'
Community
Boosting the full potential of the OpenConext open source ecosystem
Goals:
Create an active community
Exchange ideas
Promotion
Learn from different use cases
Governance
Why does a project like OpenConext need a governance model?
Every open source project has its own management strategy
It is therefore critical to have clear communication about its politics and strategies …to potential users and developers
Sustainability!
Governance Model
Describes roles that project participants can take on
Describes the process for decision making within the project
Describes the ground rules for participation in the project
Describes the processes for communicating and sharing with project team and community
Governance Models
Governance Options
Do nothing aka leave it as it is (SURFnet as benevolent dictator)
Create an independent entity out of OpenConext (like the MediaMosa Foundation)
Define a custom governance model (like the MediaMosa Foundation)
MediaMosa Governance
Governance Barriers
the process is perceived as 'red tape'
there is a concern that the project will lose its sense of direction
it is felt that control of the project's strategy will be lost
the project is thought to be too young or too small to attract active users or developers
Community Options
Join the Apereo Foundation
DIY (based on MediaMosa)
What about Terena Greenhouse?
Discussion
Given what you have seen, what use case would you have for OpenConext? What is useful, what is missing?
How important is formal governance?
What kind of support tools would you expect?
What are your plans with OpenConext?
Would you consider using OpenConext and becoming an active member of the community?
Resources
Source code
All of OpenConext is hosted at https://github.com/openconext
OpenConext support tools and compatible services are available at https://github.com/openconextapps
Community Website, including documentation
https://www.openconext.org
Support
Mailinglists: [email protected] and openconext-