openconext workshop tnc2014

“Open for Collaboration”

Terena Networking Conference 2014, Dublin

Agenda

I: Introduction

(Niels)

II: Hands-on

(Niels)

III: Community and Future

(Frans)

Welcome & introductions

Use cases

OpenConext explained

Features

Components

Installing OpenConext VM

Basic activities

Working with SAML

Working with Groups

Roadmap

Community

Governance

Discussion

Break (15 min) Break (15 min) Lunch

2

I: Introduction

I: Introduction

(Niels)

II: Hands-on

(Niels)


(Frans)


Use cases


Features

Components


Basic activities

Working with SAML

Working with Groups

Roadmap

Community

Governance

Discussion


2


Introduction

Who are you, and why are you here?

4

Nielsvan Dijk

FransWard

AlexanderBlanc

A bit of History

SURFgroepen platform (2006-2012)

~100.000 users, 13.000 groups

Any user can start a team

Sharepoint (docsharing) + Adobe Connect Webconferencing

Backend integration (LDAP)

BUT:

Hard/expensive to extend (No open standards!)

No Federated Login

Many feature requests from campus

5

SURFconext Vision (2009)

Create a coherent infrastructure of loosely

coupled collaborative services, based on

(emerging) Open Standards and enabled by

access federations

6

OpenConext

7

http://www.youtube.com/watch?v=kUpn568NSl0

http://www.youtube.com/watch?v=kUpn568NSl0

Use Cases – Federation Hub

8

Use Cases – SURFconext

9

Use Cases – Service Delivery

10

Use Cases – Collab Platform

11

Use Cases – Collab Platform

12

OpenConext Building blocks

Identity Federations, SAML and attributes

Create and manage Groups

OpenSocial (VOOT) API and oAuth

A piece of middleware (a hub or proxy) that allows centrally managing

interconnects and facilitates application integration

13

Identity federation

14

Identity federation

15

Identity federation

16

Identity federation

17

Attributes

18

Groups

Any collaboration involves groups, either ‘AdHoc’, or ‘Institutional’

OpenConext facilitates the creation of groups of federated users

Adhoc Groups are managed centrally (Teams)

Any acceptable user can become a group 'admin‘

Invite any other users

Build groups from other groups

Institutional Groups (Campus or VO) can be provided by external sources

Groups provide context for applications (but applications decide on AuthZ!)

Groups feature (only) 3 roles (admin, collabmin, member)

Group + VO Registry -> VO IdP

19

Attribute exchange

Attribute & Group information can be provided at logon

Many scenarios require out of band exchange

VOOT (http://openvoot.org/voot-2.0.html) REST API, based on OpenSocial

oAuth2 & oAuth 1 (deprecated)

Draft SCIM implementation expected in 2014

SAML attribute query support on the way (both AA and client)

20

http://openvoot.org/voot-2.0.html

OpenConext platform (2009)

Do not start from Scratch

Add (a lot of) Glue

SAML Groups Management

Shibboleth SP(Shibboleth Consortium)

Grouper(Internet2)

Janus(WAYF)

SimpleSAMLphp SP(Feide.no)

Shindig (Apache)

Corto(WAYF)

21

Openconext platform (Q1 2014)

Do not start from Scratch

Add (a lot of) Glue and more Glue

SAML Groups Management

Shibboleth SP(Shibboleth Consortium)

Grouper(Internet2)

Janus(SURFnet)

SimpleSAMLphp SP(Feide.no)

Shindig(Apache)Group Proxy, API & APIS

Manage

Corto(WAYF/SURFnet)SSP libraries

Teams Log handlingStatisticsOpenConext VM

22

Components

23

Engine

SAML2.0 (WebSSO profile, saml2int.org) authentication proxy capable of

acting as an IdP or SP

Engine relies on ServiceRegistry (SR) for configuring the entities.

SAML2 Metadata generation

WAYF Service

End user consent

Privacy and Authorization enforcement (ACL, ARP, vIdP)

Attribute Management

ARP

Persistent/Transient NameID management

Attribute Manipulation & Mapping

urn:oid and urn:mace-dir attributes

24

Service Registry

A web-based registry for managing SAML2 SP and IdP metadata, ARP and

ACL information and oAuth key management

Based on JANUS (WAYF/SURFnet)

Features include

Versioning

Metadata import and export,

Storing non SAML data (e.g. oAuth)

Storing ‘business’ data, like e.g. policy information

25

Teams (& Grouper)

A federated end-user tool for self-service management of group

relationships

Teams backend is Internet2's Grouper

Features include:

create teams: invite and re-invite, request membership

manage team members, assign basic roles

combine groups from connected group providers into new (virtual) teams

26

OpenSocial/VOOT API,

APIs & API Playground API

Exchange groups and person info using a standardized REST API

Authorization based on oAuth v2 and oAuth v1 (deprecated)

A group proxy (connect multiple group providers)

The API supports three calls:

Groups the user is a member of

List other members of a group

Attributes of a user

APIs

OAuth2 authorization server that can handle multiple authorization servers and clients.

API Playground

Testbed for application development and testing27

Mujina & Profile

Mujina

Mujina mocks a SAML2 Identity and Service Provider (IdP & SP)

Almost all characteristics of either the IdP or SP can be configured on-the-fly using a REST API

Profile

View profile information (Attributes) that are currently registered at the OpenConext platform for the use;

View the group providers and teams a user is a member of;

Connect to addition group providers if these have been made available to the user;

View and optionally revoke consent on released attributes;

View EULA and privacy statements of connected Services

28

Components

29

Break!

See you in 15 min!

30

I: Introduction

(Niels)

II: Hands-on

(Niels)


(Frans)


Use cases


Features

Components


Basic activities

Working with SAML

Working with Groups

Roadmap

Community

Governance

Discussion


II: Hands-on

31

I: Introduction

(Niels)

II: Hands-on

(Niels)


(Frans)


Use cases


Features

Components


Basic activities

Working with SAML

Working with Groups

Roadmap

Community

Governance

Discussion


Installing OpenConext VM Work from a standard OpenConext VM

https://github.com/OpenConext/OpenConext-vm

Slightly prepped CentOS 6.5 (yum dependencies preinstalled)

OpenStack based VMs, 1 vCPUs, 2 Gb ram, 40 Gb Disk

Add key to your ssh client: “ssh-add OCworkshopTNC2014.pem”

Login to your VM using ssh: “ssh [email protected]”

Become root: “sudo su –”

Start install “bash OpenConext-vm-62/scripts/install_openconext.sh –i”

Follow the instructions, select defaults everywhere (also: create Certificates)

Add hostnames and IP to your hosts file

Go to https://welcome.demo.openconext.org

Accept self signed certificates & CA 32

https://github.com/OpenConext/OpenConext-vm

https://welcome.demo.openconext.org/

Welcome to OpenConext

33

Basic activities

Login to Profile via Mujina IdP; learn a bit about Profile

Create a team and invite members; learn about Teams

Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry

Inspect SAML metadata, learn about Engine

Get debug login from Feide OpenIDP using Engine

Accept team invite using Feide OpenIDP

Inspect group config in Grouper

See group ACLs using Manage

Get oAuth config from ServiceRegistry

Query API in API playground to see group and person data

34

Basic activities











35

Profile, Mujina and Teams

36

OpenConext WAYF

37

Mujina IdP

38

End-user Consent

39

Profile

40

Teams - Login

41

Teams – Create new Team

42

Teams – Create new Team

43

Teams and members

44

Inviting members

45

Inviting members

46

Login via OpenIdP

47

Oeps!

48

Simple activities











49

ServiceRegistry and Engine

50

ServiceRegistry

51

ServiceRegistry

52

ServiceRegistry

53

ServiceRegistry

54

ServiceRegistry

55

ServiceRegistry

56

Engine - Testing IdPs

57

Simple activities











58

Ok, back to my Team

59

Ok, back to my Team

60

Teams – Accept Invite

61


62


63


64

Grouper – Behind the Scenes

65

Grouper - details

66

Manage - Group ACLs

67

Manage – Setting Group ACLs

68

Manage – Add new group providers

69

Simple activities











70

ServiceRegisty – oAuth keys

71

API Playground

72

API Playground

73

Authorization Grant

74

API Playground

75

My Groups!

76

Simple activities











77

Keep Calm and

REMOVE

the OpenConext CA

from your browser!(it is publicly available in GitHub)

78

Break!

See you in 15 min!

79

I: Introduction

(Niels)

II: Hands-on

(Niels)


(Frans)


Use cases


Features

Components


Basic activities

Working with SAML

Working with Groups

Roadmap

Community

Governance

Discussion



80

I: Introduction

(Niels)

II: Hands-on

(Niels)


(Frans)


Use cases


Features

Components


Basic activities

Working with SAML

Working with Groups

Roadmap

Community

Governance

Discussion


Roadmap

Release 68 (SR/Janus):

Unification of WAYF and SURFnet forks, keeping full history

Introduced composer for dependencies

Introduced doctrine for data access layer

Add automated upgrade from last Janus (WAYF release) DB schema

Explicitly keep track of the last revision of each entity in the DB to improve

performance when having many entities and revisions.

Get rid of separate ARPs. Move ARP to SP configuration

Introduce wildcard matching of ARP values

Introduce new r/w API for Janus.

81

Roadmap

Release 70 (Engine):

Replace corto and old libxml with SimpleSAMLphp library as SAML library

Reduce the time SAML signing key is kept memory

Improved support for multiple SAML signing keys. Facilitate fast "hands off"

rollover by allowing the SP to select the signing key to use

Reduce writes to LDAP

New GUI for Teams (Twitter Bootstrap)

82

Roadmap

Unplanned:

OpenConext VM with credentials and other key config parameters in 1 file

Introduce APIS as AuthZ service for public APIs

Experimental support for OpenIdConect

Experimental support for SCIM

Experimental support for SAML AA and client

83

Open Source is…

License

Product

Community

84

‘The realization of an

open source

project

does not guarantee

the creation of a

community’

85

Community

Boosting the full potential of the OpenConext open

source ecosystem

Goals:

Create an active community

Exchange ideas

Promotion

Learn from different use cases

86

http://openconext.org

88

http://openconext.org

Governance

Why does a project like OpenConext need a

governance model?

Every open source project has its own

management strategy

It is therefore critical to have clear

communication about its politics and strategies

…to potential users and developers

Sustainability!

89

Governance Model

Describes roles that project participants can

take on

Describes the process for decision making

within the project

Describes the ground rules for participation in

the project

Describes the processes for communicating

and sharing with project team and community

90

Governance Models

91

Governance Options

Do nothing aka leave it as it is

(SURFnet as benevolent dictator)

Create an independent entity out of

OpenConext

(like the MediaMosa Foundation)

Define a custom governance model

(like the MediaMosa Foundation)

92

MediaMosa Governance

93

Governance Barriers

the process is perceived as ‘red tape’

there is a concern that the project will lose its

sense of direction

it is felt that control of the project’s strategy will

be lost

the project is thought to be too young or to

small to attract active users or developers

94

Community Options

Join the Apereo Foundation

DIY (based om MediaMosa)

What about Terena Greenhouse?

95

Discussion

Given what you have seen, what usecase

would you have for OpenConext? What is

usefull, what is missing?

How important is formal governance

What kind of support tools would you expect?

What are your plans with OpenConext?

Would you consider using OpenConext and

become active member of the community?

96

Resources

Source code

All of OpenConext is hosted at https://github.com/openconext

OpenConext support tools and compatible services are available at

https://github.com/openconextapps

Community Website, including documentation

https://www.openconext.org

Support

Mailinglists: [email protected] and openconext-

[email protected]

97

https://github.com/openconext

https://github.com/openconextapps

https://www.openconext.org/

mailto:[email protected]

mailto:[email protected]

[email protected]

98

openconext workshop tnc2014

Software