sur fnet open-conext-apereo2014

OpenConext: Open for Collaboration

Niels van Dijk

Technical Product Manager

SURFnet: the Dutch NREN

• SURFnet is the Dutch National Research & Education Network (NREN)

– Services, innovation, knowledge

– Not for profit

– Task organisation of Stichting SURF = ICT collaboration of higher education & research

• A small operation serving a large community:

– 85 employees

– 160 connected institutions

– 1 million end-users

– Turnover 35 million Euro; 1/3 innovation subsidies

SURFnet - We make innovation work 1

OpenConext


http://www.youtube.com/embed/kUpn568NSl0?hd=1

http://www.youtube.com/embed/kUpn568NSl0?hd=1

OpenConext Vision (2009)


Create a coherent infrastructure of loosely coupled

collaborative services, based on (emerging) Open

Standards and enabled by access federations

OpenConext Building blocks


Identity Federations, SAML and attributes

Create and manage Groups

OpenSocial (VOOT) API and oAuth

A piece of middleware (a hub or proxy) that allows centrally managing interconnects and facilitates application integration

OpenConext Use cases


• Collaboration Platform

• Service Delivery Platform

• Identity Federation hub

United Kingdom – JISCconext (JISC)

A Collabortion platform around email groups, will support about 1

million endusers

Australia (AARnet)

A service delivery for AARnet services in Australia and New Zealand

The Netherlands – SURFconext (SURFnet)

The middleware platform for the national hub-n-spoke Identity

Federation

JISCconext


https://tnc2014.terena.org/core/presentation/15

AARNet


https://tnc2014.terena.org/core/presentation/15

SURFconext


A next generation collaboration

infrastructure that creates new

opportunities to collaborate online

based on a combination of applications

from different providers.

Researchers, educators and students wish to select the tools that best

fit their online collaboration needs. Institutions and Collaborative

Organizations struggle with the integration of self-hosted services

with commercial cloud services. Service providers seek for ways to

make their services easily accessible for users in higher research

and education.

SURFconext is the platform to facilitate these needs.

Collaboration Platform


• Federated Authentication

• Centralized Groups

• Portals

Federated Authentication

Leverages secure, trusted authentication and Single Sign on for

Campus and Cloud applications

Centralized groups

Used for Adhoc collaborations and institutional groups

Portals

Bring together distributed services to provide end-users with a

coherent set of services

Service Delivery Platform


• Federated Authentication

• Attribute based Authorization

• National Procurement & Licencing

Create Trusted Services

By combining Identity Federation, privacy and data protection

regulations and license deal in one contract between Service

Provider and (all) Dutch institutions

Services Dashboard


Commercial Services


eScience Services


Collaborative Organisations


• Groups

• Distributes Services

• Attributes, roles and rights

Groups are core to collaboration

Any collaboration is based on groups. In R&E these groups are

dynamic and international;

Distributed Services

COs collaborate around distributes services. Managing and

maintaining many SP IdP interconnections is tough;

Attributes, roles and rights

Roles and rights are based on Attributes. COs need very different

attributes as compared to the attributes provided by the IdPs.

Example Cases


• WeNMR

• Virtual Campus Hub

WeNMR

Bringing together research teams in the structural biology and life

science area. The project offers a platform integrating services and

streamlining the computational approaches necessary for data

analysis and structural modelling.

Virtual Campus Hub

Create a virtual education portal for a joint programme, consisting

of applications made available by the partners involved in that

programme, and to which all relevant users have seamless access.

WeNMR


• Connect HPC to federation

• Federated Portal

WeNMR and eduGAIN


Partners in Virtual Campus Hub

Concept: virtual education portal for joint

programs

Components of Virtual Campus Hub

1. Inventory of the most important ICT barriers for international

collaboration in education.

2. Demo platform to prove that some of these barriers can be removed:

Easy access to partners’ applications (FIM)

More efficient and more flexible setup of online activities or online

participation in regular activities (UC hub)

Easier collaboration with industry (non-HE IdPs)

3. Vision on how to apply these insights and experiences in concrete

collaboration initiatives (e.g. international joint programs)

Demo portal (proof of concept)

Functionality:

• Access with your own account

to partners’ applications

• Create international groups

(virtual organizations)

• Single sign-on access through

simple website

(https://vch.tue.nl)

12-06-2013

https://vch.tue.nl/

IdPs connected to VCH

2204-10-2012

Enabling international collaboration:

National (NRENs) and European (Géant)

12-06-2013

Results

• Connections realized for several identity providers (IdPs)

and applications (SPs).

• Cloud service (DTU itslearning) connected to VCH

• Scalability of concept shown (by adding extra IdPs)

• Knowledge and experience with respect to using Géant-

eduGAIN

2412-06-2013

OpenConext Building blocks


Identity Federations, SAML and attributes

Create and manage Groups

OpenSocial (VOOT) API and Oauth

A piece of middleware (a hub or proxy) that allows centrally managing interconnects and facilitates application integration

Identity Federation


Groups


Any collaboration involves groups, either ‘AdHoc’, or ‘Institutional’

OpenConext facilitates the creation of groups of federated users

Adhoc Groups are managed centrally (Teams) Any acceptable user can become a group 'admin‘

Invite any other users

Build groups from other groups

Institutional Groups (Campus or VO) can be provided by external sources

Groups provide context for applications (but applications decide on AuthZ!)

Groups feature (only) 3 roles (admin, collabmin, member)

Group + VO Registry -> VO IdP

Attributes


Attribute & Group information can be provided at logon

Many scenarios require out of band exchange

VOOT (http://openvoot.org/voot-2.0.html) REST API, based on OpenSocial

oAuth2 & oAuth 1 (deprecated)

Draft SCIM implementation expected in 2014

SAML attribute query support on the way (both AA and client)

http://openvoot.org/voot-2.0.html

OpenConext – The platform (2009)


Do not start from Scratch

Add (a lot of) Glue

SAML Groups Management

Shibboleth SP(Shibboleth Consortium)

Grouper(Internet2)

Janus(WAYF)

SimpleSAMLphp SP(Feide.no)

Shindig (Apache)

Corto(WAYF)

Teams

OpenConext – The platform (Q1 2014)


Do not start from Scratch

Add (a lot of) Glue and even more Glue

SAML Groups Management

Shibboleth SP(Shibboleth Consortium)

Grouper(Internet2)

Janus(SURFnet)

SimpleSAMLphp SP(Feide.no)

Shindig(Apache)Group Proxy, API & APIS

Manage

Corto(WAYF/SURFnet)SSP libraries

Teams (v2) Log handling & StatisticsOpenConext VM

OpenConext – Overview


OpenConext – Meshing a Hub


Source: Neil Witheridge, AARNet

How OpenConext helps


• Groups

• Distributed Services

• Attributes, roles and rights

Manage and share Groups

OpenConext provides a centralized group provider and allows

linking external group providers;

Centrally manage services and identity stores

SP and IdP connections can be manage centrally, including Access

and Attribute Release Policies;

Use Attributes, roles and rights for Authorization

Manage, transform and filter attributes and group (membership)

both at logon as well as when queried out-of-band.

OpenConext VM


• Run your own OpenConext platform

• CentOS/Redhat, 10 min setup

• For demo, development and playing around

https://github.com/OpenConext/OpenConext-vm

https://github.com/OpenConext/OpenConext-vm

More information


• SURFconext

• OpenConext

SURFconext

http://www.surf.nl/en/services-and-products/surfconext/index.html

OpenConext

All of OpenConext is hosted at https://github.com/openconext

OpenConext support tools and compatible services are available at

https://github.com/openconextapps

Community Website, including documentation

https://www.openconext.org

Support

Mailinglists: [email protected] and [email protected]

https://github.com/openconext

https://github.com/openconextapps

https://www.openconext.org/

mailto:[email protected]

mailto:[email protected]

niels.vandijk[at]surfnet.nl

@cdr80

cdr80

www.surfnet.nl

+31 30 2 305 305

Creative Commons “Attribution” license:

http://creativecommons.org/licenses/by/3.0/

W