During the 2014 TERENA Networking Conference (TNC2014) in Dublin, SURFnet will provide a workshop on OpenConext on Monday 19/05 (09:00 - 12:00). Participants can explore the possibilities of OpenConext themselves. This hands-on workshop introduces you to the concepts and components of OpenConext and its example use cases. In addition participants will install the platform and be able configure the platform with the management tools, connect services or identity providers to explore the potential of the platform yourself. Experts of SURFnet, Jisc and AARnet will be available to assist you and there will plenty of time for all of your questions as well as discussion on functionality, features and more. Join us for an interactive hands-on session and experience OpenConext yourself! As users or people who are interested in OpenConext you are especially welcome to share your use-cases, knowledge and experiences.

1. “Open for Collaboration”
Terena Networking Conference 2014, Dublin

2. Agenda
I: Introduction
(Niels)
II: Hands-on
(Niels)
III: Community and Future
(Frans)
 Welcome & introductions
 Use cases
 OpenConext explained
 Features
 Components
 Installing OpenConext VM
 Basic activities
 Working with SAML
 Working with Groups
 Roadmap
 Community
 Governance
 Discussion
Break (15 min) Break (15 min) Lunch
2

3. I: Introduction
I: Introduction
(Niels)
II: Hands-on
(Niels)
III: Community and Future
(Frans)
 Welcome & introductions
 Use cases
 OpenConext explained
 Features
 Components
 Installing OpenConext VM
 Basic activities
 Working with SAML
 Working with Groups
 Roadmap
 Community
 Governance
 Discussion
Break (15 min) Break (15 min) Lunch
2

4. Welcome & introductions
 Introduction
 Who are you, and why are you here?
4
Niels
van Dijk
Frans
Ward
Alexander
Blanc

5. A bit of History
 SURFgroepen platform (2006-2012)
 ~100.000 users, 13.000 groups
 Any user can start a team
 Sharepoint (docsharing) + Adobe Connect Webconferencing
 Backend integration (LDAP)
BUT:
 Hard/expensive to extend (No open standards!)
 No Federated Login
 Many feature requests from campus
5

6. SURFconext Vision (2009)
 Create a coherent infrastructure of loosely
coupled collaborative services, based on
(emerging) Open Standards and enabled by
access federations
6

7. OpenConext
7

8. Use Cases – Federation Hub
8

9. Use Cases – SURFconext
9

10. Use Cases – Service Delivery
10

11. Use Cases – Collab Platform
11

12. Use Cases – Collab Platform
12

13. OpenConext Building blocks
 Identity Federations, SAML and attributes
 Create and manage Groups
 OpenSocial (VOOT) API and oAuth
 A piece of middleware (a hub or proxy) that allows centrally managing
interconnects and facilitates application integration
13

14. Identity federation
14

15. Identity federation
15

16. Identity federation
16

17. Identity federation
17

18. Attributes
18

19. Groups
 Any collaboration involves groups, either ‘AdHoc’, or ‘Institutional’
 OpenConext facilitates the creation of groups of federated users
 Adhoc Groups are managed centrally (Teams)
 Any acceptable user can become a group 'admin‘
 Invite any other users
 Build groups from other groups
 Institutional Groups (Campus or VO) can be provided by external sources
 Groups provide context for applications (but applications decide on AuthZ!)
 Groups feature (only) 3 roles (admin, collabmin, member)
 Group + VO Registry -> VO IdP
19

20. Attribute exchange
 Attribute & Group information can be provided at logon
 Many scenarios require out of band exchange
 VOOT (http://openvoot.org/voot-2.0.html) REST API, based on OpenSocial
 oAuth2 & oAuth 1 (deprecated)
 Draft SCIM implementation expected in 2014
 SAML attribute query support on the way (both AA and client)
20

21. OpenConext platform (2009)
 Do not start from Scratch
 Add (a lot of) Glue
SAML Groups Management
Shibboleth SP
(Shibboleth Consortium)
Grouper
(Internet2)
Janus
(WAYF)
SimpleSAMLphp SP
(Feide.no)
Shindig
(Apache)
Corto
(WAYF)
21

22. Openconext platform (Q1 2014)
 Do not start from Scratch
 Add (a lot of) Glue and more Glue
SAML Groups Management
Shibboleth SP
(Shibboleth Consortium)
Grouper
(Internet2)
Janus
(SURFnet)
SimpleSAMLphp SP
(Feide.no)
Shindig
(Apache)
Group Proxy, API & APIS
Manage
Corto
(WAYF/SURFnet)
SSP libraries
Teams Log handling
Statistics
OpenConext VM
22

23. Components
23

24. Engine
 SAML2.0 (WebSSO profile, saml2int.org) authentication proxy capable of
acting as an IdP or SP
 Engine relies on ServiceRegistry (SR) for configuring the entities.
 SAML2 Metadata generation
 WAYF Service
 End user consent
 Privacy and Authorization enforcement (ACL, ARP, vIdP)
 Attribute Management
 ARP
 Persistent/Transient NameID management
 Attribute Manipulation & Mapping
 urn:oid and urn:mace-dir attributes
24

25. Service Registry
 A web-based registry for managing SAML2 SP and IdP metadata, ARP and
ACL information and oAuth key management
 Based on JANUS (WAYF/SURFnet)
 Features include
 Versioning
 Metadata import and export,
 Storing non SAML data (e.g. oAuth)
 Storing ‘business’ data, like e.g. policy information
25

26. Teams (& Grouper)
 A federated end-user tool for self-service management of group
relationships
 Teams backend is Internet2's Grouper
 Features include:
 create teams: invite and re-invite, request membership
 manage team members, assign basic roles
 combine groups from connected group providers into new (virtual)
teams
26

27. OpenSocial/VOOT API,
APIs & API Playground
 API
 Exchange groups and person info using a standardized REST API
 Authorization based on oAuth v2 and oAuth v1 (deprecated)
 A group proxy (connect multiple group providers)
 The API supports three calls:
 Groups the user is a member of
 List other members of a group
 Attributes of a user
 APIs
 OAuth2 authorization server that can handle multiple authorization
servers and clients.
 API Playground
 Testbed for application development and testing
27

28. Mujina & Profile
 Mujina
 Mujina mocks a SAML2 Identity and Service Provider (IdP & SP)
 Almost all characteristics of either the IdP or SP can be configured on-
the-fly using a REST API
 Profile
 View profile information (Attributes) that are currently registered at the
OpenConext platform for the use;
 View the group providers and teams a user is a member of;
 Connect to addition group providers if these have been made available to the
user;
 View and optionally revoke consent on released attributes;
 View EULA and privacy statements of connected Services
28

29. Components
29

30. Break!
 See you in 15 min!
30
I: Introduction
(Niels)
II: Hands-on
(Niels)
III: Community and Future
(Frans)
 Welcome & introductions
 Use cases
 OpenConext explained
 Features
 Components
 Installing OpenConext VM
 Basic activities
 Working with SAML
 Working with Groups
 Roadmap
 Community
 Governance
 Discussion
Break (15 min) Break (15 min) Lunch

31. II: Hands-on
31
I: Introduction
(Niels)
II: Hands-on
(Niels)
III: Community and Future
(Frans)
 Welcome & introductions
 Use cases
 OpenConext explained
 Features
 Components
 Installing OpenConext VM
 Basic activities
 Working with SAML
 Working with Groups
 Roadmap
 Community
 Governance
 Discussion
Break (15 min) Break (15 min) Lunch

32. Installing OpenConext VM
 Work from a standard OpenConext VM
https://github.com/OpenConext/OpenConext-vm
 Slightly prepped CentOS 6.5 (yum dependencies preinstalled)
 OpenStack based VMs, 1 vCPUs, 2 Gb ram, 40 Gb Disk
 Add key to your ssh client: “ssh-add OCworkshopTNC2014.pem”
 Login to your VM using ssh: “ssh centos@145.100.180.XYZ”
 Become root: “sudo su –”
 Start install “bash OpenConext-vm-62/scripts/install_openconext.sh –i”
 Follow the instructions, select defaults everywhere (also: create Certificates)
 Add hostnames and IP to your hosts file
 Go to https://welcome.demo.openconext.org
 Accept self signed certificates & CA 32

33. Welcome to OpenConext
33

34. Basic activities
 Login to Profile via Mujina IdP; learn a bit about Profile
 Create a team and invite members; learn about Teams
 Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry
 Inspect SAML metadata, learn about Engine
 Get debug login from Feide OpenIDP using Engine
 Accept team invite using Feide OpenIDP
 Inspect group config in Grouper
 See group ACLs using Manage
 Get oAuth config from ServiceRegistry
 Query API in API playground to see group and person data
34

35. Basic activities
 Login to Profile via Mujina IdP; learn a bit about Profile
 Create a team and invite members; learn about Teams
 Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry
 Inspect SAML metadata, learn about Engine
 Get debug login from Feide OpenIDP using Engine
 Accept team invite using Feide OpenIDP
 Inspect group config in Grouper
 See group ACLs using Manage
 Get oAuth config from ServiceRegistry
 Query API in API playground to see group and person data
35

36. Profile, Mujina and Teams
36

37. OpenConext WAYF
37

38. Mujina IdP
38

39. End-user Consent
39

40. Profile
40

41. Teams - Login
41

42. Teams – Create new Team
42

43. Teams – Create new Team
43

44. Teams and members
44

45. Inviting members
45

46. Inviting members
46

47. Login via OpenIdP
47

48. Oeps!
48

49. Simple activities
 Login to Profile via Mujina IdP; learn a bit about Profile
 Create a team and invite members; learn about Teams
 Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry
 Inspect SAML metadata, learn about Engine
 Get debug login from Feide OpenIDP using Engine
 Accept team invite using Feide OpenIDP
 Inspect group config in Grouper
 See group ACLs using Manage
 Get oAuth config from ServiceRegistry
 Query API in API playground to see group and person data
49

50. ServiceRegistry and Engine
50

51. ServiceRegistry
51

52. ServiceRegistry
52

53. ServiceRegistry
53

54. ServiceRegistry
54

55. ServiceRegistry
55

56. ServiceRegistry
56

57. Engine - Testing IdPs
57

58. Simple activities
 Login to Profile via Mujina IdP; learn a bit about Profile
 Create a team and invite members; learn about Teams
 Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry
 Inspect SAML metadata, learn about Engine
 Get debug login from Feide OpenIDP using Engine
 Accept team invite using Feide OpenIDP
 Inspect group config in Grouper
 See group ACLs using Manage
 Get oAuth config from ServiceRegistry
 Query API in API playground to see group and person data
58

59. Ok, back to my Team
59

60. Ok, back to my Team
60

61. Teams – Accept Invite
61

62. Teams – Accept Invite
62

63. Teams – Accept Invite
63

64. Teams – Accept Invite
64

65. Grouper – Behind the Scenes
65

66. Grouper - details
66

67. Manage - Group ACLs
67

68. Manage – Setting Group ACLs
68

69. Manage – Add new group providers
69

70. Simple activities
 Login to Profile via Mujina IdP; learn a bit about Profile
 Create a team and invite members; learn about Teams
 Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry
 Inspect SAML metadata, learn about Engine
 Get debug login from Feide OpenIDP using Engine
 Accept team invite using Feide OpenIDP
 Inspect group config in Grouper
 See group ACLs using Manage
 Get oAuth config from ServiceRegistry
 Query API in API playground to see group and person data
70

71. ServiceRegisty – oAuth keys
71

72. API Playground
72

73. API Playground
73

74. Authorization Grant
74

75. API Playground
75

76. My Groups!
76

77. Simple activities
 Login to Profile via Mujina IdP; learn a bit about Profile
 Create a team and invite members; learn about Teams
 Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry
 Inspect SAML metadata, learn about Engine
 Get debug login from Feide OpenIDP using Engine
 Accept team invite using Feide OpenIDP
 Inspect group config in Grouper
 See group ACLs using Manage
 Get oAuth config from ServiceRegistry
 Query API in API playground to see group and person data
77

78. Keep Calm and
REMOVE
the OpenConext CA
from your browser!
(it is publicly available in GitHub)
78

79. Break!
 See you in 15 min!
79
I: Introduction
(Niels)
II: Hands-on
(Niels)
III: Community and Future
(Frans)
 Welcome & introductions
 Use cases
 OpenConext explained
 Features
 Components
 Installing OpenConext VM
 Basic activities
 Working with SAML
 Working with Groups
 Roadmap
 Community
 Governance
 Discussion
Break (15 min) Break (15 min) Lunch

80. III: Community and Future
80
I: Introduction
(Niels)
II: Hands-on
(Niels)
III: Community and Future
(Frans)
 Welcome & introductions
 Use cases
 OpenConext explained
 Features
 Components
 Installing OpenConext VM
 Basic activities
 Working with SAML
 Working with Groups
 Roadmap
 Community
 Governance
 Discussion
Break (15 min) Break (15 min) Lunch

81. Roadmap
Release 68 (SR/Janus):
 Unification of WAYF and SURFnet forks, keeping full history
 Introduced composer for dependencies
 Introduced doctrine for data access layer
 Add automated upgrade from last Janus (WAYF release) DB schema
 Explicitly keep track of the last revision of each entity in the DB to improve
performance when having many entities and revisions.
 Get rid of separate ARPs. Move ARP to SP configuration
 Introduce wildcard matching of ARP values
 Introduce new r/w API for Janus.
81

82. Roadmap
Release 70 (Engine):
 Replace corto and old libxml with SimpleSAMLphp library as SAML library
 Reduce the time SAML signing key is kept memory
 Improved support for multiple SAML signing keys. Facilitate fast "hands off"
rollover by allowing the SP to select the signing key to use
 Reduce writes to LDAP
 New GUI for Teams (Twitter Bootstrap)
82

83. Roadmap
Unplanned:
 OpenConext VM with credentials and other key config parameters in 1 file
 Introduce APIS as AuthZ service for public APIs
 Experimental support for OpenIdConect
 Experimental support for SCIM
 Experimental support for SAML AA and client
83

84. Open Source is…
License
Product
Community
84

85. ‘The realization of an
open source
project
does not guarantee
the creation of a
community’
85

86. Community
Boosting the full potential of the OpenConext open
source ecosystem
Goals:
 Create an active community
 Exchange ideas
 Promotion
 Learn from different use cases
86

87. 87

88. http://openconext.org
88

89. Governance
Why does a project like OpenConext need a
governance model?
 Every open source project has its own
management strategy
 It is therefore critical to have clear
communication about its politics and strategies
 …to potential users and developers
 Sustainability!
89

90. Governance Model
 Describes roles that project participants can
take on
 Describes the process for decision making
within the project
 Describes the ground rules for participation in
the project
 Describes the processes for communicating
and sharing with project team and community
90

91. Governance Models
91

92. Governance Options
 Do nothing aka leave it as it is
(SURFnet as benevolent dictator)
 Create an independent entity out of
OpenConext
(like the MediaMosa Foundation)
 Define a custom governance model
(like the MediaMosa Foundation)
92

93. MediaMosa Governance
93

94. Governance Barriers
 the process is perceived as ‘red tape’
 there is a concern that the project will lose its
sense of direction
 it is felt that control of the project’s strategy will
be lost
 the project is thought to be too young or to
small to attract active users or developers
94

95. Community Options
 Join the Apereo Foundation
 DIY (based om MediaMosa)
 What about Terena Greenhouse?
95

96. Discussion
 Given what you have seen, what usecase
would you have for OpenConext? What is
usefull, what is missing?
 How important is formal governance
 What kind of support tools would you expect?
 What are your plans with OpenConext?
 Would you consider using OpenConext and
become active member of the community?
96

97. Resources
Source code
 All of OpenConext is hosted at https://github.com/openconext
 OpenConext support tools and compatible services are available at
https://github.com/openconextapps
Community Website, including documentation
 https://www.openconext.org
 Support
 Mailinglists: openconext-users@list.surfnet.nl and openconext-
dev@list.surfnet.nl
97

98. info@openconext.org
98