During the 2014 TERENA Networking Conference (TNC2014) in Dublin, SURFnet will provide a workshop on OpenConext on Monday 19/05 (09:00 - 12:00).
Participants can explore the possibilities of OpenConext themselves.
This hands-on workshop introduces you to the concepts and components of OpenConext and its example use cases. In addition, participants will install the platform, configure it with the management tools, and connect services or identity providers to explore the potential of the platform themselves. Experts from SURFnet, Jisc and AARNet will be available to assist you, and there will be plenty of time for all of your questions as well as discussion on functionality, features and more. Join us for an interactive hands-on session and experience OpenConext yourself!
As users or people who are interested in OpenConext, you are especially welcome to share your use cases, knowledge and experiences.
2. Agenda
I: Introduction (Niels)
  Welcome & introductions
  Use cases
  OpenConext explained
  Features
  Components
  Break (15 min)
II: Hands-on (Niels)
  Installing OpenConext VM
  Basic activities
  Working with SAML
  Working with Groups
  Break (15 min)
III: Community and Future (Frans)
  Roadmap
  Community
  Governance
  Discussion
  Lunch
3. I: Introduction
4. Welcome & introductions
Introduction
Who are you, and why are you here?
Niels van Dijk
Frans Ward
Alexander Blanc
5. A bit of History
SURFgroepen platform (2006-2012)
~100.000 users, 13.000 groups
Any user can start a team
Sharepoint (docsharing) + Adobe Connect Webconferencing
Backend integration (LDAP)
BUT:
Hard/expensive to extend (No open standards!)
No Federated Login
Many feature requests from campus
6. SURFconext Vision (2009)
Create a coherent infrastructure of loosely coupled collaborative services, based on (emerging) Open Standards and enabled by access federations
13. OpenConext Building blocks
Identity Federations, SAML and attributes
Create and manage Groups
OpenSocial (VOOT) API and OAuth
A piece of middleware (a hub or proxy) that allows centrally managing interconnects and facilitates application integration
19. Groups
Any collaboration involves groups, either 'Ad hoc' or 'Institutional'
OpenConext facilitates the creation of groups of federated users
Ad hoc groups are managed centrally (Teams):
  Any acceptable user can become a group 'admin'
  Invite any other users
  Build groups from other groups
Institutional groups (Campus or VO) can be provided by external sources
Groups provide context for applications (but applications decide on AuthZ!)
Groups feature (only) 3 roles (admin, collabmin, member)
Group + VO Registry -> VO IdP
20. Attribute exchange
Attribute & Group information can be provided at logon
Many scenarios require out-of-band exchange
VOOT (http://openvoot.org/voot-2.0.html) REST API, based on OpenSocial
OAuth 2 & OAuth 1 (deprecated)
Draft SCIM implementation expected in 2014
SAML attribute query support on the way (both AA and client)
21. OpenConext platform (2009)
Do not start from Scratch
Add (a lot of) Glue
Component areas: SAML, Groups, Management
Components (and their origin):
  Shibboleth SP (Shibboleth Consortium)
  SimpleSAMLphp SP (Feide.no)
  Corto (WAYF)
  Janus (WAYF)
  Grouper (Internet2)
  Shindig (Apache)
22. OpenConext platform (Q1 2014)
Do not start from Scratch
Add (a lot of) Glue and more Glue
Component areas: SAML, Groups, Management
Components (and their origin):
  Shibboleth SP (Shibboleth Consortium)
  SimpleSAMLphp SP (Feide.no)
  SSP libraries
  Corto (WAYF/SURFnet)
  Janus (SURFnet)
  Grouper (Internet2)
  Shindig (Apache)
  Group Proxy, API & APIS
  Manage
  Teams
  Log handling
  Statistics
  OpenConext VM
24. Engine
SAML2.0 (WebSSO profile, saml2int.org) authentication proxy capable of acting as an IdP or SP
Engine relies on ServiceRegistry (SR) for configuring the entities.
SAML2 Metadata generation
WAYF Service
End user consent
Privacy and Authorization enforcement (ACL, ARP, vIdP)
Attribute Management:
  ARP
  Persistent/Transient NameID management
  Attribute Manipulation & Mapping
  urn:oid and urn:mace-dir attributes
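As an added example, not code from OpenConext or Engine, here is an attribute release policy (ARP) filter in Python: it applies an SP's per-attribute value patterns (including the wildcard matching the roadmap mentions) and maps between the urn:mace:dir and urn:oid attribute names named on the slide. The ARP format, the sample IdP attributes and the rule that an SP without an ARP receives everything are assumptions of this example, not a description of Engine's own rules.

```python
from fnmatch import fnmatchcase

# Both naming conventions from the Engine slide; the OIDs are the standard LDAP/eduPerson ones.
MACE_TO_OID = {
    "urn:mace:dir:attribute-def:mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "urn:mace:dir:attribute-def:displayName": "urn:oid:2.16.840.1.113730.3.1.241",
}
OID_TO_MACE = {oid: mace for mace, oid in MACE_TO_OID.items()}

# Constructed sample: what an IdP might release, in a mix of both naming styles.
SAMPLE_IDP_ATTRIBUTES = {
    "urn:mace:dir:attribute-def:mail": ["alice@example.org"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["alice@example.org"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["student", "member", "staff"],
    "urn:mace:dir:attribute-def:displayName": ["Alice Example"],
}
# Constructed sample ARP for one SP: attribute -> allowed value patterns.
# "*" releases every value; other patterns use shell-style wildcards.
SAMPLE_SP_ARP = {
    "urn:oid:0.9.2342.19200300.100.1.3": ["*"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["*@example.org"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["student", "staff"],
}

def to_oid_names(attrs):
    # Canonicalise names to urn:oid form, merging values released under both names.
    out = {}
    for name, values in attrs.items():
        merged = out.setdefault(MACE_TO_OID.get(name, name), [])
        for value in values:
            if value not in merged:
                merged.append(value)
    return out

def apply_arp(attrs, arp):
    # Attributes absent from the ARP are dropped; each value must match one of
    # the ARP's patterns. No ARP (None) releases everything (assumption here).
    attrs = to_oid_names(attrs)
    if arp is None:
        return attrs
    released = {}
    for name, patterns in arp.items():
        kept = [v for v in attrs.get(name, []) if any(fnmatchcase(v, p) for p in patterns)]
        if kept:
            released[name] = kept
    return released

def to_mace_names(attrs):
    # Rename for an SP that expects urn:mace names instead of urn:oid ones.
    return {OID_TO_MACE.get(name, name): values for name, values in attrs.items()}
```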
25. Service Registry
A web-based registry for managing SAML2 SP and IdP metadata, ARP and ACL information and OAuth key management
Based on JANUS (WAYF/SURFnet)
Features include:
  Versioning
  Metadata import and export
  Storing non-SAML data (e.g. OAuth)
  Storing 'business' data, e.g. policy information
26. Teams (& Grouper)
A federated end-user tool for self-service management of group relationships
Teams backend is Internet2's Grouper
Features include:
  create teams: invite and re-invite, request membership
  manage team members, assign basic roles
  combine groups from connected group providers into new (virtual) teams
27. OpenSocial/VOOT API, APIs & API Playground
API
  Exchange groups and person info using a standardized REST API
  Authorization based on OAuth v2 and OAuth v1 (deprecated)
  A group proxy (connect multiple group providers)
  The API supports three calls:
    Groups the user is a member of
    List other members of a group
    Attributes of a user
APIs
  OAuth2 authorization server that can handle multiple authorization servers and clients.
API Playground
  Testbed for application development and testing
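The three API calls, the group proxy over several providers, and the virtual teams built from other groups (Groups and Teams slides) as an added Python example, not OpenConext's own API code; the provider data, group ids and the rule that memberships inherited from an included group count as plain "member" are constructed assumptions, and OAuth token validation is reduced to already knowing which user the request is made for.

```python
ROLES = ("admin", "collabmin", "member")  # the only three roles a group has
# Constructed sample data for two connected group providers: the central Teams
# service and an institutional (campus) provider. Group ids are invented here.
PROVIDERS = {
    "teams": {"team:project-x": {
        "members": {"alice@example.org": "admin", "bob@example.org": "member"},
        "includes": ["campus:staff"]}},  # a virtual team built from another group
    "campus": {"campus:staff": {
        "members": {"bob@example.org": "collabmin", "carol@example.org": "member"},
        "includes": []}},
}
PERSONS = {  # constructed person attributes for the "attributes of a user" call
    "alice@example.org": {"displayName": "Alice", "mail": "alice@example.org"},
    "bob@example.org": {"displayName": "Bob", "mail": "bob@example.org"},
}

def find_group(group_id):
    # Ask every connected provider; None if no provider knows the group.
    return next((g[group_id] for g in PROVIDERS.values() if group_id in g), None)

def expand_members(group_id, seen=None):
    # Direct members plus members of included groups (flattened to "member";
    # a direct role wins). "seen" stops include cycles from recursing forever.
    seen = set() if seen is None else seen
    group = find_group(group_id)
    if group is None or group_id in seen:
        return {}
    seen.add(group_id)
    members = {}
    for included in group["includes"]:
        members.update(dict.fromkeys(expand_members(included, seen), "member"))
    for user, role in group["members"].items():
        assert role in ROLES, f"unknown role {role!r}"
        members[user] = role
    return members

def groups_of(user):
    # VOOT call 1: groups the user is a member of, with the user's role in each.
    found = ((gid, expand_members(gid)) for prov in PROVIDERS.values() for gid in prov)
    return {gid: members[user] for gid, members in found if user in members}

def list_members(requester, group_id):
    # VOOT call 2: members of a group, only for a requester who is in that group.
    members = expand_members(group_id)
    return members if requester in members else None

def person(user):
    # VOOT call 3: attributes of a user.
    return PERSONS.get(user)
```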
28. Mujina & Profile
Mujina
  Mujina mocks a SAML2 Identity and Service Provider (IdP & SP)
  Almost all characteristics of either the IdP or SP can be configured on-the-fly using a REST API
Profile
  View profile information (Attributes) that are currently registered at the OpenConext platform for the user;
  View the group providers and teams a user is a member of;
  Connect to additional group providers if these have been made available to the user;
  View and optionally revoke consent on released attributes;
  View EULA and privacy statements of connected Services
30. Break!
See you in 15 min!
31. II: Hands-on
32. Installing OpenConext VM
Work from a standard OpenConext VM: https://github.com/OpenConext/OpenConext-vm
Slightly prepped CentOS 6.5 (yum dependencies preinstalled)
OpenStack based VMs, 1 vCPU, 2 GB RAM, 40 GB disk
Add the key to your ssh client: "ssh-add OCworkshopTNC2014.pem"
Login to your VM using ssh: "ssh centos@145.100.180.XYZ"
Become root: "sudo su -"
Start the install: "bash OpenConext-vm-62/scripts/install_openconext.sh -i"
Follow the instructions, select defaults everywhere (also: create Certificates)
Add the hostnames and IP to your hosts file
Go to https://welcome.demo.openconext.org
Accept the self-signed certificates & CA
34. Basic activities
Login to Profile via Mujina IdP; learn a bit about Profile
Create a team and invite members; learn about Teams
Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry
Inspect SAML metadata, learn about Engine
Get debug login from Feide OpenIDP using Engine
Accept team invite using Feide OpenIDP
Inspect group config in Grouper
See group ACLs using Manage
Get oAuth config from ServiceRegistry
Query API in API playground to see group and person data
78. Keep Calm and REMOVE the OpenConext CA from your browser!
(it is publicly available in GitHub, so a browser that keeps trusting it will accept any certificate issued with that CA)
79. Break!
See you in 15 min!
80. III: Community and Future
81. Roadmap
Release 68 (SR/Janus):
  Unification of WAYF and SURFnet forks, keeping full history
  Introduced composer for dependencies
  Introduced doctrine for data access layer
  Add automated upgrade from last Janus (WAYF release) DB schema
  Explicitly keep track of the last revision of each entity in the DB to improve performance when having many entities and revisions.
  Get rid of separate ARPs. Move ARP to SP configuration
  Introduce wildcard matching of ARP values
  Introduce new r/w API for Janus.
82. Roadmap
Release 70 (Engine):
  Replace Corto and old libxml with the SimpleSAMLphp library as SAML library
  Reduce the time the SAML signing key is kept in memory
  Improved support for multiple SAML signing keys. Facilitate fast "hands off" rollover by allowing the SP to select the signing key to use
  Reduce writes to LDAP
  New GUI for Teams (Twitter Bootstrap)
83. Roadmap
Unplanned:
  OpenConext VM with credentials and other key config parameters in 1 file
  Introduce APIS as AuthZ service for public APIs
  Experimental support for OpenID Connect
  Experimental support for SCIM
  Experimental support for SAML AA and client
85. 'The realization of an open source project does not guarantee the creation of a community'
86. Community
Boosting the full potential of the OpenConext open source ecosystem
Goals:
  Create an active community
  Exchange ideas
  Promotion
  Learn from different use cases
89. Governance
Why does a project like OpenConext need a governance model?
Every open source project has its own management strategy
It is therefore critical to have clear communication about its politics and strategies ...to potential users and developers
Sustainability!
90. Governance Model
Describes roles that project participants can take on
Describes the process for decision making within the project
Describes the ground rules for participation in the project
Describes the processes for communicating and sharing with project team and community
92. Governance Options
Do nothing, aka leave it as it is (SURFnet as benevolent dictator)
Create an independent entity out of OpenConext (like the MediaMosa Foundation)
Define a custom governance model (like the MediaMosa Foundation)
94. Governance Barriers
the process is perceived as 'red tape'
there is a concern that the project will lose its sense of direction
it is felt that control of the project's strategy will be lost
the project is thought to be too young or too small to attract active users or developers
95. Community Options
Join the Apereo Foundation
DIY (based on MediaMosa)
What about Terena Greenhouse?
96. Discussion
Given what you have seen, what use case would you have for OpenConext? What is useful, what is missing?
How important is formal governance?
What kind of support tools would you expect?
What are your plans with OpenConext?
Would you consider using OpenConext and becoming an active member of the community?
97. Resources
Source code
  All of OpenConext is hosted at https://github.com/openconext
  OpenConext support tools and compatible services are available at https://github.com/openconextapps
Community Website, including documentation
  https://www.openconext.org
Support
  Mailing lists: openconext-users@list.surfnet.nl and openconext-dev@list.surfnet.nl