Feide Connect

Post on 04-Jul-2015


DESCRIPTION

Next Generation Service Platform for Advanced Services for Higher Education in Norway.

TRANSCRIPT

«Feide Connect»

Next generation service platform for advanced services and collaboration services for higher education.

Andreas Åkre Solberg, andreas.solberg@uninett.no


Once upon a time

Web Single Sign-On with Feide was sufficient to provide a seamless user experience across services.

Collaboration on Internet

✤ Dynamic working groups spanning multiple organizations work together using digital collaboration tools:

✤ A wiki

✤ Document sharing tool

✤ Meeting planner and calendar

✤ A Web meeting tool

✤ A web forum or mailing list


Authentication

Feide is based upon SAML 2.0.

Rather complex, which results in relatively high integration cost for Service Providers.

Limited to the «login request -> response» flow.

Trends in consumer markets (Facebook, Google, Twitter, LinkedIn, Salesforce)

From enterprise protocols towards APIs / REST and OAuth

Providers need to offer APIs and third-party integration anyway: OAuth.

It is easy to establish a simple authentication protocol (userinfo) on top of that:

OpenID Connect

Built-in support for cross-federation (eduGAIN, Kalmar) and guest users.

October 23, 2013

Feide Connect

New architecture

API-based instead of SSO-flow

OAuth + authentication

Makes use of Feide (without changes)

Offers additional services

Better support for mobile, desktop etc.

API Authorization Management

Extremely simple integration for Service Providers

Low bar of entry (for students, non-commercial use, etc.)


[Architecture diagram with the labels: Feide Connect, Feide, Feide service, third-party client / integration, service backend, API, web app, mobile app; platform components: storage, people search, groups, API authz, activity streams]


Groups and roles


API Service

Base layer: builds groups from Feide attributes

Connector to FS: courses, study programmes and more.

Support for ad-hoc groups: anyone can create groups for their collaboration needs. Cross-organizational groups.

Support for custom external connectors to an institution's authoritative source of group data.

[Architecture diagram with the labels: Feide Connect, Feide, Feide service, third-party client / integration, FS, web app, mobile app; platform components: storage, people search, Groups, API authz, activity streams; group sources: AdHoc, Ext Connectors]

Ad-hoc group management front-end


People Search


Separate People Search API

Authenticated API

Also available as a JS library

And as a Federated Widget

Relies on already public information

Better user experience to search for real user names than to add user IDs.

Activity Streams


One activity stream per group.

Generic information model

Activities posted to one or more groups

User interfaces

WebApp frontend

Mobile app frontend

Widgets

API

Activity Streams

[Activity stream mockup with sample entries: Andreas created a wiki page «welcome!» at Agora; Armaz shared a file «architecture.pdf» at Cloudstor; Simon scheduled a new meeting; Andreas confirmed and will attend meeting; A new user Thorleif is added to the group]


Notifications

The most important activity updates

Email and mobile push notifications

Personal preferences

Federated Widgets


Embed content on remote site

Challenge:

secure environment

authentication

adopt context

Widgets adopt context


Widgets in a separate security domain

Communicates with the surroundings

Harmonized references: activities, users and groups, as well as time and location.


Federated Widgets

[Widget screenshot: Web meeting using Adobe Connect, with a «Join meeting» button]


Feed widget: shows an aggregated feed of activities for the currently selected group across all collaboration tools.

Share widget: can be easily integrated anywhere. Shares a link to the current web page to the activity stream for the current user in a selected group context.

Open Data


Universities have an increasing interest in sharing their data using APIs.

Motivates growth of new, innovative and better services for employees and students.

Privacy is very important!

It is complex to provide an authentication model for delegated access to personal data.


API Authorization Management


Registering a new API Gatekeeper


Managing an API

› Trust

› Scope management

› Statistics

› Authorization workflow


Public API Information Page

› OAuth connection details

› Link to register and request access


Registration of new clients

Third parties register new clients and request access to API scopes.


API Authorization workflow

API owner grants access to new clients.

› Clients are bound to authenticated users / organizations


The platform will make sure end users accessing the clients are authenticated (using Feide).

The API owner does not have to think about Feide.


API Authorization Dialog


Feide Connect establishes a trusted channel with your API

› Adds information in HTTP headers, with:

› User info

› Groups

› Client info and scopes
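As an added example (not code from the deck or the Feide Connect project), a backend receiving requests forwarded by the platform as described above: it reads the injected user, group and client/scope headers only after checking that the request came over the trusted channel, so a caller that bypasses the gateway cannot spoof them. The header names and the HMAC-based channel check are assumptions; the slides do not specify either.

```python
import hashlib
import hmac

# Assumed header names: the slides say only that user info, groups and
# client info/scopes arrive in HTTP headers, not what the headers are called.
SIGNATURE_HEADER = "X-Gateway-Signature"
SIGNED_HEADERS = ("X-User-Id", "X-User-Groups", "X-Client-Id", "X-Client-Scopes")

# Constructed secret. Assumption: the platform's trusted channel is modelled
# here as an HMAC over the injected headers; mTLS or a private network would
# serve the same purpose of proving the headers came from the gateway.
GATEWAY_SECRET = b"constructed-example-secret"


def sign_headers(headers, secret=GATEWAY_SECRET):
    """HMAC the gateway would attach; used below to build the sample request."""
    canonical = "\n".join(f"{n}:{headers.get(n, '')}" for n in SIGNED_HEADERS)
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def principal_from_headers(headers, secret=GATEWAY_SECRET):
    """Return the caller's identity only if the headers are gateway-signed."""
    # A direct caller that skips the platform and spoofs X-User-* headers
    # fails the constant-time signature check and is treated as anonymous.
    provided = headers.get(SIGNATURE_HEADER, "").encode()
    expected = sign_headers(headers, secret).encode()
    if not hmac.compare_digest(provided, expected):
        return None
    return {
        "user": headers.get("X-User-Id", ""),
        "groups": [g for g in headers.get("X-User-Groups", "").split(",") if g],
        "client": headers.get("X-Client-Id", ""),
        "scopes": set(headers.get("X-Client-Scopes", "").split()),
    }


def authorize(headers, required_scope, group=None):
    """Trusted channel first, then client scope, then optional group membership."""
    p = principal_from_headers(headers)
    if p is None:
        return "reject: not from gateway"
    if required_scope not in p["scopes"]:
        return f"reject: client {p['client']} lacks scope {required_scope}"
    if group is not None and group not in p["groups"]:
        return f"reject: user {p['user']} not in group {group}"
    return "allow"


# Constructed sample request as the gateway would forward it to the backend.
SAMPLE = {"X-User-Id": "kari@example.org", "X-User-Groups": "adhoc:agora,org:example",
          "X-Client-Id": "wiki-app", "X-Client-Scopes": "userinfo groups"}
SAMPLE[SIGNATURE_HEADER] = sign_headers(SAMPLE)
```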

Self-Service and Scalability


Priority #1: everything is self-service

Well-designed authorization workflows. Focus on «one-click» grant, when moderation is needed at all.

Will run on HA infrastructure


International Collaboration


Any student or employee in Europe should be able to log in with their local credentials through the platform.

Established cross-federation connections through eduGAIN and Kalmar.

Collaboration on harmonizing group definitions and exchange protocols with other countries. Collaboration through GÉANT, Terena and NordForum.

Standardization: OAuth, OpenID Connect, SCIM, OpenSocial, ActivityStreams, misc. W3C


Piloting with Institutions


Allow access to login through Feide

Set up access for People Search (directory access)

Register a set of test users with additional privileges

Integration with FS for groups and roles

Integration with external connectors

Testing of API authorization

Real-user testing of collaboration tools


Plans forward
