«Feide Connect»: Next generation service platform for advanced services and collaboration services for higher education. Andreas Åkre Solberg, [email protected]

Feide Connect


DESCRIPTION

Next Generation Service Platform for Advanced Services for Higher Education in Norway.


Page 1: Feide Connect

«Feide Connect»: Next generation service platform for advanced services and collaboration services for higher education.

Andreas Åkre Solberg, [email protected]

Page 2: Feide Connect

Once upon a time

Web Single Sign-On with Feide was sufficient to provide a seamless user experience across services.

Page 3: Feide Connect

Collaboration on Internet

✤ Dynamic working groups spanning multiple organizations work together using digital collaboration tools:

✤ A wiki

✤ Document sharing tool

✤ Meeting planner and calendar

✤ A Web meeting tool

✤ A web forum or mailinglist


Page 4: Feide Connect
Page 5: Feide Connect

Authentication

Feide is based upon SAML 2.0.

Rather complex, which results in a relatively high integration cost for Service Providers.

Limited to the «login request -> response» flow: few opportunities beyond it.

Trends in consumer markets (Facebook, Google, Twitter, LinkedIn, Salesforce):

From enterprise protocols towards APIs / REST and OAuth.

Providers need to offer APIs and third-party integration anyway: OAuth.

Easy to establish a simple authentication protocol (userinfo) on top of that: OpenID Connect.

Built-in support for cross-federation (eduGAIN, Kalmar) and guest users.

October 23, 2013

Page 6: Feide Connect

New architecture

API-based instead of SSO-flow

OAuth + authentication

Makes use of Feide (without changes)

Offers additional services

Better support for mobile, desktop etc.

API Authorization Management

Extremely simple integration for Service Providers

Low bar of entry (for students, non-commercial use, etc.)

[Architecture diagram: Feide Connect / Feide; Feide service; third-party client / integration; service backend; API; web app / mobile app; platform components: storage, person search, groups, API authz, activity streams]

Page 7: Feide Connect

Groups and roles


Page 8: Feide Connect

Groups and roles


API Service

Base layer: builds groups from Feide attributes

Connector to FS: courses (emner), study programmes (studieretning) and more.

Support for ad-hoc groups: anyone can create groups for their collaboration needs. Cross-organizational groups.

Support for custom external connectors to an institution's authoritative source of group data.

[Architecture diagram: Feide Connect / Feide; Feide service; third-party client / integration; FS; web app / mobile app; platform components: storage, person search, Groups, API authz, activity streams; group sources: ad-hoc groups and external connectors]

Page 9: Feide Connect

Ad-hoc group management front-end


Page 10: Feide Connect

People Search


Separate People Search API

Authenticated API

Also available as a JS library

And as a Federated Widget

Relies on already public information

Better user experience to search for real user names than to type in user IDs.

Page 11: Feide Connect

Activity Streams


Page 12: Feide Connect

One activity stream per group.

Generic information model.

Activities posted to one or more groups.

User interfaces:

WebApp frontend

Mobile app frontend

Widgets

API

[Activity stream mockup: «Andreas created a wiki page «welcome!» at Agora»; «Armaz shared a file «architecture.pdf» at Cloudstor»; «Simon scheduled a new meeting»; «Andreas confirmed and will attend meeting»; «A new user Thorleif is added to the group»]

Page 13: Feide Connect


Page 14: Feide Connect

Notifications

The most important activity updates.

Email and mobile push notifications.

Personal preferences.

Page 15: Feide Connect

Federated Widgets


Page 16: Feide Connect

Federated Widgets


Embed content on remote site

Challenge:

secure environment

authentication

adopt context

Page 17: Feide Connect

Widgets adopt context

Widgets in a separate security domain.

Communicate with their surroundings.

Harmonized references: activities, users and groups, as well as time and location.

Page 18: Feide Connect

Federated Widgets

[Widget mockup: «Webmeeting using Adobe Connect» with a «Join meeting» button]

Page 19: Feide Connect

Feed Widget: shows an aggregated feed of activities for the currently selected group across all collaboration tools.

Share Widget: can be easily integrated anywhere. Shares a link to the current web page to the activity stream for the current user in a selected group context.

Page 20: Feide Connect

Open Data


Page 21: Feide Connect

Open Data

Universities have an increasing interest in sharing their data using APIs.

This motivates growth of new, innovative and better services for employees and students.

Privacy is very important!

It is complex to provide an authentication model for delegated access to personal data.

Page 22: Feide Connect

API Authorization Management


Page 23: Feide Connect


Registering a new API Gatekeeper

Page 24: Feide Connect

Managing an API

› Trust

› Scope management

› Statistics

› Authorization workflow

Page 25: Feide Connect

Public API Information Page

› OAuth connection details

› Link to register and request access

Page 26: Feide Connect

Registration of new clients

Third parties register new clients and request access to API scopes.

Page 27: Feide Connect

API Authorization workflow

API owner grants access to new clients.

› Clients are bound to authenticated users / organizations.

Page 28: Feide Connect

The platform will make sure end users accessing the clients are authenticated (using Feide). The API owner does not have to think about Feide.

Page 29: Feide Connect


API Authorization Dialog

Page 30: Feide Connect

Feide Connect establishes a trusted channel with your API.

› Adds information in HTTP headers, with:

› User info

› Groups

› Client info and scopes
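With this pattern the API backend takes identity from HTTP headers rather than from a token it validated itself, so the backend must be able to tell that those headers really were set by the gateway; a request that reaches the backend by any other path could otherwise carry arbitrary user, group or scope headers. The following is an added example, not Feide Connect's code or its actual header contract: it assumes made-up header names (X-Connect-*), a shared-secret HMAC over the forwarded headers plus a timestamp as the trust mechanism, and constructed sample values. It shows the gateway side producing the headers and the API side verifying them before enforcing a scope check and a group-membership check.

```python
import hashlib
import hmac
import time

# Assumed, not Feide Connect's real contract: header names, the HMAC-over-headers
# trust mechanism and the shared secret are all constructed for this example.
SHARED_SECRET = b"constructed-example-secret"   # in practice provisioned out of band
MAX_SKEW_SECONDS = 300                          # reject signatures older than this

SIGNED_HEADERS = (
    "X-Connect-User",       # user info
    "X-Connect-Groups",     # comma-separated group identifiers
    "X-Connect-Client",     # client info
    "X-Connect-Scopes",     # space-separated scopes granted to the client
    "X-Connect-Timestamp",  # unix time at which the gateway signed the request
)


class Forbidden(Exception):
    """Raised when the request must not reach the API's business logic."""


def _canonical(headers):
    """Fixed-order, lower-cased name:value lines so both sides sign identical bytes."""
    return "\n".join(f"{h.lower()}:{headers.get(h, '')}" for h in SIGNED_HEADERS).encode()


def _signature(headers, secret):
    return hmac.new(secret, _canonical(headers), hashlib.sha256).hexdigest()


def gateway_forward(user, groups, client_id, scopes, now=None, secret=SHARED_SECRET):
    """Gateway side: the headers the platform would add on the trusted channel."""
    headers = {
        "X-Connect-User": user,
        "X-Connect-Groups": ",".join(groups),
        "X-Connect-Client": client_id,
        "X-Connect-Scopes": " ".join(scopes),
        "X-Connect-Timestamp": str(int(time.time() if now is None else now)),
    }
    headers["X-Connect-Signature"] = _signature(headers, secret)
    return headers


def verify_trusted_channel(headers, now=None, secret=SHARED_SECRET):
    """API side: only accept identity headers that carry a fresh, valid gateway signature."""
    presented = headers.get("X-Connect-Signature", "")
    expected = _signature(headers, secret)
    # Constant-time comparison; editing any signed header changes the expected value.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        raise Forbidden("identity headers are not signed by the gateway")
    try:
        signed_at = int(headers["X-Connect-Timestamp"])
    except (KeyError, ValueError):
        raise Forbidden("missing or malformed timestamp")
    current = time.time() if now is None else now
    if abs(current - signed_at) > MAX_SKEW_SECONDS:
        raise Forbidden("gateway signature is stale")
    return {
        "user": headers.get("X-Connect-User", ""),
        "groups": [g for g in headers.get("X-Connect-Groups", "").split(",") if g],
        "client": headers.get("X-Connect-Client", ""),
        "scopes": set(headers.get("X-Connect-Scopes", "").split()),
    }


def handle_request(headers, required_scope, group=None, now=None):
    """Authorize one API call: trusted channel first, then scope, then group membership."""
    ctx = verify_trusted_channel(headers, now=now)
    if required_scope not in ctx["scopes"]:
        raise Forbidden(f"client {ctx['client']} was not granted scope {required_scope}")
    if group is not None and group not in ctx["groups"]:
        raise Forbidden(f"user {ctx['user']} is not a member of {group}")
    return {"status": "ok", "user": ctx["user"], "client": ctx["client"]}


def allowed(headers, required_scope, group=None, now=None):
    """Boolean convenience wrapper around handle_request."""
    try:
        handle_request(headers, required_scope, group=group, now=now)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Constructed sample: a wiki client calling the API on behalf of a course group member.
    COURSE = "example.org:course:inf101"   # made-up group identifier format
    good = gateway_forward("andreas@example.org", [COURSE], "wiki-app",
                           ["groups-read", "feed-write"], now=1_000_000)
    print(handle_request(good, "groups-read", group=COURSE, now=1_000_000))
    forged = dict(good, **{"X-Connect-Scopes": "groups-read feed-write admin"})
    print("forged scopes accepted:", allowed(forged, "admin", now=1_000_000))
```

The signature covers every identity header, so a client that edits the scope or group header after the gateway signed it is rejected before any scope logic runs. Mutual TLS between gateway and backend, or a network path that only the gateway can use, serves the same purpose; what matters is that the backend never honours these headers on a route reachable without the gateway.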

Page 31: Feide Connect

Self-Service and Scalability


Page 32: Feide Connect

Self-Service and Scalability

Priority #1: everything is self-service.

Well-designed authorization workflows. Focus on «one-click» grant, when moderation is needed at all.

Will run on HA infrastructure.

Page 33: Feide Connect

International Collaboration


Page 34: Feide Connect

International Collaboration

Any student or employee in Europe should be able to log in with their local credentials through the platform.

Established cross-federation connections through eduGAIN and Kalmar.

Collaboration on harmonizing group definitions and exchange protocols with other countries. Collaboration through GÉANT, TERENA and NordForum.

Standardization: OAuth, OpenID Connect, SCIM, OpenSocial, ActivityStreams, misc. W3C.

Page 35: Feide Connect

Piloting with Institutions


Page 36: Feide Connect

Piloting with Institutions

Allow access to log in through Feide.

Set up access for Person Search (directory access).

Register a set of test users with additional privileges.

Integration with FS for groups and roles.

Integration with external connectors.

Testing of API authorization.

Real-user testing of collaboration tools.

Page 37: Feide Connect

Plans forward
