Feide Connect

Post on 04-Jul-2015


Transcript of Feide Connect

«Feide Connect»: next generation service platform for advanced services and collaboration services for higher education.

Andreas Åkre Solberg, andreas.solberg@uninett.no


Once upon a time

Web Single Sign-On with Feide was sufficient to provide a seamless user experience across services.

Collaboration on Internet

✤ Dynamic working groups spanning multiple organizations work together using digital collaboration tools:

✤ A wiki

✤ Document sharing tool

✤ Meeting planner and calendar

✤ A Web meeting tool

✤ A web forum or mailinglist


Feide Connect

[Component overview: HTTP API; Authentication; Groups and Roles; OAuth Authorization Engine; Activity streams; People search; API Authz Management; Self Service]

October 23, 2013

Feide Connect

New architecture

API-based instead of an SSO flow

OAuth + authentication

Makes use of Feide (without changes)

Offers additional services

Better support for mobile, desktop, etc.

API Authorization Management

Extremely simple integration for Service Providers

Low bar of entry (for students, non-commercial use, etc.)


[Architecture figure: Feide Connect (storage, people search, groups, API authz, activity streams) exposing an API to Feide services, third-party clients/integrations, service backends, and web/mobile apps, with Feide as the identity provider.]

Authentication

Feide is based upon SAML 2.0.

Rather complex, which results in a relatively high integration cost for Service Providers.

Limited to the «login request -> response» flow, with few opportunities beyond it.

Trends in consumer markets (Facebook, Google, Twitter, LinkedIn, Salesforce):

From enterprise protocols towards APIs / REST and OAuth

Providers need to offer APIs and third-party integration anyway; OAuth

Easy to establish a simple authentication protocol (userinfo) on top of that

OpenID Connect

Built-in support for cross-federation (eduGAIN, Kalmar) and guest users.
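How the OAuth + userinfo login described above fits together, as an added example that is not part of the original slides or Feide Connect's code: a toy authorization server and client in Python, with the client ID, secret, redirect URI and user record constructed for the demo. It shows the three checks that make plain OAuth safe to use as a login protocol: exact redirect_uri matching against the registration, a client-held state value that the callback must echo, and one-time use of the authorization code.

```python
"""OAuth 2.0 authorization-code flow with a userinfo endpoint on top, the
'simple authentication protocol on top of OAuth' the slides describe as the
replacement for the SAML request/response flow. Added example, not Feide
Connect code: the client, secret, redirect URI and user record are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed user store; on the real platform these attributes come from Feide.
USERS = {"andreas@uninett.no": {"sub": "andreas@uninett.no", "name": "Andreas",
                                "org": "uninett.no"}}


def callback_param(url, name):
    """Read one query parameter from the redirect back to the client."""
    return parse_qs(urlparse(url).query)[name][0]


@dataclass
class AuthorizationServer:
    clients: dict                                  # client_id -> {"secret", "redirect_uri"}
    codes: dict = field(default_factory=dict)      # one-time authorization codes
    tokens: dict = field(default_factory=dict)     # bearer token -> claims

    def authorize(self, client_id, redirect_uri, state, feide_user):
        """Authorization endpoint, reached after the user has logged in via Feide."""
        client = self.clients[client_id]
        # Exact match against the registered URI, so a code can never be sent
        # to an attacker-chosen host.
        if redirect_uri != client["redirect_uri"]:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "sub": feide_user}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: authenticate the client, redeem the code exactly once."""
        client = self.clients[client_id]
        if not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("bad client credentials")
        grant = self.codes.pop(code, None)          # pop: a replayed code fails
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid or replayed code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": grant["sub"], "client_id": client_id,
                              "scope": {"userinfo"}}
        return {"access_token": token, "token_type": "Bearer"}

    def userinfo(self, bearer):
        """The 'userinfo' call that turns plain OAuth into a login protocol."""
        claims = self.tokens.get(bearer)
        if claims is None or "userinfo" not in claims["scope"]:
            raise PermissionError("invalid token")
        return USERS[claims["sub"]]


@dataclass
class Client:
    client_id: str
    secret: str
    redirect_uri: str
    pending_state: str = ""       # CSRF binding for the login in progress

    def start_login(self, server, feide_user):
        self.pending_state = secrets.token_urlsafe(16)
        # In a browser this is a redirect; the direct call stands in for it.
        return server.authorize(self.client_id, self.redirect_uri,
                                self.pending_state, feide_user)

    def finish_login(self, server, callback_url):
        state = callback_param(callback_url, "state")
        if not self.pending_state or not hmac.compare_digest(state, self.pending_state):
            raise PermissionError("state mismatch (possible login CSRF)")
        self.pending_state = ""
        tok = server.token(self.client_id, self.secret,
                           callback_param(callback_url, "code"), self.redirect_uri)
        return server.userinfo(tok["access_token"])


def new_pair():
    """Constructed server/client pair used by the demo."""
    server = AuthorizationServer(clients={"wiki": {"secret": "s3cret",
                                                   "redirect_uri": "https://wiki.example/cb"}})
    return server, Client("wiki", "s3cret", "https://wiki.example/cb")


def demo():
    server, client = new_pair()
    callback = client.start_login(server, "andreas@uninett.no")
    return client.finish_login(server, callback)


if __name__ == "__main__":
    print(demo())
```

The state value is held by the client and cleared after use, so a replayed callback URL is rejected before any code exchange; the code is popped on redemption, so a replayed code fails even when the client is tricked into presenting it twice. A real deployment would add PKCE for public (mobile/desktop) clients, which the slides list as a target platform.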


Groups and roles


API Service

Base layer: builds groups from Feide attributes

Connector to FS: courses, study programmes and more.

Support for ad-hoc groups: anyone can create groups for their collaboration needs. Cross-organizational groups.

Support for custom external connectors to an institutions authoritative source of group data.

[Architecture figure: the Feide Connect groups layer (storage, people search, Groups API, API authz, activity streams), with ad-hoc groups and external connectors such as FS feeding the Groups API; Feide, Feide services, third-party clients/integrations and web/mobile apps as consumers; plus an ad-hoc group management front-end.]


People Search


Separate People Search API

Authenticated API

Also available as a JS library

And as a Federated Widget

Relies on already public information

It is a better user experience to search for real user names than to type in user IDs.

Model for groups

Very simple, but extensible, information model.

Protocol for:

retrieving the list of groups for the current user (from FeideID)

retrieving the list of members of a given group (from group ID)

Extended model

Standardization per group type of extended attributes.
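The base layer, connectors, ad-hoc groups and the two protocol calls (groups for the current user, members of a given group), worked through as an added Python example; it is not Feide Connect's code. The Feide attribute values, the group-ID scheme org:<domain>[:<affiliation>] / adhoc:<name> / fs:emne:<org>:<code>, and the FS connector data are all constructed for the example.

```python
"""Groups layer from the slides: a base layer that derives groups from Feide
attributes, ad-hoc groups anyone can create, pluggable external connectors,
and the two protocol calls (groups for a FeideID, members of a group ID).
Added example, not Feide Connect code; attribute values and group-ID
formats are assumptions."""
from dataclasses import dataclass, field

# Constructed Feide attribute sets keyed by FeideID (eduPersonPrincipalName).
FEIDE_ATTRS = {
    "andreas@uninett.no": {"schacHomeOrganization": "uninett.no",
                           "eduPersonAffiliation": ["employee", "member"]},
    "kari@ntnu.no":       {"schacHomeOrganization": "ntnu.no",
                           "eduPersonAffiliation": ["student", "member"]},
}


def base_groups(feide_id):
    """Base layer: one group per home organization plus one per affiliation."""
    attrs = FEIDE_ATTRS[feide_id]
    org = attrs["schacHomeOrganization"]
    groups = {f"org:{org}"}
    groups |= {f"org:{org}:{aff}" for aff in attrs["eduPersonAffiliation"]}
    return groups


def fs_connector(feide_id):
    """Stand-in for an external connector to an authoritative source such as FS.
    Constructed data: course enrolments keyed by FeideID."""
    enrolments = {"kari@ntnu.no": {"fs:emne:ntnu.no:TDT4237"}}
    return enrolments.get(feide_id, set())


@dataclass
class GroupService:
    adhoc: dict = field(default_factory=dict)        # group_id -> {"owner", "members"}
    connectors: list = field(default_factory=list)   # callables: feide_id -> set of IDs

    def create_adhoc(self, owner, name):
        gid = f"adhoc:{name}"
        if gid in self.adhoc:
            raise ValueError(f"{gid} already exists")
        self.adhoc[gid] = {"owner": owner, "members": {owner}}
        return gid

    def add_member(self, actor, gid, feide_id):
        """Only the ad-hoc group's owner may add members."""
        group = self.adhoc[gid]
        if actor != group["owner"]:
            raise PermissionError(f"{actor} does not own {gid}")
        group["members"].add(feide_id)

    def groups_for_user(self, feide_id):
        """Protocol call 1: groups for the current user (from FeideID)."""
        groups = base_groups(feide_id)
        groups |= {gid for gid, g in self.adhoc.items() if feide_id in g["members"]}
        for connector in self.connectors:
            groups |= connector(feide_id)
        return sorted(groups)

    def members_of(self, caller, gid):
        """Protocol call 2: members of a given group (from group ID).
        Only a member may list a group's members."""
        if gid not in self.groups_for_user(caller):
            raise PermissionError(f"{caller} is not a member of {gid}")
        if gid in self.adhoc:
            return sorted(self.adhoc[gid]["members"])
        # Base-layer and connector groups: membership is derived, so list every
        # known user whose derived groups contain the ID.
        return sorted(u for u in FEIDE_ATTRS if gid in self.groups_for_user(u))


if __name__ == "__main__":
    svc = GroupService(connectors=[fs_connector])
    agora = svc.create_adhoc("andreas@uninett.no", "agora")
    svc.add_member("andreas@uninett.no", agora, "kari@ntnu.no")
    print(svc.groups_for_user("kari@ntnu.no"))
    print(svc.members_of("kari@ntnu.no", agora))
```

The membership check in members_of is the point worth copying: a group ID is not a secret, so the "members of group" call must be gated on the caller's own group list rather than on knowledge of the ID.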

Subscriptions


Content associated with public groups. Users may subscribe.

Activity Streams


One activity stream per group.

Generic information model.

Activities posted to one or more groups.
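The activity-stream model, as an added Python example (not the platform's code) covering this slide and the earlier Subscriptions slide: one stream per group, an activity posted to several groups appearing once in a user's merged feed, and reads gated on membership or on a subscription to a public group. Group names, users and the public flag are constructed.

```python
"""Activity streams from the slides: one stream per group, activities posted
to one or more groups, and subscriptions to public groups. Added example,
not Feide Connect code; groups, users and the 'public' flag are assumed."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Activity:
    id: int
    actor: str
    verb: str            # e.g. "create", "share", "schedule"
    object: str          # what was acted on
    groups: frozenset    # every group the activity was posted to


@dataclass
class ActivityStreams:
    groups: dict                                        # group_id -> {"members", "public"}
    subscriptions: dict = field(default_factory=dict)   # user -> set of public group IDs
    streams: dict = field(default_factory=dict)         # group_id -> [Activity]
    _ids: object = field(default_factory=count)         # monotonically increasing IDs

    def _can_read(self, user, gid):
        g = self.groups[gid]
        subscribed = gid in self.subscriptions.get(user, set())
        return user in g["members"] or (g["public"] and subscribed)

    def subscribe(self, user, gid):
        """Subscriptions exist only for public groups (Subscriptions slide)."""
        if not self.groups[gid]["public"]:
            raise PermissionError(f"{gid} is not public")
        self.subscriptions.setdefault(user, set()).add(gid)

    def post(self, actor, verb, obj, groups):
        """Post one activity to one or more groups; actor must be a member of each."""
        groups = frozenset(groups)
        for gid in groups:
            if actor not in self.groups[gid]["members"]:
                raise PermissionError(f"{actor} is not a member of {gid}")
        act = Activity(next(self._ids), actor, verb, obj, groups)
        for gid in groups:
            self.streams.setdefault(gid, []).append(act)
        return act

    def stream(self, user, gid):
        """The per-group stream, readable by members and (if public) subscribers."""
        if not self._can_read(user, gid):
            raise PermissionError(f"{user} may not read {gid}")
        return list(self.streams.get(gid, []))

    def feed(self, user):
        """Merged personal feed over every readable group, deduplicated so an
        activity posted to several groups shows up once, in posting order."""
        readable = [gid for gid in self.groups if self._can_read(user, gid)]
        seen, out = set(), []
        for act in sorted((a for gid in readable for a in self.streams.get(gid, [])),
                          key=lambda a: a.id):
            if act.id not in seen:
                seen.add(act.id)
                out.append(act)
        return out


def sample():
    """Constructed data mirroring the example stream on the slides."""
    s = ActivityStreams(groups={
        "agora":          {"members": {"andreas", "simon"}, "public": False},
        "cloudstor-news": {"members": {"armaz"}, "public": True},
        "nordic":         {"members": {"andreas", "armaz"}, "public": False},
    })
    s.post("andreas", "create", "wiki page «welcome!»", ["agora"])
    s.post("armaz", "share", "file «architecture.pdf»", ["cloudstor-news"])
    s.post("andreas", "schedule", "a new meeting", ["agora", "nordic"])
    return s


if __name__ == "__main__":
    s = sample()
    s.subscribe("simon", "cloudstor-news")
    for act in s.feed("simon"):
        print(act.id, act.actor, act.verb, act.object, sorted(act.groups))
```

Posting is checked against membership of every target group, not just one, so an activity cannot be used to leak into a stream the actor cannot read; the feed deduplicates by activity ID rather than by content, which matters once the same activity legitimately lives in two streams.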

User interfaces

WebApp frontend

Mobile app frontend

Widgets

API

Activity Streams (example stream)

Andreas created a wiki page «welcome!» at Agora

Armaz shared a file «architecture.pdf» at Cloudstor

Simon scheduled a new meeting

Andreas confirmed and will attend meeting

A new user Thorleif is added to the group


Notifications

The most important activity updates

Email and mobile push notifications

Personal preferences

Open Data


Universities have an increasing interest in sharing their data using APIs.

This motivates the growth of new, innovative and better services for employees and students.

Privacy is very important!

It is complex to provide an authentication and authorization model for delegated access to personal data.


Self-service


Registration of new clients

Third parties register new clients and request access to API scopes.


Managing clients

› Trust

› Scope management

› Statistics

› Authorization workflow


API Authorization workflow

The API owner grants access to new clients.

› Clients are bound to authenticated users / organizations


The platform makes sure that end users accessing the clients are authenticated (using Feide): user access to clients is handled through Feide login.


API Authorization Dialog


The client has obtained a token and can access «Feide Connect» services, such as:

> user info

> groups

> activity streams
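The self-service registration and API-authorization workflow from the last few slides, as an added Python example that is not Feide Connect's code: a third party registers a client and requests scopes, the owning API grants a subset, and a token issued after Feide login carries only granted scopes, which every API call then checks. Scope names, the API-owner mapping and the client-ID format are assumptions.

```python
"""Self-service client registration and the API authorization workflow from
the slides: request scopes, API owner grants, token bounded by grants, API
enforces scope per call. Added example, not Feide Connect code; scope names,
owners and ID formats are constructed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class ClientRecord:
    client_id: str
    owner: str                                   # authenticated user/org that registered it
    requested: set                               # scopes the third party asked for
    granted: set = field(default_factory=set)    # scopes the API owner approved


@dataclass
class Platform:
    api_owners: dict                             # scope -> owner who decides on access
    clients: dict = field(default_factory=dict)  # client_id -> ClientRecord
    tokens: dict = field(default_factory=dict)   # token -> {"client", "sub", "scope"}

    def register_client(self, owner, requested):
        """Self-service registration: anyone authenticated may register, but
        only scopes the platform knows about can be requested."""
        unknown = set(requested) - set(self.api_owners)
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        cid = "client-" + secrets.token_hex(4)
        self.clients[cid] = ClientRecord(cid, owner, set(requested))
        return cid

    def grant(self, api_owner, cid, scopes):
        """API owner approves scopes: only ones they own, only ones requested."""
        client = self.clients[cid]
        for s in scopes:
            if self.api_owners.get(s) != api_owner:
                raise PermissionError(f"{api_owner} does not own scope {s}")
            if s not in client.requested:
                raise ValueError(f"{s} was not requested by {cid}")
        client.granted |= set(scopes)

    def issue_token(self, cid, feide_user, scopes):
        """After Feide login and user consent: the token's scopes are the
        intersection of what was asked for now and what the client was granted,
        never what the client alone asks for."""
        client = self.clients[cid]
        effective = set(scopes) & client.granted
        if not effective:
            raise PermissionError("no granted scopes in request")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"client": cid, "sub": feide_user, "scope": effective}
        return tok, effective

    def call_api(self, tok, needed_scope):
        """Resource side: every call re-checks the token's scope set."""
        claims = self.tokens.get(tok)
        if claims is None or needed_scope not in claims["scope"]:
            raise PermissionError(f"token lacks scope {needed_scope}")
        return {"sub": claims["sub"], "client": claims["client"], "scope": needed_scope}


def demo():
    """Constructed workflow: a student registers a client, Feide Connect grants
    two of three requested scopes, and the token reflects only those two."""
    p = Platform(api_owners={"userinfo": "feideconnect", "groups": "feideconnect",
                             "fs:grades": "fs"})
    cid = p.register_client("student@ntnu.no", ["userinfo", "groups", "fs:grades"])
    p.grant("feideconnect", cid, ["userinfo", "groups"])
    tok, effective = p.issue_token(cid, "kari@ntnu.no", ["userinfo", "groups", "fs:grades"])
    return p, cid, tok, effective


if __name__ == "__main__":
    _, _, _, effective = demo()
    print(sorted(effective))
```

Two separations carry the workflow: the party that registers a client (the third party) is never the party that grants scopes (the API owner), and the token endpoint derives scopes from the grant record rather than trusting the request, so a client cannot escalate by asking for more at login time.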


International Collaboration

Any student or employee in Europe should be able to log in with their local credentials to services on the platform.

Cross-federation connections are established through eduGAIN and Kalmar.

Collaboration on harmonizing group definitions and exchange protocols with other countries; collaboration through GÉANT and Terena.

Nordic collaboration through NordForum?

Standardization: OAuth, OpenID Connect, SCIM, OpenSocial, ActivityStreams, misc. W3C


For discussion

Identifier for mapping users: user ID, FeideID, student ID, national identity number, etc.

Which types of groups, and possibly roles

Agreements, and access during the development phase

Source of the data: web service vs database

Lookup speed

Collaboration, UNINETT <-> FS