feide connect
DESCRIPTION
Variation:1, groups.TRANSCRIPT
«Feide Connect»Next generation service platform for advanced services and collaboration services for higher education.
[email protected] Åkre Solberg
!2
Web Single Sign-On with Feide was sufficient to provide a seamless user experience across services.
Once upon a time
Collaboration on Internet
✤ A dynamic working groups spanning multiple organizations, work together using digital collaboration tools:
✤ A wiki
✤ Document sharing tool
✤ Meeting planner and calendar
✤ A Web meeting tool
✤ A web forum or mailinglist
!3
Feide Connect
5
HTTP API
Authentication
Groupsand
Roles
OAuthAuthorization Engine
Activity streams
Peoplesearch
APIAuthz
Mngmnt
SelfService
oktober 23, 2013
Feide Connect
New architecture
API-based instead of SSO-flow
OAuth + authentication
Makes use of Feide (without changes)
Offers additional services
Better support for mobile, desktop etc.
API Authorization Management
Extremely simple integration for Service Providers
Low-bar of entry (for students, non-commercial, etc)
!6
Feide ConnectFeide
Feidetjeneste
Tredjepartsklient /integrasjon
Tjenestebackend
API
Web appMobil app
lagringpersonsøkgrupper API authzaktivitetstr
Authentication
Feide based upon SAML 2.0
Rather complex results in relatively high integration cost for Service Providers.
Limited opportunities to the «login request -> response»-flow.
!Trends in consumer markets (Facebook, Google, Twitter, Linkedin, Salesforce)
From enterprise protocols towards APIs / REST and OAuth
Providers needs to offer APIs and third party integration anyway; OAuth
Easy to establish a simple authentication protocol (userinfo) on top of that
OpenID Connect
Built-in support for cross-federation (eduGAIN, Kalmar) and guest users.
oktober 23, 2013 7
Groups and roles
!8
Groups and roles
!9
API Service
Base layer: builds groups from Feide attributes
Connector to FS:emner, studieretning med mer.
Support for Ad-Hoc groupsAnyone can create groups for their collaboration needs. Cross-organizational groups.
Support for custom external connectors to an institutions authoritative source of group data.
Feide ConnectFeide
Feidetjeneste
Tredjepartsklient /integrasjon
FS
Web appMobil app
lagringpersonsøkGroups API authzaktivitetstr
AdHocExt Connectors
Ad-hoc group management front-end
!10
People Search
!11
Separate People Search API
Authenticated API
Also available as a JS library
And as a Federated Widget
Relies on already public information
Better user experience to search for real user names, than to add userids.
Modell for grupper
!12
Superenkel, men utvidbar, informasjonsmodell
!!!!!Protokoll for:
hente ut liste over grupper for gjeldende bruker (fra FeideID)
hente ut liste over medlemmer for en gitt gruppe (fra gruppeID)
Utvidet modell
!13
Standardisering per gruppe-type for utvidede egenskaper.
Subscriptions
!14
Content associated with public groups. Users may subscribe.
Activity Streams
!15
!16
One activity stream per group.
Generic information model
Acitivites posted to one or more groups
!User interfaces
WebApp frontend
Mobile app frontend
Widgets
API
Activity Streams
Andr
eas c
reate
d a w
iki pa
ge
«welc
ome!»
at A
gora
Armaz
shar
ed a
file «a
rchite
cture
.pdf»
at C
louds
tor
Simon
sch
edule
d a ne
w mee
ting
Andr
eas c
onfirm
ed an
d
will a
ttend
mee
ting
A ne
w us
er Th
orlei
f is
adde
d to t
he gr
oup
!17
!18
The most important activity updates
Email and mobile push notifications
Personal preferences
Notifications
Open Data
!19
!20
Universities increasing interest to share their data using APIs.
Motivates growth of new innovative, and better services for the employees and students.
!Privacy very important!
Complex to provide authentication model for delegated access to personal data.
Open Data
Self-service
!21
!22
Registration of new clients !Third parties register new clients, and requests access to API scopes.
!23
Managing clients !› Trust › Scope management › Statistics !› Authorization workflow
!24
API Authorization workflow !API owner grants access to new clients. › Clients bounded to authenticated users / organizations
!25
The platform will make sure end users accessing the clients are authenticated (using Feide).
Users accessing clients, is handled through Feide login
!26
API Authorization Dialog
!27
Client has obtained a token, and can access «Feide Connect» services, such as: !> user info, > groups, > activity streams
!28
Any student or employee in Europe should be able to login with their local credentials on the through the platform.
Established cross-federation connections through eduGAIN and Kalmar.
!Collaboration on harmonizing group definitions and exchange protocols with other countries.Collaboration through GÉANT, Terena.
Nordic collaboration through NordForum?
Standardization OAuth, OpenID Connect, SCIM, OpenSocial, ActivityStreams, Misc W3C
International Collaboration
!29
Identifikator for mapping av bruker, brukerID, FeideID, studentID, personnummer, etc.
Hvilke type grupper, og evnt roller
Avtaleverk, og tilgang i utviklingsfasen
Kilde for dataene, WS vs database
Hastighet på oppslag
Samarbeid, UNINETT <-> FS
Til diskusjon