OpenConext Workshop TNC2014
Transcript of OpenConext Workshop TNC2014
![Page 1: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/1.jpg)
“Open for Collaboration”
Terena Networking Conference 2014, Dublin
![Page 2: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/2.jpg)
Agenda

| I: Introduction (Niels) | II: Hands-on (Niels) | III: Community and Future (Frans) |
| --- | --- | --- |
| Welcome & introductions | Installing OpenConext VM | Roadmap |
| Use cases | Basic activities | Community |
| OpenConext explained | Working with SAML | Governance |
| Features | Working with Groups | Discussion |
| Components | | |
| Break (15 min) | Break (15 min) | Lunch |

2
![Page 3: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/3.jpg)
I: Introduction
![Page 4: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/4.jpg)
Welcome & introductions
Introduction
Who are you, and why are you here?
4
Niels van Dijk
Frans Ward
Alexander Blanc
![Page 5: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/5.jpg)
A bit of History
SURFgroepen platform (2006-2012)
~100,000 users, 13,000 groups
Any user can start a team
SharePoint (document sharing) + Adobe Connect web conferencing
Backend integration (LDAP)
BUT:
Hard/expensive to extend (no open standards!)
No federated login
Many feature requests from campuses
5
![Page 6: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/6.jpg)
SURFconext Vision (2009)
Create a coherent infrastructure of loosely coupled collaborative services, based on (emerging) open standards and enabled by access federations
6
![Page 8: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/8.jpg)
Use Cases – Federation Hub
8
![Page 9: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/9.jpg)
Use Cases – SURFconext
9
![Page 10: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/10.jpg)
Use Cases – Service Delivery
10
![Page 11: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/11.jpg)
Use Cases – Collab Platform
11
![Page 12: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/12.jpg)
Use Cases – Collab Platform
12
![Page 13: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/13.jpg)
OpenConext Building blocks
Identity Federations, SAML and attributes
Create and manage Groups
OpenSocial (VOOT) API and oAuth
A piece of middleware (a hub or proxy) that allows centrally managing interconnects and facilitates application integration
13
![Page 14: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/14.jpg)
Identity federation
14
![Page 15: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/15.jpg)
Identity federation
15
![Page 16: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/16.jpg)
Identity federation
16
![Page 17: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/17.jpg)
Identity federation
17
![Page 18: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/18.jpg)
Attributes
18
![Page 19: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/19.jpg)
Groups
Any collaboration involves groups, either 'ad hoc' or 'institutional'
OpenConext facilitates the creation of groups of federated users
Ad hoc groups are managed centrally (Teams)
Any acceptable user can become a group 'admin'
Invite any other users
Build groups from other groups
Institutional groups (campus or VO) can be provided by external sources
Groups provide context for applications (but applications decide on AuthZ!)
Groups feature (only) 3 roles (admin, collabmin, member)
Group + VO Registry -> VO IdP
19
![Page 20: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/20.jpg)
Attribute exchange
Attribute & group information can be provided at logon
Many scenarios require out-of-band exchange
VOOT (http://openvoot.org/voot-2.0.html) REST API, based on OpenSocial
oAuth2 & oAuth 1 (deprecated)
Draft SCIM implementation expected in 2014
SAML attribute query support on the way (both AA and client)
20
![Page 21: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/21.jpg)
OpenConext platform (2009)
Do not start from scratch
Add (a lot of) glue
SAML: Shibboleth SP (Shibboleth Consortium), SimpleSAMLphp SP (Feide.no), Corto (WAYF)
Groups: Grouper (Internet2), Shindig (Apache)
Management: Janus (WAYF)
21
![Page 22: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/22.jpg)
OpenConext platform (Q1 2014)
Do not start from scratch
Add (a lot of) glue, and more glue
SAML: Shibboleth SP (Shibboleth Consortium), SimpleSAMLphp SP (Feide.no), Corto (WAYF/SURFnet), SSP libraries
Groups: Grouper (Internet2), Shindig (Apache), Group Proxy, API & APIS, Teams
Management: Janus (SURFnet), Manage, Log handling, Statistics, OpenConext VM
22
![Page 23: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/23.jpg)
Components
23
![Page 24: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/24.jpg)
Engine
SAML 2.0 (WebSSO profile, saml2int.org) authentication proxy capable of acting as an IdP or SP
Engine relies on ServiceRegistry (SR) for configuring the entities.
SAML2 Metadata generation
WAYF Service
End user consent
Privacy and Authorization enforcement (ACL, ARP, vIdP)
Attribute Management
ARP
Persistent/Transient NameID management
Attribute Manipulation & Mapping
urn:oid and urn:mace-dir attributes
24
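To make the ARP and attribute-mapping bullets above concrete, here is an added Python model of two things Engine does between the IdP and the SP: normalising urn:mace:dir attribute names onto their urn:oid equivalents, and filtering the result against the SP's Attribute Release Policy, with the wildcard value matching that the roadmap slide later lists. This is example code written for this transcript, not OpenConext's own EngineBlock code. The OID pairs are the standard ones; the ARP dictionary format, the deny-by-default rule for attributes the ARP does not mention, and the sample assertion are assumptions of the example.

```python
"""Model of Engine's attribute handling: map urn:mace:dir names onto
urn:oid names, then enforce a per-SP Attribute Release Policy (ARP).
Added example for this transcript; it is not OpenConext (EngineBlock) code.
The ARP format and the deny-by-default rule are assumptions of the example."""
from fnmatch import fnmatchcase

# Standard name pairs for a handful of common attributes.
MACE_TO_OID = {
    "urn:mace:dir:attribute-def:mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:mace:dir:attribute-def:displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "urn:mace:dir:attribute-def:eduPersonEntitlement": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}
OID_TO_MACE = {oid: mace for mace, oid in MACE_TO_OID.items()}


def canonical(name):
    """urn:oid form of an attribute name; names without a known mapping pass through."""
    return MACE_TO_OID.get(name, name)


def normalize(attributes):
    """Re-key an IdP's attribute statement on urn:oid names, merging values that
    arrived under both namespaces and dropping repeated values."""
    merged = {}
    for name, values in attributes.items():
        bucket = merged.setdefault(canonical(name), [])
        for value in values:
            if value not in bucket:
                bucket.append(value)
    return merged


def apply_arp(attributes, arp):
    """Return only what the SP's ARP allows.

    arp maps an attribute name (either namespace) to a list of allowed value
    patterns: "*" releases every value, a glob such as "*@example.org" or
    "urn:mace:example.org:*" releases only matching values (case-sensitive).
    Attributes the ARP does not mention are withheld (deny by default), and an
    attribute with no surviving value is dropped rather than sent empty."""
    normalized = normalize(attributes)
    policy = {canonical(name): patterns for name, patterns in arp.items()}
    released = {}
    for name, values in normalized.items():
        patterns = policy.get(name, [])
        kept = [v for v in values if any(fnmatchcase(v, p) for p in patterns)]
        if kept:
            released[name] = kept
    return released


def with_mace_aliases(attributes):
    """Emit each released attribute under both names, for SPs that still read
    the urn:mace:dir form; the urn:oid entries are kept as they are."""
    out = dict(attributes)
    for oid, values in attributes.items():
        mace = OID_TO_MACE.get(oid)
        if mace:
            out[mace] = list(values)
    return out


# Constructed sample: an IdP assertion that mixes both namespaces, and an ARP
# for one SP that wants mail, only the "student" affiliation, and only
# entitlements from its own namespace. displayName is not in the ARP at all.
SAMPLE_ASSERTION = {
    "urn:mace:dir:attribute-def:mail": ["alice@example.org"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["student", "member"],
    "urn:mace:dir:attribute-def:eduPersonEntitlement": [
        "urn:mace:example.org:lib:read", "urn:mace:other.org:admin"],
    "urn:oid:2.16.840.1.113730.3.1.241": ["Alice"],
}
SAMPLE_ARP = {
    "urn:mace:dir:attribute-def:mail": ["*"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["student"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": ["urn:mace:example.org:*"],
}

if __name__ == "__main__":
    for name, values in with_mace_aliases(apply_arp(SAMPLE_ASSERTION, SAMPLE_ARP)).items():
        print(name, values)
```

Normalising before filtering is the point of the ordering: an ARP written in urn:oid terms must still apply when an IdP sends the same attribute under its urn:mace:dir name, otherwise a second spelling of the name becomes a way around the policy. The value-level patterns are what let an SP receive its own entitlements without seeing every entitlement the IdP holds for the user.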
![Page 25: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/25.jpg)
Service Registry
A web-based registry for managing SAML2 SP and IdP metadata, ARP and ACL information and oAuth key management
Based on JANUS (WAYF/SURFnet)
Features include:
Versioning
Metadata import and export
Storing non-SAML data (e.g. oAuth)
Storing 'business' data, e.g. policy information
25
![Page 26: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/26.jpg)
Teams (& Grouper)
A federated end-user tool for self-service management of group relationships
Teams backend is Internet2's Grouper
Features include:
create teams: invite and re-invite, request membership
manage team members, assign basic roles
combine groups from connected group providers into new (virtual) teams
26
![Page 27: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/27.jpg)
OpenSocial/VOOT API, APIs & API Playground
API
Exchange groups and person info using a standardized REST API
Authorization based on oAuth v2 and oAuth v1 (deprecated)
A group proxy (connect multiple group providers)
The API supports three calls:
Groups the user is a member of
List other members of a group
Attributes of a user
APIs
OAuth2 authorization server that can handle multiple authorization servers and clients.
API Playground
Testbed for application development and testing
27
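The three API calls and the group proxy in front of several group providers are easier to see in code. The following is an added Python model written for this transcript, not OpenConext's API or Shindig code: a proxy that answers the three VOOT calls from a Teams-style provider and a campus provider, with an OAuth2-style bearer token check first, and with the three roles from the Groups slide. The urn:collab:group:<provider>:<group> identifier convention, the scope name, and all users, groups and tokens are constructed for the example.

```python
"""Toy version of the group proxy behind the VOOT API: the three calls from
the slide (groups of the caller, members of one group, attributes of the
caller) served from several group providers behind an OAuth2-style bearer
token. Added example for this transcript, not OpenConext code. The provider
set, the urn:collab:group:<provider>:<group> identifier convention, the scope
name and all users, groups and tokens are constructed for the example."""
from dataclasses import dataclass, field

ROLES = ("admin", "collabmin", "member")   # the three Teams roles from the Groups slide


@dataclass
class GroupProvider:
    """One connected group source, e.g. Teams (Grouper) or a campus directory."""
    name: str
    groups: dict                                 # group id -> {user id: role}
    people: dict = field(default_factory=dict)   # user id -> attributes

    def __post_init__(self):
        for group_id, members in self.groups.items():
            for user, role in members.items():
                if role not in ROLES:
                    raise ValueError("unknown role %r for %s in %s" % (role, user, group_id))


class VootProxy:
    def __init__(self, providers, tokens):
        self.providers = {p.name: p for p in providers}
        # Issued access tokens: token -> {"user": subject, "scopes": set(...)}.
        # A real deployment would validate these against the authorization server.
        self.tokens = tokens

    def _subject(self, token, scope="read"):
        """Resolve the bearer token to its user; refuse missing or under-scoped tokens."""
        grant = self.tokens.get(token)
        if grant is None or scope not in grant["scopes"]:
            raise PermissionError("invalid token or missing scope %r" % scope)
        return grant["user"]

    @staticmethod
    def _group_urn(provider, group_id):
        return "urn:collab:group:%s:%s" % (provider, group_id)

    def _resolve(self, group_urn):
        """Map a group URN back to its member dict, or None if provider or group is unknown."""
        parts = group_urn.split(":", 4)
        if len(parts) != 5 or parts[:3] != ["urn", "collab", "group"]:
            return None
        provider = self.providers.get(parts[3])
        return None if provider is None else provider.groups.get(parts[4])

    # Call 1: groups the user is a member of, aggregated over all providers.
    def my_groups(self, token):
        user = self._subject(token)
        result = []
        for provider in self.providers.values():
            for group_id, members in provider.groups.items():
                if user in members:
                    result.append({"id": self._group_urn(provider.name, group_id),
                                   "membershipRole": members[user]})
        return sorted(result, key=lambda g: g["id"])

    # Call 2: other members of a group. Only members may list a group, and an
    # unknown group gets the same answer as a group the caller is not in, so
    # the call does not reveal which groups exist.
    def group_members(self, token, group_urn):
        user = self._subject(token)
        members = self._resolve(group_urn)
        if not members or user not in members:
            raise PermissionError("not a member of %s" % group_urn)
        return [{"id": uid, "membershipRole": role} for uid, role in sorted(members.items())]

    # Call 3: attributes of the user. The token decides whose; the caller cannot pick.
    def me(self, token):
        user = self._subject(token)
        person = {"id": user}
        for provider in self.providers.values():
            person.update(provider.people.get(user, {}))
        return person


# Constructed sample data.
TEAMS = GroupProvider("teams", {
    "tnc2014-workshop": {"alice": "admin", "bob": "member"},
    "board": {"carol": "admin"},
}, {"alice": {"displayName": "Alice", "email": "alice@example.org"}})
CAMPUS = GroupProvider("campus.example.org", {"staff": {"alice": "member"}})
TOKENS = {
    "tok-alice": {"user": "alice", "scopes": {"read"}},
    "tok-bob": {"user": "bob", "scopes": {"read"}},
    "tok-unscoped": {"user": "alice", "scopes": set()},
}
PROXY = VootProxy([TEAMS, CAMPUS], TOKENS)

if __name__ == "__main__":
    print(PROXY.my_groups("tok-alice"))
    print(PROXY.group_members("tok-bob", "urn:collab:group:teams:tnc2014-workshop"))
    print(PROXY.me("tok-alice"))
```

Two choices carry the security weight. The subject always comes from the token, never from a request parameter, so a client cannot ask for another user's groups or attributes. And the member listing answers "not a member" identically for a group the caller is outside of and for a group that does not exist, which keeps the proxy from acting as a directory of every team on the platform.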
![Page 28: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/28.jpg)
Mujina & Profile
Mujina
Mujina mocks a SAML2 Identity and Service Provider (IdP & SP)
Almost all characteristics of either the IdP or SP can be configured on-the-fly using a REST API
Profile
View profile information (attributes) that are currently registered at the OpenConext platform for the user;
View the group providers and teams a user is a member of;
Connect to additional group providers if these have been made available to the user;
View and optionally revoke consent on released attributes;
View EULA and privacy statements of connected services
28
![Page 29: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/29.jpg)
Components
29
![Page 30: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/30.jpg)
Break!
See you in 15 min!
30
![Page 31: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/31.jpg)
II: Hands-on
31
![Page 32: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/32.jpg)
Installing OpenConext VM
Work from a standard OpenConext VM: https://github.com/OpenConext/OpenConext-vm
Slightly prepped CentOS 6.5 (yum dependencies preinstalled)
OpenStack-based VMs: 1 vCPU, 2 GB RAM, 40 GB disk
Add the key to your ssh client: "ssh-add OCworkshopTNC2014.pem"
Log in to your VM using ssh: "ssh [email protected]"
Become root: "sudo su -"
Start the install: "bash OpenConext-vm-62/scripts/install_openconext.sh -i"
Follow the instructions and select the defaults everywhere (also: create certificates)
Add the hostnames and IP to your hosts file
Go to https://welcome.demo.openconext.org
Accept the self-signed certificates & CA
32
![Page 33: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/33.jpg)
Welcome to OpenConext
33
![Page 34: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/34.jpg)
Basic activities
Login to Profile via Mujina IdP; learn a bit about Profile
Create a team and invite members; learn about Teams
Modify IdP metadata using ServiceRegistry; learn about ServiceRegistry
Inspect SAML metadata, learn about Engine
Get debug login from Feide OpenIDP using Engine
Accept team invite using Feide OpenIDP
Inspect group config in Grouper
See group ACLs using Manage
Get oAuth config from ServiceRegistry
Query API in API playground to see group and person data
34
![Page 35: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/35.jpg)
Basic activities
![Page 36: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/36.jpg)
Profile, Mujina and Teams
36
![Page 37: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/37.jpg)
OpenConext WAYF
37
![Page 38: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/38.jpg)
Mujina IdP
38
![Page 39: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/39.jpg)
End-user Consent
39
![Page 40: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/40.jpg)
Profile
40
![Page 41: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/41.jpg)
Teams - Login
41
![Page 42: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/42.jpg)
Teams – Create new Team
42
![Page 43: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/43.jpg)
Teams – Create new Team
43
![Page 44: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/44.jpg)
Teams and members
44
![Page 45: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/45.jpg)
Inviting members
45
![Page 46: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/46.jpg)
Inviting members
46
![Page 47: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/47.jpg)
Login via OpenIdP
47
![Page 48: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/48.jpg)
Oops!
48
![Page 49: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/49.jpg)
Simple activities
![Page 50: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/50.jpg)
ServiceRegistry and Engine
50
![Page 51: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/51.jpg)
ServiceRegistry
51
![Page 52: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/52.jpg)
ServiceRegistry
52
![Page 53: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/53.jpg)
ServiceRegistry
53
![Page 54: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/54.jpg)
ServiceRegistry
54
![Page 55: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/55.jpg)
ServiceRegistry
55
![Page 56: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/56.jpg)
ServiceRegistry
56
![Page 57: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/57.jpg)
Engine - Testing IdPs
57
![Page 58: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/58.jpg)
Simple activities
![Page 59: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/59.jpg)
Ok, back to my Team
59
![Page 60: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/60.jpg)
Ok, back to my Team
60
![Page 61: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/61.jpg)
Teams – Accept Invite
61
![Page 62: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/62.jpg)
Teams – Accept Invite
62
![Page 63: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/63.jpg)
Teams – Accept Invite
63
![Page 64: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/64.jpg)
Teams – Accept Invite
64
![Page 65: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/65.jpg)
Grouper – Behind the Scenes
65
![Page 66: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/66.jpg)
Grouper - details
66
![Page 67: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/67.jpg)
Manage - Group ACLs
67
![Page 68: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/68.jpg)
Manage – Setting Group ACLs
68
![Page 69: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/69.jpg)
Manage – Add new group providers
69
![Page 70: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/70.jpg)
Simple activities
![Page 71: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/71.jpg)
ServiceRegistry – oAuth keys
71
![Page 72: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/72.jpg)
API Playground
72
![Page 73: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/73.jpg)
API Playground
73
![Page 74: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/74.jpg)
Authorization Grant
74
![Page 75: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/75.jpg)
API Playground
75
![Page 76: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/76.jpg)
My Groups!
76
![Page 77: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/77.jpg)
Simple activities
![Page 78: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/78.jpg)
Keep calm and REMOVE the OpenConext CA from your browser!
(it is publicly available on GitHub, so anyone can issue certificates that a browser trusting it would accept)
78
![Page 79: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/79.jpg)
Break!
See you in 15 min!
79
![Page 80: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/80.jpg)
III: Community and Future
80
![Page 81: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/81.jpg)
Roadmap
Release 68 (SR/Janus):
Unification of the WAYF and SURFnet forks, keeping full history
Introduced Composer for dependencies
Introduced Doctrine for the data access layer
Add automated upgrade from the last Janus (WAYF release) DB schema
Explicitly keep track of the last revision of each entity in the DB, to improve performance when there are many entities and revisions
Get rid of separate ARPs; move the ARP into the SP configuration
Introduce wildcard matching of ARP values
Introduce a new r/w API for Janus
81
![Page 82: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/82.jpg)
Roadmap
Release 70 (Engine):
Replace Corto and the old libxml code with the SimpleSAMLphp library as SAML library
Reduce the time the SAML signing key is kept in memory
Improved support for multiple SAML signing keys: facilitate fast "hands-off" rollover by allowing the SP to select the signing key to use
Reduce writes to LDAP
New GUI for Teams (Twitter Bootstrap)
82
![Page 83: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/83.jpg)
Roadmap
Unplanned:
OpenConext VM with credentials and other key config parameters in 1 file
Introduce APIS as AuthZ service for public APIs
Experimental support for OpenID Connect
Experimental support for SCIM
Experimental support for SAML AA and client
83
![Page 84: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/84.jpg)
Open Source is…
License
Product
Community
84
![Page 85: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/85.jpg)
'The realization of an open source project does not guarantee the creation of a community'
85
![Page 86: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/86.jpg)
Community
Boosting the full potential of the OpenConext open source ecosystem
Goals:
Create an active community
Exchange ideas
Promotion
Learn from different use cases
86
![Page 87: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/87.jpg)
87
![Page 89: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/89.jpg)
Governance
Why does a project like OpenConext need a governance model?
Every open source project has its own management strategy
It is therefore critical to have clear communication about its politics and strategies to potential users and developers
Sustainability!
89
![Page 90: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/90.jpg)
Governance Model
Describes the roles that project participants can take on
Describes the process for decision making within the project
Describes the ground rules for participation in the project
Describes the processes for communicating and sharing with the project team and community
90
![Page 91: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/91.jpg)
Governance Models
91
![Page 92: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/92.jpg)
Governance Options
Do nothing aka leave it as it is
(SURFnet as benevolent dictator)
Create an independent entity out of
OpenConext
(like the MediaMosa Foundation)
Define a custom governance model
(like the MediaMosa Foundation)
92
![Page 93: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/93.jpg)
MediaMosa Governance
93
![Page 94: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/94.jpg)
Governance Barriers
the process is perceived as 'red tape'
there is a concern that the project will lose its sense of direction
it is felt that control of the project's strategy will be lost
the project is thought to be too young or too small to attract active users or developers
94
![Page 95: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/95.jpg)
Community Options
Join the Apereo Foundation
DIY (based on MediaMosa)
What about Terena Greenhouse?
95
![Page 96: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/96.jpg)
Discussion
Given what you have seen, what use case would you have for OpenConext? What is useful, what is missing?
How important is formal governance?
What kind of support tools would you expect?
What are your plans with OpenConext?
Would you consider using OpenConext and becoming an active member of the community?
96
![Page 97: OpenConext Workshop TNC2014](https://reader033.fdocuments.us/reader033/viewer/2022060200/559870c41a28abc26a8b4841/html5/thumbnails/97.jpg)
Resources
Source code
All of OpenConext is hosted at https://github.com/openconext
OpenConext support tools and compatible services are available at
https://github.com/openconextapps
Community Website, including documentation
https://www.openconext.org
Support
Mailing lists: [email protected] and openconext-
97