OpenConext Apereo2014
OpenConext: Open for Collaboration
Niels van Dijk
Technical Product Manager
SURFnet: the Dutch NREN
• SURFnet is the Dutch National Research & Education Network (NREN)
– Services, innovation, knowledge
– Not for profit
– Task organisation of Stichting SURF = ICT collaboration of higher education & research
• A small operation serving a large community:
– 85 employees
– 160 connected institutions
– 1 million end-users
– Turnover 35 million Euro; 1/3 innovation subsidies
SURFnet - We make innovation work 1
OpenConext
OpenConext Vision (2009)
Create a coherent infrastructure of loosely coupled
collaborative services, based on (emerging) Open
Standards and enabled by access federations
OpenConext Building blocks
Identity Federations, SAML and attributes
Create and manage Groups
OpenSocial (VOOT) API and OAuth
A piece of middleware (a hub or proxy) that allows centrally managing interconnects and facilitates application integration
OpenConext Use cases
• Collaboration Platform
• Service Delivery Platform
• Identity Federation hub
United Kingdom – JISCconext (JISC)
A collaboration platform around email groups; will support about 1
million end-users
Australia (AARnet)
A service delivery platform for AARnet services in Australia and New Zealand
The Netherlands – SURFconext (SURFnet)
The middleware platform for the national hub-n-spoke Identity
Federation
JISCconext
https://tnc2014.terena.org/core/presentation/15
AARNet
https://tnc2014.terena.org/core/presentation/15
SURFconext
A next generation collaboration
infrastructure that creates new
opportunities to collaborate online
based on a combination of applications
from different providers.
Researchers, educators and students wish to select the tools that best
fit their online collaboration needs. Institutions and Collaborative
Organizations struggle with the integration of self-hosted services
with commercial cloud services. Service providers seek for ways to
make their services easily accessible for users in higher research
and education.
SURFconext is the platform to facilitate these needs.
Collaboration Platform
• Federated Authentication
• Centralized Groups
• Portals
Federated Authentication
Leverages secure, trusted authentication and Single Sign on for
Campus and Cloud applications
Centralized groups
Used for ad hoc collaborations and institutional groups
Portals
Bring together distributed services to provide end-users with a
coherent set of services
Service Delivery Platform
• Federated Authentication
• Attribute based Authorization
• National Procurement & Licensing
Create Trusted Services
By combining Identity Federation, privacy and data protection
regulations and a license deal in one contract between the Service
Provider and (all) Dutch institutions
Services Dashboard
Commercial Services
eScience Services
Collaborative Organisations
• Groups
• Distributed Services
• Attributes, roles and rights
Groups are core to collaboration
Any collaboration is based on groups. In R&E these groups are
dynamic and international;
Distributed Services
COs collaborate around distributed services. Managing and
maintaining many SP-IdP interconnections is tough;
Attributes, roles and rights
Roles and rights are based on Attributes. COs need very different
attributes as compared to the attributes provided by the IdPs.
Example Cases
• WeNMR
• Virtual Campus Hub
WeNMR
Bringing together research teams in the structural biology and life
science area. The project offers a platform integrating services and
streamlining the computational approaches necessary for data
analysis and structural modelling.
Virtual Campus Hub
Create a virtual education portal for a joint programme, consisting
of applications made available by the partners involved in that
programme, and to which all relevant users have seamless access.
WeNMR
• Connect HPC to federation
• Federated Portal
WeNMR and eduGAIN
Partners in Virtual Campus Hub
Concept: virtual education portal for joint
programs
Components of Virtual Campus Hub
1. Inventory of the most important ICT barriers for international
collaboration in education.
2. Demo platform to prove that some of these barriers can be removed:
   – Easy access to partners’ applications (FIM)
   – More efficient and more flexible setup of online activities or online
     participation in regular activities (UC hub)
   – Easier collaboration with industry (non-HE IdPs)
3. Vision on how to apply these insights and experiences in concrete
collaboration initiatives (e.g. international joint programs)
Demo portal (proof of concept)
Functionality:
• Access with your own account
to partners’ applications
• Create international groups
(virtual organizations)
• Single sign-on access through
simple website
(https://vch.tue.nl)
12-06-2013
IdPs connected to VCH
04-10-2012
Enabling international collaboration:
National (NRENs) and European (Géant)
Results
• Connections realized for several identity providers (IdPs)
and applications (SPs).
• Cloud service (DTU itslearning) connected to VCH
• Scalability of concept shown (by adding extra IdPs)
• Knowledge and experience with respect to using Géant-eduGAIN
OpenConext Building blocks
Identity Federations, SAML and attributes
Create and manage Groups
OpenSocial (VOOT) API and OAuth
A piece of middleware (a hub or proxy) that allows centrally managing interconnects and facilitates application integration
Identity Federation
Groups
Any collaboration involves groups, either ‘AdHoc’, or ‘Institutional’
OpenConext facilitates the creation of groups of federated users
Ad hoc Groups are managed centrally (Teams)
Any acceptable user can become a group ‘admin’
Invite any other users
Build groups from other groups
Institutional Groups (Campus or VO) can be provided by external sources
Groups provide context for applications (but applications decide on AuthZ!)
Groups feature (only) 3 roles (admin, collabmin, member)
Group + VO Registry -> VO IdP
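The slide makes two points that are easy to get wrong in an application consuming federated groups: groups can be built from other groups, and the group provider only supplies context while the application decides authorization. The following is an added example (not OpenConext's or Teams' own code) that flattens nested groups, keeps the three roles named on the slide, and maps them to application-local permissions with default deny. The group records, user names and permission table are constructed sample data in a shape assumed for illustration, not the real Teams or VOOT payload.

```python
"""Application-side authorization from federated group membership.

Added example, not OpenConext's own code. Group data is constructed
sample data in an assumed shape: group id -> direct members (user -> role)
plus nested groups whose members are inherited.
"""
from typing import Dict, Set

# Constructed sample data. The second group deliberately includes the first
# again, so the walk must cope with a cycle.
GROUPS: Dict[str, dict] = {
    "urn:collab:group:example.org:wenmr": {
        "members": {"alice@uni-a.example": "admin", "bob@uni-b.example": "collabmin"},
        "includes": ["urn:collab:group:example.org:wenmr-students"],
    },
    "urn:collab:group:example.org:wenmr-students": {
        "members": {"carol@uni-c.example": "member"},
        "includes": ["urn:collab:group:example.org:wenmr"],  # cycle on purpose
    },
}

# The only roles the slide lists; anything else from a provider is ignored.
ROLES = ("admin", "collabmin", "member")


def effective_members(group_id: str, groups: Dict[str, dict] = GROUPS) -> Dict[str, str]:
    """Flatten nested groups into user -> role.

    Direct membership wins over inherited membership, and inherited users
    get 'member' only, so an admin of a nested group never becomes admin of
    the parent. A visited set stops cycles.
    """
    result: Dict[str, str] = {}
    visited: Set[str] = set()

    def walk(gid: str, inherited: bool) -> None:
        if gid in visited:
            return
        visited.add(gid)
        rec = groups.get(gid)
        if rec is None:
            return  # unknown group id: contributes nothing
        for user, role in rec.get("members", {}).items():
            if role not in ROLES:
                continue  # do not guess what an unknown role means
            if inherited:
                result.setdefault(user, "member")
            else:
                result[user] = role
        for sub in rec.get("includes", []):
            walk(sub, inherited=True)

    walk(group_id, inherited=False)
    return result


# The application's own policy ("applications decide on AuthZ!"): the group
# provider says who holds which role, the application says what a role may do.
APP_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"read", "write", "manage_members", "delete_project"},
    "collabmin": {"read", "write", "manage_members"},
    "member": {"read", "write"},
}


def is_allowed(user: str, action: str, group_id: str) -> bool:
    """Default deny: no membership, or a role without the action, means False."""
    role = effective_members(group_id).get(user)
    if role is None:
        return False
    return action in APP_PERMISSIONS.get(role, set())


if __name__ == "__main__":
    wenmr = "urn:collab:group:example.org:wenmr"
    print(effective_members(wenmr))
    print(is_allowed("carol@uni-c.example", "delete_project", wenmr))
```

Keeping the role-to-permission table inside the application, rather than asking the group provider for permissions, is what lets two services attach different meanings to the same `collabmin` role without changing the group.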
Attributes
Attribute & Group information can be provided at logon
Many scenarios require out of band exchange
VOOT (http://openvoot.org/voot-2.0.html) REST API, based on OpenSocial
OAuth2 & OAuth 1 (deprecated)
Draft SCIM implementation expected in 2014
SAML attribute query support on the way (both AA and client)
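When group information is fetched out of band over an OAuth2-protected REST API rather than delivered in the SAML assertion, the provider has to do the authorization itself on every call. The following added example (not OpenConext's or the VOOT project's code) shows the checks a group provider makes before answering: the bearer token must exist and be unexpired, carry the right scope, and may only be used to read the memberships of the user it was issued for. The token store, the scope name `groups`, the OpenSocial-style `@me` alias and the response shape are assumptions for illustration, not the VOOT 2.0 wire format.

```python
"""Out-of-band group lookup protected by OAuth 2.0 bearer tokens.

Added example, not OpenConext's or VOOT's code. Tokens, memberships and
the endpoint shape are constructed assumptions for illustration.
"""
import time
from typing import Dict, List, Optional, Tuple

# Constructed token store: opaque token -> claims the authorization server
# recorded when the user consented. 'exp' is a Unix timestamp.
TOKENS: Dict[str, dict] = {
    "tok-alice-groups": {"sub": "alice@uni-a.example", "scope": {"groups"}, "exp": 4102444800},
    "tok-alice-expired": {"sub": "alice@uni-a.example", "scope": {"groups"}, "exp": 946684800},
    "tok-bob-profile": {"sub": "bob@uni-b.example", "scope": {"profile"}, "exp": 4102444800},
}

# Constructed memberships: user -> list of {group id, role}.
MEMBERSHIPS: Dict[str, List[dict]] = {
    "alice@uni-a.example": [{"id": "urn:collab:group:example.org:wenmr", "role": "admin"}],
    "bob@uni-b.example": [{"id": "urn:collab:group:example.org:wenmr", "role": "collabmin"}],
}


def parse_bearer(header: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; None if malformed."""
    if not header:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def groups_for(auth_header: Optional[str], user_id: str,
               now: Optional[float] = None) -> Tuple[int, dict]:
    """Handle GET /groups/{user_id} (assumed path). Returns (HTTP status, body)."""
    now = time.time() if now is None else now
    token = parse_bearer(auth_header)
    claims = TOKENS.get(token) if token else None
    if claims is None or claims["exp"] <= now:
        return 401, {"error": "invalid_token"}
    if "groups" not in claims["scope"]:
        return 403, {"error": "insufficient_scope"}
    # '@me' resolves to the token subject. Any other user id is refused even
    # when the caller knows it, so a token for alice cannot read bob's groups.
    if user_id == "@me":
        user_id = claims["sub"]
    if user_id != claims["sub"]:
        return 403, {"error": "access_denied"}
    return 200, {"entry": MEMBERSHIPS.get(user_id, [])}


if __name__ == "__main__":
    print(groups_for("Bearer tok-alice-groups", "@me"))
    print(groups_for("Bearer tok-alice-groups", "bob@uni-b.example"))
```

The order of the checks matters for what a caller learns: token validity is checked before scope, and scope before the subject binding, so an unauthenticated caller never finds out whether a user id exists.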
OpenConext – The platform (2009)
Do not start from Scratch
Add (a lot of) Glue
SAML: Shibboleth SP (Shibboleth Consortium), SimpleSAMLphp SP (Feide.no), Corto (WAYF)
Groups: Grouper (Internet2), Shindig (Apache), Teams
Management: Janus (WAYF)
OpenConext – The platform (Q1 2014)
Do not start from Scratch
Add (a lot of) Glue and even more Glue
SAML: Shibboleth SP (Shibboleth Consortium), SimpleSAMLphp SP (Feide.no), Corto (WAYF/SURFnet)
Groups: Grouper (Internet2), Shindig (Apache), Teams (v2)
Management: Janus (SURFnet), Manage
Glue: Group Proxy, API & APIS, SSP libraries, Log handling & Statistics, OpenConext VM
OpenConext – Overview
OpenConext – Meshing a Hub
Source: Neil Witheridge, AARNet
How OpenConext helps
• Groups
• Distributed Services
• Attributes, roles and rights
Manage and share Groups
OpenConext provides a centralized group provider and allows
linking external group providers;
Centrally manage services and identity stores
SP and IdP connections can be managed centrally, including Access
and Attribute Release Policies;
Use Attributes, roles and rights for Authorization
Manage, transform and filter attributes and group (membership)
both at logon as well as when queried out-of-band.
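The hub's ability to filter and transform attributes per Service Provider is what keeps an IdP from over-releasing personal data to every connected SP. The following added example (not OpenConext's own code) models an Attribute Release Policy applied at logon: the policy for an SP lists the attributes it may receive, optionally restricted to value patterns, everything not listed is dropped and logged, an SP without a policy receives nothing, and group membership is injected as `isMemberOf` before the policy runs so it is governed by the same rule. The attribute names are common SAML attribute URNs; the policy format, the SP entity IDs and the sample assertion are constructed for illustration.

```python
"""Hub-side Attribute Release Policy (ARP) filtering at logon.

Added example, not OpenConext's own code. The ARP format, entity IDs and
the IdP assertion below are constructed; attribute names are common URNs.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Tuple

IS_MEMBER_OF = "urn:mace:dir:attribute-def:isMemberOf"

# Constructed: attributes as the IdP asserted them (name -> values).
IDP_ATTRIBUTES: Dict[str, List[str]] = {
    "urn:mace:dir:attribute-def:uid": ["alice"],
    "urn:mace:dir:attribute-def:mail": ["alice@uni-a.example"],
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["student", "employee"],
    "urn:mace:dir:attribute-def:displayName": ["Alice Example"],
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": ["uni-a.example"],
}

# Constructed: per-SP policy. Each attribute maps to allowed value patterns;
# a trailing '*' is a wildcard and ["*"] means any value.
ARP: Dict[str, Dict[str, List[str]]] = {
    "https://sp.example.org/saml/metadata": {
        "urn:mace:dir:attribute-def:mail": ["*@uni-a.example"],
        "urn:mace:dir:attribute-def:eduPersonAffiliation": ["employee"],
        "urn:mace:terena.org:attribute-def:schacHomeOrganization": ["*"],
        IS_MEMBER_OF: ["urn:collab:group:example.org:*"],
    },
}


def add_group_context(attributes: Dict[str, List[str]],
                      groups: Iterable[str]) -> Dict[str, List[str]]:
    """Transform step: add the user's group memberships as isMemberOf."""
    merged = {name: list(values) for name, values in attributes.items()}
    groups = list(groups)
    if groups:
        merged[IS_MEMBER_OF] = groups
    return merged


def apply_arp(sp_entity_id: str, attributes: Dict[str, List[str]],
              arp: Dict[str, Dict[str, List[str]]] = ARP
              ) -> Tuple[Dict[str, List[str]], List[str]]:
    """Filter step. Returns (released attributes, audit lines). Default deny."""
    audit: List[str] = []
    policy = arp.get(sp_entity_id)
    if policy is None:
        audit.append(f"no ARP for {sp_entity_id}: releasing nothing")
        return {}, audit
    released: Dict[str, List[str]] = {}
    for name, values in attributes.items():
        patterns = policy.get(name)
        if patterns is None:
            audit.append(f"dropped {name}: not in ARP")
            continue
        kept = [v for v in values if any(fnmatchcase(v, p) for p in patterns)]
        if kept:
            released[name] = kept
        else:
            audit.append(f"dropped {name}: no value matched {patterns}")
    return released, audit


def release_for_sp(sp_entity_id: str,
                   idp_attributes: Dict[str, List[str]] = IDP_ATTRIBUTES,
                   groups: Iterable[str] = (),
                   arp: Dict[str, Dict[str, List[str]]] = ARP
                   ) -> Tuple[Dict[str, List[str]], List[str]]:
    """What the hub puts in the assertion it forwards to the SP."""
    return apply_arp(sp_entity_id, add_group_context(idp_attributes, groups), arp)


if __name__ == "__main__":
    released, audit = release_for_sp(
        "https://sp.example.org/saml/metadata",
        groups=["urn:collab:group:example.org:wenmr", "urn:collab:group:other.example:x"])
    print(released)
    print("\n".join(audit))
```

Running the transform before the filter is the important ordering: group names are also personal data, and a policy that did not list `isMemberOf` would otherwise leak every membership to the SP.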
OpenConext VM
• Run your own OpenConext platform
• CentOS/Redhat, 10 min setup
• For demo, development and playing around
https://github.com/OpenConext/OpenConext-vm
More information
• SURFconext
• OpenConext
SURFconext
http://www.surf.nl/en/services-and-products/surfconext/index.html
OpenConext
All of OpenConext is hosted at https://github.com/openconext
OpenConext support tools and compatible services are available at
https://github.com/openconextapps
Community Website, including documentation
https://www.openconext.org
Support
Mailinglists: [email protected] and [email protected]
niels.vandijk[at]surfnet.nl
@cdr80
cdr80
www.surfnet.nl
+31 30 2 305 305
Creative Commons “Attribution” license:
http://creativecommons.org/licenses/by/3.0/