Feide Connect
1 like•1,899 views
The document describes Feide Connect, a new platform for advanced collaboration services in higher education. Feide Connect uses APIs and OAuth instead of SAML for authentication, making integration simpler for service providers. It provides additional services like group management, person search, activity streams, and federated widgets. Feide Connect also includes an API authorization management system to securely provide access to university data through third party applications and services. The goals of Feide Connect are to improve collaboration both within and between universities through open standards and easy integration.
Feide Connect
- 1. «Feide Connect» Next generation service platform for advanced services and collaboration services for higher education. Andreas Åkre Solberg [email protected]
- 2. Once upon a time Web Single Sign-On with Feide was sufficient to provide a seamless user experience across services. !2
- 3. Collaboration on Internet ✤ A dynamic working groups spanning multiple organizations, work together using digital collaboration tools: ✤ A wiki ✤ Document sharing tool ✤ Meeting planner and calendar ✤ A Web meeting tool ✤ A web forum or mailinglist !3
- 5. Authentication Feide based upon SAML 2.0 Rather complex results in relatively high integration cost for Service Providers. Limited opportunities to the «login request -> response»-flow. ! Trends in consumer markets (Facebook, Google, Twitter, Linkedin, Salesforce) From enterprise protocols towards APIs / REST and OAuth Providers needs to offer APIs and third party integration anyway; OAuth Easy to establish a simple authentication protocol (userinfo) on top of that OpenID Connect Built-in support for cross-federation (eduGAIN, Kalmar) and guest users. oktober 23, 2013 5
- 6. Feide Connect New architecture Feide tjeneste Mobil app Web app Tredjepartsklient / integrasjon API-based instead of SSO-flow OAuth + authentication Makes use of Feide (without changes) Feide Feide Connect grupper personsøk lagring aktivitetstr API authz Offers additional services Better support for mobile, desktop etc. API Authorization Management Tjeneste backend API Extremely simple integration for Service Providers Low-bar of entry (for students, non-commercial, etc) oktober 23, 2013 !6
- 8. Groups and roles API Service Base layer: builds groups from Feide attributes Feide tjeneste Mobil app Web app Tredjepartsklient / integrasjon Connector to FS: emner, studieretning med mer. Feide Connect Support for Ad-Hoc groups Feide Anyone can create groups for their collaboration needs. Cross-organizational groups. Support for custom external connectors to an institutions authoritative source of group data. Groups FS personsøk lagring aktivitetstr API authz Ext Connectors AdHoc !8
- 9. Ad-hoc group management front-end !9
- 10. People Search Separate People Search API Authenticated API Also available as a JS library And as a Federated Widget Relies on already public information Better user experience to search for real user names, than to add userids. !10
- 12. ma Ar ha zs WebApp frontend Widgets dr wi eas l l a co tte nfi nd rm me ed eti an ng d df» ! sc he du led an ew me eti ng Generic information model A n ad ew u de se dt rT o t ho he rle gr if i ou s p Si mo n re «w as c elc rea om ted e!» a at wiki Ag pa or ge a User interfaces An d Acitivites posted to one or more groups An re .p Mobile app frontend da at file Cl «a o u rc ds hi tor tec tu API re Activity Streams One activity stream per group. !12
- 13. !13
- 14. Notifications The most important activity updates Email and mobile push notifications Personal preferences !14
- 16. Federated Widgets Embed content on remote site Challenge: secure environment authentication adopt context !16
- 17. Widgets adopts context Widgets in a separate security domain Communicates with the surroundings Harmonized references; activities, users and groups. As well as time and location. !17
- 18. Federated Widgets ting using Webmee C o n n e ct Adobe Join meet ing !18
- 19. Feed Widget" Shows an aggregated feed of activities for the current selected group across all collaboration tools. Share widget" Can be easily integrated anywhere. Will share a link to the current web page !1 to the activity stream for the current user in a selected group context. 9
- 20. Open Data !20
- 21. Open Data Universities increasing interest to share their data using APIs. Motivates growth of new innovative, and better services for the employees and students. ! Privacy very important! Complex to provide authentication model for delegated access to personal data. !21
- 23. Registering a new API Gatekeeper !23
- 24. Managing an API ! › Trust › Scope management › Statistics ! › Authorization workflow !24
- 25. Public API Information Page ! › OAuth Connection details › Link to register, and request access !25
- 26. Registration of new clients ! Third parties register new clients, and requests access to API scopes. !26
- 27. API Authorization workflow ! API owner grants access to new clients. › Clients bounded to authenticated users / organizations !27
- 28. The platform will make sure end users accessing the clients are authenticated (using Feide). ! API owner does not have to think about Feide. !28
- 30. Feide Connect established a trusted channel with your API › Adds information in HTTP headers, with › User info › Groups › Client info and scopes !30
- 32. Self-Service and Scalability Priority #1 Everything is self-service Well-designed authorization work-flows. Focus on «one-click» grant, when moderation is needed at all. Will run on HA infrastructure !32
- 34. International Collaboration Any student or employee in Europe should be able to login with their local credentials on the through the platform. Established cross-federation connections through eduGAIN and Kalmar. ! Collaboration on harmonizing group definitions and exchange protocols with other countries. Collaboration through GÉANT, Terena and NordForum. ! Standardization OAuth, OpenID Connect, SCIM, OpenSocial, ActivityStreams, Misc W3C !34
- 36. Piloting with Institutions Allow access to login through Feide Setup access for Person Search. Directory access Register a set of test users with additional privileges Integration with FS for groups and roles Integration with external connectors Testing of API authorization Real users testing of collaboration tools !36