UWAP Service Platform

Posted on 12-Jul-2015


Service platform for the education sector

Andreas Åkre Solberg, UNINETT, Web Technology Research and Development

Oslo, 11 February 2013

Once upon a time

Web Single Sign-On with Feide was sufficient to provide a seamless user experience across services.

Collaboration on Internet

✤ Dynamic working groups spanning multiple organizations work together using digital collaboration tools:

✤ A wiki

✤ Document sharing tool

✤ Meeting planner and calendar

✤ A Web meeting tool

✤ A web forum or mailinglist

To provide a satisfying end-user experience spanning multiple collaboration services today, SSO is not sufficient.

Traditional approach

Diagram: a user directory batch-provisions users and groups to App1, App2 and App3.

✤ Does not scale

✤ Not dynamic

✤ (Often) only in one direction

✤ But it works, for some use cases

Modern services

✤ Modern collaboration services share a bunch of common components:

✤ Users and authentication

✤ Groups and authorization

✤ Invitation (mapping users and groups)

✤ Activity stream

✤ Notifications (mail and mobile push notifications)

✤ Data access with third party REST API

Diagram: the apps use Feide for authentication (SAML SP) and Component X for API + OAuth and additional services.

Timeline 2011–2016: Webteknologi 2012; Webteknologi 2013-2016, innovation projects in UNINETT related to "Webteknologi"; spin-off service development / roll-out; ???; innovation.

UWAP Prototype

Diagram (same as above): the apps use Feide for authentication (SAML SP) and the prototype for API + OAuth and additional services.

✤ As more and more supporting functionality is offered (auth, groups, etc.), complexity on the service side can quickly become unsustainable.

✤ Simplicity for service providers is very important!

✤ They should deal with libraries, not separate software components running on the service side.

✤ We must learn from the ecosystems of large players that have succeeded with extreme scalability: Google, LinkedIn, Facebook and others.

✤ Self-service is critical.

Diagram, new more complex model: users, the service with its content API, third-party applications, and delegation between them.

UWAP ecosystem: app developers, content providers, schools and universities, users.

UWAP Prototype

✤ Service providers

✤ Self-service

✤ Simpler integration than Feide.

✤ Built-in support for mobile apps

✤ Based on OAuth / OpenID Connect

✤ Simple API with a range of extra functionality

Groups

✤ Dynamic large-scale groups from Feide attributes

✤ Organization, department

✤ Affiliation: like «all students at NTNU»

✤ Ad-hoc groups

✤ Managed external groups

✤ FS

✤ KIND, etc.

Platform diagram: self-service group management; dynamic groups from Feide; managed external groups (FS, SURFconext, etc.); ad-hoc groups; the apps.

Ad-Hoc groups

✤ Everyone can create new groups, and invite/add users

✤ It is important to easily find the right people to add: a search engine based on real names.

Group information model

✤ List of members

✤ Membership roles:

✤ Admin/Owner

✤ Regular member

✤ (Subscribers) Optionally a group can have subscribers.

✤ Managed external group providers may define extended role definitions

✤ Applications may of course provide additional membership roles locally.

✤ Work on international harmonization of this basic model.

Invitations, people search

✤ Protected with Feide

✤ Generic js library

✤ Very easy integration in all applications that need to «add users».

Activity streams

Example feed shown on the slide: Andreas created a wiki page «welcome!» at Agora; Armaz shared a file «architecture.pdf» at Cloudstor; Simon scheduled a new meeting; Andreas confirmed and will attend meeting; a new user Thorleif is added to the group.

✤ One activity stream per group.

✤ Generic information model

✤ Activities posted to one or more groups

✤ Public / private, normal / promoted

✤ User interfaces: WebApp frontend, mobile app frontend, widgets, API
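The group information model and the activity-stream model described above, as an added JavaScript example (not code from UWAP or Feide): membership roles decide who may post, visibility decides who may read, and the aggregated feed is filtered per group before it is shown. Group names, users and activities are constructed to mirror the feed on the slide.

```javascript
// Added example, not code from the UWAP project: a minimal group information model
// (admin/owner, regular member, optional subscribers) with one activity stream per
// group, activities posted to one or more groups, and public/private visibility enforced.
const ROLES = new Set(["admin", "member", "subscriber"]);

class Group {
  constructor(id) { this.id = id; this.members = new Map(); this.stream = []; }
  addMember(userId, role = "member") {
    if (!ROLES.has(role)) throw new Error(`unknown role: ${role}`);
    this.members.set(userId, role);
  }
  // Admins and regular members may post; subscribers only read.
  canPost(userId) {
    const role = this.members.get(userId);
    return role === "admin" || role === "member";
  }
  // Private activities are visible to members and subscribers only.
  canRead(userId, activity) {
    return activity.visibility === "public" || this.members.has(userId);
  }
}

// Post one activity to one or more groups; refuse the whole post if any group denies it.
function postActivity(groups, actor, activity) {
  const denied = groups.filter((g) => !g.canPost(actor)).map((g) => g.id);
  if (denied.length) throw new Error(`${actor} may not post to ${denied.join(", ")}`);
  const entry = { visibility: "private", promoted: false, ...activity, actor, groups: groups.map((g) => g.id) };
  for (const g of groups) g.stream.push(entry);
  return entry;
}

// Aggregated feed for a viewer: each group filters its own stream, cross-posted
// activities appear once, promoted activities come first.
function feedFor(viewer, groups) {
  const seen = new Set();
  for (const g of groups) for (const a of g.stream) if (g.canRead(viewer, a)) seen.add(a);
  return [...seen].sort((a, b) => Number(b.promoted) - Number(a.promoted));
}

// Constructed sample data modelled on the feed shown on the slide.
function buildDemo() {
  const agora = new Group("agora"), cloudstor = new Group("cloudstor");
  agora.addMember("andreas", "admin"); agora.addMember("simon"); agora.addMember("armaz");
  agora.addMember("thorleif", "subscriber"); cloudstor.addMember("armaz");
  postActivity([agora], "andreas", { verb: "created", object: "wiki page «welcome!»" });
  postActivity([cloudstor], "armaz", { verb: "shared", object: "file «architecture.pdf»", visibility: "public" });
  postActivity([agora, cloudstor], "armaz", { verb: "scheduled", object: "a new meeting", promoted: true });
  return { agora, cloudstor };
}
console.log(feedFor("thorleif", Object.values(buildDemo())).map((a) => `${a.actor} ${a.verb} ${a.object}`));
```

A viewer outside both groups sees only the public file share; a subscriber can read the group's private stream but is refused when trying to post.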

Notifications

✤ The most important activity updates

✤ Email and mobile push notifications

✤ Personal preferences

Federated Widgets

✤ Embed content on remote site

✤ Challenge:

✤ secure environment

✤ authentication

Federated Widgets

✤ Super simple integration!

✤ Secure separation from container site

✤ Auto-detecting existing Feide session

✤ No server-side requirements...

Federated Widget

✤ The group-context-aware «webmeeting button»

Screenshot: «Webmeeting using Adobe Connect» with a «Join meeting» button.

Feed widget: shows an aggregated feed of activities for the currently selected group across all collaboration tools.

Share widget: can be easily integrated anywhere. Shares a link to the current web page to the activity stream for the current user in a selected group context.


RedMine with the Activity Stream Connector enabled.

WebApp Hosting (PaaS)

✤ Web as a platform

✤ Usage increasing

✤ True multi-platform: desktop, mobile (android+ios+)

✤ REST API friendly

✤ Client side logic

✤ Makes it hassle-free to provide a cloud-based hosting environment

✤ Easier service roll-out in education: no installations.

creating a new application...

How does it work?

✤ Each app gets its own domain: myapp.eduapps.org

✤ The app engine provides a JavaScript API to access all functionality

✤ The JavaScript engine communicates with the app server using a REST API.

✤ Let’s test it...

89 lines of code (mostly UI)

App Store

Connecting edu institutions to content providers with new more efficient and fair payment models

Diagram: authorization data; new potentials; content providers.

Open Data

✤ Universities have an increasing interest in sharing their data using APIs.

✤ Win-win situation. Both students and commercial providers may provide value-added services by making use of the data.

✤ Privacy is very important!

✤ It is complex to provide an authentication model for delegated access to personal data.

Service Providers

✤ REST API with delegated access control.

✤ Feide authentication

✤ Trust model

✤ Scalable management of third party client access control.

Diagram: frontend, API, business logic, information.

SOA Gatekeeper

✤ Manage 3rd party clients

✤ Control your open APIs

✤ User control, scopes, consent etc.

Providing a Service

✤ Not yet planned.

✤ Strong interest in higher education (UH) in getting services up. Especially around groups.

✤ Coordinated with:

✤ Feide

✤ Nansen

✤ IKTsenteret involved early...

Timeline 2011–2016 (same diagram as above): Webteknologi 2012; Webteknologi 2013-2016, innovation projects in UNINETT related to "Webteknologi"; spin-off service development / roll-out; ???; innovation.

It. 1: First iteration, service pilot

Packaging together with Feide

Feide Connect!

Diagram (same as above): the apps use Feide for authentication (SAML SP) and Feide Connect for API + OAuth and additional services.

Feide Connect! added-value

✤ Simpler integration with modern web applications (OAuth-based)

✤ Support for authentication on mobile

✤ Easier integration with PaaS (Nansen)

✤ Support emerging standards: OpenID Connect!

✤ Groups

✤ People search

✤ Easier cross-federation integration!

✤ Built-in discovery

✤ Guest users

✤ Lower bar of entry for service providers: students etc. Self-service. Support no-contract consumers!

✤ Extensible: allows us to add new services!

Will not solve...

✤ Local Single Sign-On on a Windows domain with Kerberos

✤ Higher level authentication (2-factor). LoA.

✤ Accepting more loosely connected users through Feide (UiO)

Services to add later on

✤ Activity streams

✤ Calendar sharing

✤ REST API engine

✤ Notifications

✤ SOA Gatekeeper

✤ App hosting

✤ Storage, message queue, cache, release management etc.

✤ Federated widgets

✤ OAuth REST Engine (simplify using protected REST APIs)

✤ ...

NANSEN

✤ https://www.uninett.no/skytjenester-rapport-med-anbefalinger

✤ Strong interest in the higher education (UH) sector in collaboration on

✤ procurement of commercial cloud services

✤ building the sector's own cloud infrastructure to organise tomorrow's services for the sector. Replaces today's ICT operations. With collaboration.

UNINETT's Nova platform

✤ Work in 2013-2014.

✤ Building cloud infrastructure internally to be able to host our own services

✤ Competence building and preparatory work that may be useful for the sector in realising NANSEN's sector-specific cloud.

Stack diagram: virtualisation, OS, UWAP Core, Feide, WebApp PaaS, high availability, file storage, in-memory store, NoSQL store.

✤ UNINETT FAS

✤ Administrative apps for self-service

✤ eCampus

✤ Collaboration tools: Agora, RedMine, web meetings etc.

Service Platform

Diagram: Feide authentication, people search, calendar sharing, activity stream, groups and authorization, REST API engine, notifications. All platform UI built as independent apps.

IKTsenteret

✤ Joint collaboration on Feide.

✤ Very similar needs around support for services for the education sector.

✤ Probably cost-effective to work on a common solution when the needs overlap.

✤ Collaboration on the information model for groups

✤ Pilot integration with e.g. a county municipality group provider

✤ Pilot integration with BAS for people search

✤ Pilot service providers

✤ Interesting use cases: DVM,

Possible tasks
