Service platform for the education sector
Andreas Åkre Solberg, UNINETT, Web Technology Research and Development
Oslo, 11 February 2013
Once upon a time
Web Single Sign-On with Feide was sufficient to provide a seamless user experience across services.
Collaboration on Internet
✤ Dynamic working groups spanning multiple organizations work together using digital collaboration tools:
✤ A wiki
✤ Document sharing tool
✤ Meeting planner and calendar
✤ A Web meeting tool
✤ A web forum or mailing list
To provide a satisfying end-user experience spanning multiple collaboration services today, SSO is not sufficient.
Traditional approach
[Diagram: a user directory batch-provisions users and groups into App1, App2 and App3]
✤ Does not scale
✤ Not dynamic
✤ (Often) only in one direction
✤ But it works, for some use cases
Modern services
✤ Modern collaboration services share a bunch of common components:
✤ Users and authentication
✤ Groups and authorization
✤ Invitation (mapping users and groups)
✤ Activity stream
✤ Notifications (mail and mobile push notifications)
✤ Data access with third party REST API
Component X
[Diagram: Feide authentication through a SAML SP, an API + OAuth component and additional services, consumed by App, App, App]
[Timeline 2011-2016: Webteknologi 2012; Webteknologi 2013-2016: innovation projects in UNINETT related to "Webteknologi"; spin-off service development / roll-out; ???; Innovation]
UWAP Prototype
✤ As more and more support functionality (auth, groups, etc.) is offered, the complexity on the service side can quickly become unsustainable.
✤ Simplicity for the service providers is very important!
✤ They should deal with libraries, not with separate software components running on the service side.
✤ We must learn from the ecosystems of the large players that have succeeded with extreme scalability: Google, LinkedIn, Facebook and others.
✤ Self-service is critical.
[Diagram: Users, Content API, Service, Third party applications]
New, more complex model
[Diagram: delegation between Third party applications, Content API and Service]
UWAP Eco-system
[Diagram: App Developers, Content Providers, Schools and Universities, Users]
UWAP Prototype
✤ Service providers
✤ Self-service
✤ Simpler integration than Feide.
✤ Built-in support for mobile apps
✤ Based on OAuth / OpenID Connect
✤ Simple API with a range of extra functionality
Groups
✤ Dynamic large-scale groups from Feide attributes
✤ Organization, department
✤ Affiliation: like «all students at NTNU»
✤ Ad-hoc groups
✤ Managed external groups
✤ FS
✤ KIND, etc.
Platform
[Diagram: platform with self-service group management; group sources: Feide (dynamic groups), FS, SURFconext and others (managed external groups), ad-hoc groups; consumed by App, App, App]
Ad-Hoc groups
✤ Everyone can create new groups, and invite/add users
✤ Important to easily find the correct persons you want to add. Search engine based upon real names.
Group information model
✤ List of members
✤ Membership roles:
✤ Admin/Owner
✤ Regular member
✤ (Subscribers) Optionally a group can have subscribers.
✤ Managed external group providers may define extended role definitions
✤ Applications may of course provide additional membership roles locally.
✤ Work on international harmonization of this basic model.
Invitations, people search
✤ Protected with Feide
✤ Generic js library
✤ Very easy integration in all applications that need to «add users».
Activity streams
[Mock-up of an activity stream:
Andreas created a wiki page «welcome!» at Agora
Armaz shared a file «architecture.pdf» at Cloudstor
Simon scheduled a new meeting
Andreas confirmed and will attend meeting
A new user Thorleif is added to the group]
✤ One activity stream per group.
✤ Generic information model
✤ Activities posted to one or more groups
✤ Public / Private, Normal / Promoted
User interfaces
✤ WebApp frontend
✤ Mobile app frontend
✤ Widgets
✤ API
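The group information model and the per-group activity stream from the slides above, as an added example that is not code from the UWAP / Feide Connect platform. Where the slides leave a rule open (who may post, what subscribers see) the code marks its choice as an assumption.

```javascript
// Added example, not code from the UWAP / Feide Connect platform: a minimal
// in-memory model of groups with membership roles and one activity stream per
// group, where activities are posted to one or more groups and flagged
// public/private and normal/promoted.
const ROLES = { OWNER: 'owner', MEMBER: 'member', SUBSCRIBER: 'subscriber' };
// Assumption: owners and regular members may post and see private activities;
// subscribers only read public ones.
const FULL_MEMBER = new Set([ROLES.OWNER, ROLES.MEMBER]);

class Platform {
  constructor() {
    this.groups = new Map(); // groupId -> Map(userId -> role)
    this.activities = [];    // stream entries in posting order
  }
  // Everyone can create new groups; the creator becomes owner.
  createGroup(groupId, creatorId) {
    this.groups.set(groupId, new Map([[creatorId, ROLES.OWNER]]));
  }
  members(groupId) {
    const m = this.groups.get(groupId);
    if (!m) throw new Error(`unknown group ${groupId}`);
    return m;
  }
  // Members invite/add users. Assumption: only an owner may grant the owner role.
  addMember(groupId, byUserId, userId, role = ROLES.MEMBER) {
    const members = this.members(groupId);
    if (!FULL_MEMBER.has(members.get(byUserId))) throw new Error('only members may add users');
    if (role === ROLES.OWNER && members.get(byUserId) !== ROLES.OWNER) throw new Error('only owners may add owners');
    members.set(userId, role);
  }
  // Post one activity to one or more groups; the actor must be a full member of each.
  post(actorId, verb, object, groupIds, { visibility = 'public', promoted = false } = {}) {
    for (const g of groupIds) {
      if (!FULL_MEMBER.has(this.members(g).get(actorId))) throw new Error(`${actorId} may not post to ${g}`);
    }
    const entry = { id: this.activities.length, actorId, verb, object, groupIds, visibility, promoted };
    this.activities.push(entry);
    return entry;
  }
  // Feed for a user in a selected group context: what the feed widget would show.
  feed(userId, groupId) {
    const role = this.members(groupId).get(userId);
    if (!role) return []; // non-members see nothing in this group context
    return this.activities
      .filter(a => a.groupIds.includes(groupId))
      .filter(a => a.visibility === 'public' || FULL_MEMBER.has(role))
      .sort((a, b) => Number(b.promoted) - Number(a.promoted) || b.id - a.id); // promoted first, then newest
  }
}
```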
Notifications
✤ The most important activity updates
✤ Email and mobile push notifications
✤ Personal preferences
Federated Widgets
✤ Embed content on remote site
✤ Challenge:
✤ secure environment
✤ authentication
Federated Widgets
✤ Super simple integration!
✤ Secure separation from container site
✤ Auto-detecting existing Feide session
✤ No server-side requirements...
Federated Widget
✤ The group-context-aware «webmeeting button»
[Widget mock-up: «Webmeeting using Adobe Connect» with a «Join meeting» button]
Feed Widget: Shows an aggregated feed of activities for the currently selected group across all collaboration tools.
Share widget: Can be easily integrated anywhere. Will share a link to the current web page to the activity stream for the current user in a selected group context.
RedMine with Activity Stream Connector enabled.
WebApp Hosting (PaaS)
✤ Web as a platform
✤ Usage increasing
✤ True multi-platform: desktop, mobile (android+ios+)
✤ REST API friendly
✤ Client side logic
✤ Makes it hassle-free to provide a cloud-based hosting environment
✤ Easier service roll-out in education: no installations
creating a new application...
How does it work
✤ Each app gets its own domain: myapp.eduapps.org
✤ The app engine provides a JavaScript API to access all functionality
✤ The JavaScript engine communicates with the app server using a REST API.
✤ Let’s test it...
89 lines of code (mostly UI)
App Store
Connecting edu institutions to content providers with new more efficient and fair payment models
Authorization data
New Potentials
Content Providers
Open Data
✤ Universities have an increasing interest in sharing their data using APIs.
✤ Win-win situation. Both students and commercial providers may provide value-added service by making use of the data.
✤ Privacy very important!
✤ Complex to provide authentication model for delegated access to personal data.
Service Providers
✤ REST API with delegated access control.
✤ Feide authentication
✤ Trust model
✤ Scalable management of third party client access control.
[Diagram: API in front of information, frontend and business logic]
SOA Gatekeeper
✤ Manage 3rd party clients
✤ Control your open APIs
✤ User control, scopes, consent etc.
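The three gatekeeper controls listed above, worked as an added example that is not the UNINETT SOA Gatekeeper's own code: registered third-party clients, per-route scopes and revocable user consent, checked in that order before a request reaches the open API. Client, token and consent records are constructed sample data; a real deployment would look them up at the OAuth authorization server (assumption).

```javascript
// Added example, not the UNINETT SOA Gatekeeper's own code. Records below are
// constructed sample data; assumption: a real gatekeeper fetches them from the
// OAuth authorization server instead of holding them in memory.
const clients = new Map([
  ['studyplanner-app', { owner: 'dev@example.org', allowedScopes: ['courses.read', 'grades.read'] }],
]);
// Access tokens as issued to clients ("expires" is a unix timestamp).
const tokens = new Map([
  ['tok-1', { clientId: 'studyplanner-app', user: 'alice', scopes: ['courses.read'], expires: 2000 }],
  ['tok-2', { clientId: 'unregistered-app', user: 'bob', scopes: ['courses.read'], expires: 2000 }],
  ['tok-3', { clientId: 'studyplanner-app', user: 'carol', scopes: ['grades.read'], expires: 1000 }],
]);
// User consent: user -> client -> set of scopes the user agreed to (revocable).
const consent = new Map([
  ['alice', new Map([['studyplanner-app', new Set(['courses.read'])]])],
  ['carol', new Map([['studyplanner-app', new Set(['grades.read'])]])],
]);
// Scope required by each protected route of the open API.
const routes = { 'GET /courses': 'courses.read', 'GET /grades': 'grades.read' };

function gate(method, path, authHeader, now) {
  const scope = routes[`${method} ${path}`];
  if (!scope) return { status: 404, reason: 'no such route' };
  const m = /^Bearer (\S+)$/.exec(authHeader || '');
  if (!m) return { status: 401, reason: 'missing bearer token' };
  const tok = tokens.get(m[1]);
  if (!tok || tok.expires <= now) return { status: 401, reason: 'invalid or expired token' };
  // Control 1: only registered 3rd-party clients may call the API at all.
  const client = clients.get(tok.clientId);
  if (!client) return { status: 401, reason: 'client not registered' };
  // Control 2: both the client's registration and the token must carry the scope.
  if (!client.allowedScopes.includes(scope) || !tok.scopes.includes(scope)) {
    return { status: 403, reason: 'insufficient scope' };
  }
  // Control 3: the user's consent for this client and scope must still be in place.
  const userConsent = consent.get(tok.user);
  const granted = userConsent && userConsent.get(tok.clientId);
  if (!granted || !granted.has(scope)) return { status: 403, reason: 'consent missing or revoked' };
  return { status: 200, user: tok.user, clientId: tok.clientId, scope };
}

// User control: withdrawing consent blocks that client's tokens on the next request.
function revokeConsent(user, clientId) {
  const userConsent = consent.get(user);
  if (userConsent) userConsent.delete(clientId);
}
```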
Providing a Service
✤ Not planned yet.
✤ Great interest in the higher education sector in getting services up. Especially around groups.
✤ Coordinated with:
✤ Feide
✤ Nansen
✤ IKTsenteret involved early on...
Iteration 1: First iteration, service pilot
Packaged together with Feide
Feide Connect!
Feide Connect! added-value
✤ Simpler integration with modern web applications (OAuth-based)
✤ Support for authentication on mobile
✤ Easier integration with PaaS (Nansen)
✤ Support emerging standards: OpenID Connect!
✤ Groups
✤ People search
✤ Easier cross-federation integration!
✤ Built-in discovery
✤ Guest users
✤ Lower bar of entry for service providers: students etc. Self-service. Support no-contract consumers!
✤ Extensible: allows us to add new services!
Will not solve...
✤ Local Single Sign-On on Windows Domain with Kerberos
✤ Higher level authentication (2-factor). LoA.
✤ Accepting more loosely connected users through Feide (UiO)
Services to add later on
✤ Activity streams
✤ Calendar sharing
✤ REST API engine
✤ Notifications
✤ SOA Gatekeeper
✤ App hosting
✤ Storage, message queue, cache, release management etc.
✤ Federated widgets
✤ OAuth REST Engine (simplify using protected REST APIs)
✤ ...
NANSEN
✤ https://www.uninett.no/skytjenester-rapport-med-anbefalinger
✤ Great interest in the higher education sector in collaboration around
✤ procurement of commercial cloud services
✤ building the sector's own cloud infrastructure to organize tomorrow's services for the sector. Replaces today's ICT operations. Through collaboration.
UNINETT's Nova platform
✤ Work in 2013-2014.
✤ Building up cloud infrastructure internally to be able to host our own services
✤ Competence building and preparatory work that may be useful for the sector in realizing NANSEN's sector-specific cloud.
[Diagram of the Nova stack: virtualization, OS, high availability, file storage, in-memory and NoSQL store, with UWAP Core, Feide and WebApp PaaS on top]
✤ UNINETT FAS
✤ Administrative apps for self-service
✤ eCampus
✤ Collaboration tools: Agora, RedMine, web meetings etc.
Service Platform
[Diagram: Feide authentication, people search, calendar sharing, activity stream, groups and authorization, REST API engine, notifications; all platform UI built as independent apps (App, App)]
IKTsenteret
✤ Joint collaboration on Feide.
✤ Highly overlapping needs around support for services to the education sector.
✤ Probably cost-effective to work on a common solution when the needs overlap.
Possible tasks
✤ Collaboration on an information model for groups
✤ Pilot integration with e.g. a county municipality group provider
✤ Pilot integration with BAS for people search
✤ Pilot service providers
✤ Interesting use case: DVM,