This document discusses Feide Connect, a next generation service platform for advanced services and collaboration in higher education. It aims to provide a more seamless user experience across services through single sign-on authentication and additional features like user profiles, groups, activity streams, and open APIs. Rather than relying solely on SAML protocols, it advocates adopting modern OAuth standards and exposing functionality through REST APIs to better support mobile and third-party clients. Key components discussed include authentication, managing user groups and roles, searchable user profiles, activity streams, notifications, open data sharing, self-service tools for third-party clients, and international collaboration.

1. «Feide Connect»
Next generation service platform for advanced services
and collaboration services for higher education.
Andreas Åkre Solberg
andreas.solberg@uninett.no

2. Once upon a time
Web Single Sign-On with Feide was sufficient to provide
a seamless user experience across services.
!2

3. Collaboration on Internet
✤
A dynamic working groups spanning multiple organizations, work
together using digital collaboration tools:
✤
A wiki
✤
Document sharing tool
✤
Meeting planner and calendar
✤
A Web meeting tool
✤
A web forum or mailinglist
!3

5. Feide Connect
Authenti
cation
Self
Service
Groups
and
Roles
Activity People
streams search
API
Authz
Mngmnt
OAuth
Authorization Engine
HTTP API
5

6. Feide Connect
New architecture
Feide
tjeneste
Mobil app
Web app
Tredjepartsklient /
integrasjon
API-based instead of SSO-flow
OAuth + authentication
Makes use of Feide (without changes)
Feide
Feide Connect
grupper
personsøk
lagring
aktivitetstr
API authz
Offers additional services
Better support for mobile, desktop etc.
API Authorization Management
Tjeneste
backend
API
Extremely simple integration for Service
Providers
Low-bar of entry
(for students, non-commercial, etc)
oktober 23, 2013
!6

7. Authentication
Feide based upon SAML 2.0
Rather complex results in relatively high integration cost for Service Providers.
Limited opportunities to the «login request -> response»-flow.
!
Trends in consumer markets (Facebook, Google, Twitter, Linkedin, Salesforce)
From enterprise protocols towards APIs / REST and OAuth
Providers needs to offer APIs and third party integration anyway; OAuth
Easy to establish a simple authentication protocol (userinfo) on top of that
OpenID Connect
Built-in support for cross-federation (eduGAIN, Kalmar) and guest users.
oktober 23, 2013
7

8. Groups and roles
!8

9. Groups and roles
API Service
Base layer: builds groups
from Feide attributes
Feide
tjeneste
Mobil app
Web app
Tredjepartsklient /
integrasjon
Connector to FS:
emner, studieretning med mer.
Feide Connect
Support for Ad-Hoc groups
Feide
Anyone can create groups for their
collaboration needs. Cross-organizational
groups.
Support for custom external connectors
to an institutions authoritative source of
group data.
Groups
FS
personsøk
lagring
aktivitetstr
API authz
Ext Connectors
AdHoc
!9

10. Ad-hoc group management front-end
!10

11. People Search
Separate People Search API
Authenticated API
Also available as a JS library
And as a Federated Widget
Relies on already public information
Better user experience to search for real
user names, than to add userids.
!11

12. Modell for grupper
Superenkel, men utvidbar, informasjonsmodell
!
!
!
!
!
Protokoll for:
hente ut liste over grupper for gjeldende bruker (fra FeideID)
hente ut liste over medlemmer for en gitt gruppe (fra gruppeID)
!12

13. Utvidet modell
Standardisering per gruppe-type for utvidede egenskaper.
!13

14. Subscriptions
Content associated with public
groups. Users may subscribe.
!14

15. Activity Streams
!15

16. ma
Ar
ha
zs
WebApp frontend
Widgets
dr
wi eas
l l a co
tte nfi
nd rm
me ed
eti an
ng d
df»
!
sc
he
du
led
an
ew
me
eti
ng
Generic information model
A
n
ad ew u
de se
dt rT
o t ho
he rle
gr if i
ou s
p
Si
mo
n
re
«w as c
elc rea
om ted
e!» a
at wiki
Ag pa
or ge
a
User interfaces
An
d
Acitivites posted to one or more groups
An
re
.p
Mobile app frontend
da
at file
Cl «a
o u rc
ds hi
tor tec
tu
API
re
Activity Streams
One activity stream per group.
!16

17. !17

18. Notifications
The most important activity updates
Email and mobile push notifications
Personal preferences
!18

19. Open Data
!19

20. Open Data
Universities increasing interest to share their data using APIs.
Motivates growth of new innovative, and better services for the employees and
students.
!
Privacy very important!
Complex to provide authentication model for delegated access to personal data.
!20

21. Self-service
!21

22. Registration of new clients
!
Third parties register new
clients, and requests access
to API scopes.
!22

23. Managing clients
!
› Trust
› Scope management
› Statistics
!
› Authorization workflow
!23

24. API Authorization workflow
!
API owner grants access to new clients.
› Clients bounded to authenticated users / organizations
!24

25. Users accessing clients, is handled through Feide login
The platform will make sure end users accessing the
clients are authenticated (using Feide).
!25

26. API Authorization Dialog
!26

27. Client has obtained a token, and can access
«Feide Connect» services, such as:
!
> user info,
> groups,
> activity streams
!27

28. International Collaboration
Any student or employee in Europe should be able to login with their local credentials on the
through the platform.
Established cross-federation connections through eduGAIN and Kalmar.
!
Collaboration on harmonizing group definitions and exchange protocols with other countries.
Collaboration through GÉANT, Terena.
Nordic collaboration through NordForum?
Standardization
OAuth, OpenID Connect, SCIM, OpenSocial, ActivityStreams, Misc W3C
!28

29. Til diskusjon
Identifikator for mapping av bruker, brukerID, FeideID, studentID, personnummer, etc.
Hvilke type grupper, og evnt roller
Avtaleverk, og tilgang i utviklingsfasen
Kilde for dataene, WS vs database
Hastighet på oppslag
Samarbeid, UNINETT <-> FS
!29