There are some problems with the virtual machine running the LDAP server connected to Feide OpenIdP. It will most likely not be fixed until Sunday afternoon.
OpenIdP is back up and running
The virtual machine running OpenIdP has been converted and moved from the problematic host to a new, safer location. The man in the picture below, Øyvind, spent the weekend fixing the OpenIdP server for us. If you see him on the street, give him a hug.
Foodle is now updated to version 2.1. New feature: Foodle now allows anonymous access.
Many people want to use Foodle with friends or colleagues who do not have a federated identity. Registering in Feide OpenIdP just to sign up for a meeting is not easy enough, so you can now tick a box to allow anonymous access to a newly created Foodle:
There are also several minor fixes in this release.
Feide RnD runs the OpenIdP Identity Provider, where users can register new accounts and log in with SSO to various services. I've written a lot about the OpenIdP solution since the launch. Time for some updates:
Currently we hold around 125 identities – not an incredibly high number of users, but still, significant.
Although the OpenIdP is provided as-is, best-effort, we have not yet experienced much down-time. We’ll do our best to keep the service up and running.
We have a list of improvements we want to make to the registration process of OpenIdP, to make it simpler to use.
As soon as we make the OpenID provider part of simpleSAMLphp more stable, we'll of course add OpenID provider functionality to OpenIdP.
I did a quick proof-of-concept implementation of a simpleSAMLphp authentication extension for MediaWiki.
More information and code to download available here:
I did this demo for Klaas. If Klaas, or someone else, wants to improve the auth extension and make it more polished, many will be happy. This is one of the most requested service integrations we have received.
We have implemented a web service called Foodle. What is it? Maybe you have already tested doodle.ch; Foodle is a federated rip-off that is open sourced.
When you go to Foodle, you are asked to authenticate. As Foodle is a SAML 2.0 service, we can connect it to all Identity Providers that support SAML 2.0. We have already added Feide, OpenIdP (for guest users), Wayf.dk (Denmark), University of Malaga (in Spain), Luxembourg, Slovenia, Netherlands and Croatia. If you do not have a federated account, you can still use Foodle, because when you select Feide OpenIdP you will get a link where you can create a new user account.
After authentication you end up on the Foodle front page. There you can create two kinds of Foodle: a meeting scheduler that allows a group of people to agree upon date and time slots, and a general multiple-choice Foodle.
Let's say you want to create a vacation planning table, where people in your group can tell when they are planning to take vacation. We click "create a multiple choice" and fill in the options:
We set an expiry date – after this date the Foodle will be read-only. When we click the Create Foodle button, we get a page that gives us a URL to our new Foodle. We send an email to the group of people we want to participate, and then we wait for responses.
Both the creator of the Foodle and all participants that have the URL will be able to go back to the Foodle at any time and review all the other participants' responses.
If your Foodle is confidential, keep the URL to the Foodle confidential, because it contains the access code for both responding and viewing the responses.
Now I have turned on "require consent" on Feide RnD OpenIdP. That means every time you log in to a new service you are asked whether it is OK that a list of attributes is sent. You can store the consent for later (then simpleSAMLphp stores a lot of hashes in a database).
The thing is that these functionalities put together are a killer combo:
- A self-registration OpenIdP
- Open connection (no closed federation)
- Dynamic SAML metadata exchange, which enables instant setup with no effort for either IdP or SP admins.
- Consent on attribute release. This functionality in simpleSAMLphp was contributed by the Danish Wayf.dk.
This is really great news! This has been a dream for a long time. Now we have an OpenIdP that you can connect to without any metadata exchange!
The latest version of simpleSAMLphp (from trunk) is also preconfigured to trust OpenIdP. You can now download simpleSAMLphp and, without modifying a single line of configuration or exchanging metadata with anyone, perform a login through the Feide RnD OpenIdP.
The default behaviour of simpleSAMLphp as an SP is to set the entityID equal to an endpoint on your server that automatically generates hosted metadata for your service. OpenIdP then supports looking up the metadata at that URL and uses it.
The next step with OpenIdP would be to enable user consent, which means users will have more control over which services retrieve information about their Feide RnD OpenIdP identity.
As you may have noticed, last week we added support for simpleSAMLphp to set its own entityID dynamically to a URL where simpleSAMLphp generates correct SAML 2.0 metadata for the service.
Now we have taken the next step. When simpleSAMLphp gets an incoming SAML request or response, it looks in the stored metadata; if it does not find an entry, it checks whether the entityID looks like a URL. If so, it tries to get the data available at that URL, and if it is SAML 2.0 metadata it downloads it and looks for an entity in there matching the entityID of the SAML request.
This allows SPs and IdPs to interoperate without being preconfigured. I will install this support in Feide RnD OpenIdP very soon, and also include the OpenIdP metadata in a default installation of simpleSAMLphp. When I have done that, you can download simpleSAMLphp and use it right away with Feide RnD OpenIdP without exchanging any metadata or changing a single line of config!
Metadata signature validation is not yet implemented, which means you can use this for open federations and tests, but not for closed federations. We will add metadata signature validation ASAP.
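As an added illustration of the lookup described above (example code written for this post, not simpleSAMLphp's own implementation): the entityID of an unknown SP is checked to see whether it is a URL, the metadata at that URL is fetched and parsed, and the EntityDescriptor matching the entityID is picked out. The fetch is simulated with an in-memory dict and the SP URLs are constructed, and because signature validation is not implemented, the `require_signature` switch only shows how a closed federation would have to refuse unsigned dynamic metadata.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the SP's entityID is also the URL of its hosted metadata.
SP_ENTITY_ID = "https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp"
SP_ACS = "https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
FETCHED = {SP_ENTITY_ID: f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}">
  <md:EntityDescriptor entityID="{SP_ENTITY_ID}">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="{SP_ACS}" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""}

STORED = {}  # preconfigured (exchanged) metadata keyed by entityID; empty here

def looks_like_url(entity_id):
    p = urlparse(entity_id)
    return p.scheme in ("http", "https") and bool(p.netloc)

def fetch(url):
    # Stand-in for an HTTP GET so the example runs offline.
    return FETCHED.get(url)

def resolve_sp(entity_id, require_signature=False):
    """Return {'entityID', 'acs', 'signed'} for the SP, or None if unresolvable."""
    if entity_id in STORED:                 # 1. stored metadata wins
        return STORED[entity_id]
    if not looks_like_url(entity_id):       # 2. only URL-shaped entityIDs are fetched
        return None
    body = fetch(entity_id)
    if body is None:
        return None
    root = ET.fromstring(body)
    ed_tag = f"{{{NS['md']}}}EntityDescriptor"
    # Accept a bare EntityDescriptor or an EntitiesDescriptor wrapping several.
    candidates = [root] if root.tag == ed_tag else root.findall("md:EntityDescriptor", NS)
    for ed in candidates:
        if ed.get("entityID") != entity_id:  # 3. entity must match the request's entityID
            continue
        signed = (ed.find("ds:Signature", NS) is not None
                  or root.find("ds:Signature", NS) is not None)
        if require_signature and not signed:
            return None  # closed federation: unverifiable dynamic metadata is refused
        acs = [a.get("Location") for a in
               ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)]
        return {"entityID": entity_id, "acs": acs, "signed": signed}
    return None
```

Note that `signed` only records whether a Signature element is present; verifying it against a trusted key is the step the post says is still missing.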
You can now log in to rnd.feide.no (through Feide or OpenIdP) and access the new menu item OpenIdP. When you are logged in, you get a submenu item to add new services:
I still update the metadata on OpenIdP manually, but this will be more automated later. For now, send me an email when you have added a new service; I will configure it and then get back to you.