Integration of PicoForge in a multi-authentication environment with Shibboleth
Olivier BERGER (GET/INT, France)
Hephaistos Conference, Paris (France), 16th November 2006

This work is licensed under a Creative Commons Attribution-ShareAlike License.

Contents
– Intro
– Context
– Description of PicoForge
– Promises of SSO with Shibboleth
– Future challenges & conclusion
Article
Authenticating from multiple authentication sources in a collaborative work platform: the Picolibre & Shibboleth case study
Quang Vu DANG (IFI), Olivier BERGER (GET/INT), Christian BAC (GET/INT), Benoît HAMET (phpGroupware)
About GET & INT
– GET is a group of several public higher education schools in France:
  – teaching + research
  – field of Telecommunications and IT
– Inside GET, INT (National Institute of Telecommunications), near Paris: business school + engineering school
– 470 researchers & 500 PhD + students

About me
– Research Engineer, software developer
– Libre software activist since 96
– Contributor on PicoLibre/PicoForge
– Various other bits in many projects ;)
– Previously worked as SW dev. / consultant (config. management, etc.)

The current team at GET/INT
– Active team ATM: Christian Bac & Olivier Berger
– Previously:
  – Benoît Hamet (consultant, phpGroupware dev. part time)
  – interns for PicoForge: Vu Quang Dang, Cong Van Ngo
– Historic team at ENST Bretagne
Pico[Libre|Forge]

PicoLibre/PicoForge
– Web platform for collaborative software development (« forge »)
– Initially named PicoLibre, recently renamed PicoForge
– Developed at GET (mainly GET/INT today)
– Free Software (GPL v2)
History: putting together libre software
– Picolibre: platform for collaborative software development in a pedagogical environment
– ProGET: for GET researchers' generic use; automated web publication
– Merging = PicoLibre V2 (PicoForge)

Concepts
– Web virtual desktop
– Projects (data isolation): public, private
– Ad-hoc project creation
– Open standards + Web accessible
– Potential redundancy in various tools

Main expected features
– Document sharing:
  – WebDAV folders (ProGET)
  – CVS (PicoLibre)
  – Subversion (incl. DAV?) (PicoForge)
  – Web FileManager (ProGET)
– Mailing lists (multi-purpose)
– Wikis (ProGET & PicoForge): private / restricted; public (optional); for Web site (optional)
PicoLibre GUI (screenshot)

Components of Pico[Libre/Forge]
– phpGroupWare (web virtual desktop, general ACL infrastructure, file-manager, ...)
– OpenLDAP (glue)
– TWiki (project Wikis) (soon)
– Sympa (mailing-lists)
– WebDAV (web folders)
– CVS (through SSH)
– Subversion (soon)

PicoForge architecture (diagram): OpenLDAP directory, Sympa lists, documents (Subversion / CVS), groups, phpGW, TWiki wikis, Shibboleth
Recent contributions (internship of Vu Quang Dang & Cong Van Ngo)
– Plugging Apache auth methods into phpGW (mapping external auth descriptors to internal accounts)
– Using Shibboleth for multiple auth sources and SSO
– FileManager over Subversion
– Integration with TWiki (+ Sympa, etc.)

Shibboleth SSO

Goals
– Several PicoLibre platforms
– Developers with several accounts
– Existing PicoLibre accounts
– Existing or future “identities” in global IS
– SSO with CAS/Shibboleth being deployed
– Progressive migration of local auth service to global SSO service

Identity Federation
– Meta data
– Common attributes
– Trust relationship between entities
Shibboleth architecture
– “Service Provider” (SP): protects a resource
– “Identity Provider” (IdP): identifies / authenticates users; provides attributes to SPs
– WAYF (“Where are you from”): helps the user to explicitly choose the IdP to use

Service Provider
– Implemented for instance in Apache
– Some attributes are fetched from the IdP to identify the user
– The SP decides the access policy

Identity Provider
– SSO service (CAS) authenticates users
– Binds a nameIdentifier and attributes
Typical transactions (diagram)

User view (screenshot)

About the project
– Uses CAS for SSO service
– Libre software (developed for project Internet2)
– Large scale deployment: USA, Finland, Switzerland and Great Britain
– Many applications supporting Shibboleth (Sympa, TWiki...)
– In France, identity federation at CRU
Integration in phpGroupware
– Existing internal phpgw accounts
– Alternatives: recreate accounts, or migrate existing accounts
– Solution: binding accounts: Shibboleth attributes -> Apache -> phpGroupware local accounts
– Keep the binding process soft & secure

Login process in phpgroupware (diagram)

Mapping mechanism added to phpGroupware (diagram)
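To make the "soft & secure" binding described on the three slides above concrete, here is an added Python example (not phpGroupware's or PicoForge's code) of the mapping logic: the Shibboleth SP in Apache exposes the federated identity as request environment variables, and a local account is bound to that identity only after its owner proves ownership once with the local password; the attribute names `Shib-Identity-Provider` and `eppn` and the in-memory tables are assumptions for this demo.

```python
# Added example: binding Shibboleth-authenticated identities to existing
# local accounts. Not phpGroupware/PicoForge code; attribute names and the
# in-memory tables are assumptions for this demonstration.
import hashlib
import hmac

def _hash_pw(password, salt):
    """Salted SHA-256, standing in for the local account password store."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()

# Constructed local account table: username -> (salt, password hash).
LOCAL_ACCOUNTS = {
    "oberger": ("s1", _hash_pw("local-secret", "s1")),
}

# Binding table: (IdP entity, eppn) -> local username. Starts empty: no
# account is bound until its owner proves ownership once (soft binding).
BINDINGS = {}

def identity_from_env(env):
    """Extract the federated identity the SP passed through Apache.
    'Shib-Identity-Provider' and 'eppn' are assumed attribute names."""
    idp = env.get("Shib-Identity-Provider")
    eppn = env.get("eppn") or env.get("REMOTE_USER")
    if not idp or not eppn:
        return None
    return (idp, eppn)

def login(env, local_user=None, local_password=None):
    """Return ('ok', username), ('bind-required', identity) when the
    federated identity has no binding yet, or ('denied', reason)."""
    ident = identity_from_env(env)
    if ident is None:
        return ("denied", "no federated identity in request")
    if ident in BINDINGS:
        return ("ok", BINDINGS[ident])
    # No auto-creation and no blind trust of the username part of eppn:
    # the user must present existing local credentials to bind.
    if local_user is None:
        return ("bind-required", ident)
    rec = LOCAL_ACCOUNTS.get(local_user)
    if rec is None:
        return ("denied", "unknown local account")
    salt, stored = rec
    if not hmac.compare_digest(stored, _hash_pw(local_password or "", salt)):
        return ("denied", "bad local password")
    BINDINGS[ident] = local_user  # persisted in LDAP/DB in a real deployment
    return ("ok", local_user)
```

After a successful bind, later Shibboleth logins map straight to the local account without any password prompt, which is the SSO behaviour the slides aim for.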
Conclusion

Challenges for PicoForge
– Packaging for distributions
– Spread + build a community of users / contributors
– PicoForge V2?
  – Application workflow module
  – Integration with other forge platforms
– Distributed forges
– Observing projects hosted on the forge (CVSAnaly, etc.)

Benefits of Shibboleth SSO for users
– Smooth migration
– Distributed / aggregated collaboration platforms
– New mapping feature of phpGroupware for other SSO systems
– Yet to complete integration and deployment ;-)
References: article.pdf

Thanks
Pico[Libre|Forge] specificity
– Software projects (Forge)
– Meant to be simple to learn (students)
– Understand some libre software issues
– Free software fully available (GPL)
– Deployed mainly at GET: teaching / student projects; ad-hoc projects

Virtual Web desktop (screenshot)

Projects: shared document spaces (ProGET)
– Each project owns a document repository
– Accessible via the Web file manager (phpGW, over DAV), or directly via WebDAV
– Sub-space: web pages (../public_html/)
– Plus Wiki

Shared folder in KDE (webdavs://.../) (screenshot)

Same in HTTP browser (screenshot)

Corresponding public Web page (screenshot)

Project Wiki (TWiki) (screenshot)

Access methods for documents (diagram)

Architecture of ProGET (diagram)