What is OpenConext?


Facilitating online collaboration

OpenConext provides the building blocks to set up a collaboration infrastructure in which:

  • federated authentication is used to gain access to services and applications that are to be linked;
  • identity providers and service providers can exchange standardised attributes;
  • group information can be exchanged;
  • self-service components can be applied.

Expanding the use of OpenConext

The open source software is already being used by a number of different organisations. The aim is for OpenConext to be further developed within a growing community. SURFnet is encouraging international collaborative organisations, overseas research and educational network organisations and others to start using the software themselves and to contribute to the further development and expansion of OpenConext.

If you have an idea for an application of OpenConext, or would like to contribute to OpenConext yourself, get in touch through the mailing list. See the contact page for more information.

About Collaboration


So let’s start by identifying what is needed to make collaboration easier.

In order to make collaboration easy, users should be able to:

  • Use their own favourite tools as much as possible.
  • Re-use their credentials (username/password) for every tool they use.
  • Create their own collaboration groups and re-use those for every tool as well.
  • Depending on the type of collaboration having some sort of ‘collaboration home’ would be nice as well.

Not surprisingly, OpenConext is the middleware to achieve precisely that.

Re-use credentials

We employ technologies from Federated Identity Management to allow researchers and students to re-use their credentials across different tools and services. Simply put this means that users do not log in to services directly, instead the service redirects their browser to the log-in page of their own university or institute. There they log in, after which the university redirects their browser back to the service accompanied by a little token that tells the service that the person wanting to access is indeed a student or researcher. Depending on the service this token may also contain extra information (called attributes) such as the name or e-mail address and whether the person is a student or researcher.

In this setup, services are called Service Providers (for obvious reasons) and the institutes are called Identity Providers (since they provide and assert identity information of users to the Service Providers). This collaboration and distribution of responsibilities between Service Providers (often referred to as SPs) and Identity Providers (IdPs or IDPs) is called Federated Identity Management.

Almost all SPs will want to provide their services to more than one IDP. Of course in those cases the SP cannot know beforehand to which IDP the user’s browser needs to be redirected (since the user is not logged in yet). To get around that problem, the user is first redirected to a WAYF (Where Are You From) page, typically a list of IDPs that the SP ‘knows’ from which the user then selects his or her own institute.

Federated Identity Management is the first ingredient of OpenConext.

Create and Re-use groups

Collaborating on your own is somewhat difficult, therefore people tend to do this in groups.

Most services already have some way of describing groups. For example: Content Management Systems typically allow groups to be defined and different rights to be assigned to those groups (e.g. editing a page is limited to a web editors group). However, these groups are only relevant to the services in which they are defined. If you work together with a number of people in a project and use a CMS, a Video Conferencing service and some research specific tools, the project group(s) has to be recreated in each one of those tools. Even worse: when the project group changes (because people join or leave or get different roles) every group in every tool needs to be revisited and changed accordingly. This is a nightmare to keep track of and will inevitably lead to inconsistencies, errors, frustration and possibly security issues.

It is much easier to create and manage groups in one place and then tell all the tools you want to use where to get the group information from. This is exactly what OpenConext tries to do, by using a Group Provider where users can create and manage groups and where SPs can get information about groups (of which the logged-in user is a member). This approach ensures that groups are always up to date and consistent across tools, greatly lightening the administrative burden of maintaining groups across tools.

There is a caveat though: since different services have different interpretations of groups (or ways of assigning rights to groups or group members) you may still have to manage service specific interpretations in the services themselves (we’re working on that though).

Group Management across services is the second ingredient of OpenConext.

Tools and Services

Your favourite tools and services are not part of OpenConext itself.

But since we use open source and open standards as much as possible, hooking up your services is possible if they know how to play nicely with Federated Identity Management (the magic word is SAML2). If the service has no (notion of) groups then hooking it up using SAML2 is enough. In order to support groups the service has to be able to talk OpenSocial or VOOT, two protocols to exchange group information.

There is also a list of software that is able to connect to OpenConext.

A Collaboration Home, putting it all together

So there you have it. All the ingredients you need for easy collaboration.

The more technical nutshell

OpenConext is an open source technology stack for creating and running Collaboration platforms. It uses technologies from Federated Identity Management, as is available in Research and Educational Access Federations, Group management and OpenSocial Social Networking Technology. The aim of the software is to provide middleware infrastructure that can combine generic and specialized collaboration tools and services, within Research and Education and beyond, and make these available for collaboration over institutional and national borders. The Features & Components section describes the current and planned features for the platform.

OpenConext is built on top of many already available OpenSource products. The Documentation Development Area section explains what components are used, how these are used and what glues them together as well as how to install a test instance in your environment. Core building blocks include: Corto, JANUS, Apache Shindig and the Apache Rave incubator project, as well as Grouper, Shibboleth and SimpleSAMLphp.

Some of these are wrapped by OpenConext to be easily integrated into the platform, others are used mostly out of the box and only need configuration to work with OpenConext.

The source code repositories found on this site, in the section Repositories, together with installation instruction in the source code and some additional information on this site should enable technically oriented people to install, configure and run the platform for their own use. If you choose to do so, please please drop us a message, we are keen to learn what use cases you have with the platform. We also welcome any collaboration on the platforms components and technologies. Contact details for the OpenConext team at SURFnet can be found in the Contact & Support section. Note that we are currently only providing limited support, via a mailing list and as Jira tracking system.

All source code is licensed under the Apache License, Version 2.0, UNLESS the document headers in the actual sources indicate otherwise. When checking out the the source code, external SVN repositories may be included. These repositories may be under different, though still open source, licenses. The Licenses section provides a detailed overview of all the licenses used in OpenConext.

All documents and content of this site is under the Creative Commons “Attribution 3.0 Unported” license. This means that you are permitted to freely copy, distribute, display, present, or perform material on the site, and create derivative works from it, for either commercial or non-commercial purposes. The sole condition is that you cite the name of SURFnet.

So long, and thanks for all the fish.

Download the OpenConext brochure in PDF format: snconexta5hr.pdf