[Fiware-security] Fwd: Re: Concord CROWD server

BISSON Pascal pascal.bisson at thalesgroup.com
Fri Sep 28 17:10:02 CEST 2012


Hi Juanjo,

Thanks for informing us about this as well. As you know, since this relates to the IdM GE, please consider Robert and Wolfgang in cc as the main contact persons to get involved in this thread of discussion and figure out why CONCORD thinks the IdM GE solutions we have released are not answering their needs. I do think this is worth knowing in view of the IdM GE's potential evolution for the next release. Of course you could also keep me and Daniel in the loop on how this evolves, so we can step in if necessary.

Best Regards,
Pascal

From: fiware-security-bounces at lists.fi-ware.eu [mailto:fiware-security-bounces at lists.fi-ware.eu] On behalf of Juanjo Hierro
Sent: Friday 28 September 2012 15:47
To: Fiware-security at lists.fi-ware.eu
Subject: [Fiware-security] Fwd: Re: Concord CROWD server

Hi all,

  I'm forwarding you a recent discussion that has taken place over the FI-PPP ab mailing list. Essentially, one of the Use Case projects (ENVIROFI) is looking for a single sign-on solution plus a solution that supports creation and management of user accounts. They have just found that the CONCORD guys are offering a service called CROWD that apparently serves their purpose or looks attractive enough to seek further exploration.

  As you see, I have raised the question about why they believe that what the FI-WARE Identity Management GE provides is not enough ... However, it would be great if you participated in the discussion and helped to resolve it by giving detailed answers to whatever questions they may have. Could you point out whom I should add to the discussion ?

  Is this something for which we don't provide all the necessary pieces ?

  Cheers,

-- Juanjo



-------------
Product Development and Innovation (PDI) - Telefonica Digital
website: www.tid.es
email: jhierro at tid.es
twitter: twitter.com/JuanjoHierro

FI-WARE (European Future Internet Core Platform) Chief Architect

You can follow FI-WARE at:
  website:  http://www.fi-ware.eu
  facebook: http://www.facebook.com/pages/FI-WARE/251366491587242
  twitter:  http://twitter.com/FIware
  linkedIn: http://www.linkedin.com/groups/FIWARE-4239932


-------- Original Message --------
Subject: Re: Concord CROWD server
Date: Fri, 28 Sep 2012 15:33:51 +0200
From: Juanjo Hierro <jhierro at tid.es>
To: Salo Juha <juha.salo at aalto.fi>
CC: Havlik Denis <Denis.Havlik at ait.ac.at>, Humer Susanna <Susanna.Humer.fl at ait.ac.at>, Susanna Avessta <susanna.avessta at tivit.fi>, Pauli Kuosmanen <Pauli.Kuosmanen at Tivit.fi>, "jhierro >> \"Juan J. Hierro\"" <jhierro at tid.es>


Hi Denis,

  I may be wrong but ... could you elaborate on what was missing in the FI-WARE Identity Management GE in order to solve your problem ?

  Best regards,

-- Juanjo


On 28/09/12 13:36, Salo Juha wrote:
Hello,
I was thinking of replying when we have more information about the hosting of Atlassian tools, but I think it would be informative to let you know what is going on even without full details.

I'll answer inline if you may.

On 20 Sep, 2012, at 15:41 , Susanna Avessta wrote:


@Juha: Do you see any issues in principle for using Crowd really at large like mentioned below?

Crowd supports unlimited number of users ( http://www.atlassian.com/software/crowd/learn/faq#FAQs-Howmanyuserdirectories ), and the restriction is set by the license. Currently, our license for Atlassian software is set for unlimited number of users.

Other considerations that I can quickly think of relate to performance and policies. Currently, we are evaluating different hosting solutions for Atlassian software with Susanna and our focus is now on a dedicated server only to be used with Atlassian software. Since this task is currently in progress, we will come back to this question after we have settled some open questions first.

About policies, which relate to the answers below, it should be thought out who can have access to the user information. For instance, it appears that changing OpenID settings, and adding and changing groups, requires administrator rights to Crowd. This means that the administrator has access to all the user information in Crowd.

However, Crowd supports different scenarios for directories. You could have your own OpenLDAP instance, for example, that could be under your control, and then Crowd would connect to your OpenLDAP directory while being a centralized point of entry.


From: Havlik Denis [mailto:Denis.Havlik at ait.ac.at]
Sent: 20 September 2012 14:25
To: Susanna Avessta
Cc: 'Jose Lorenzo Mon'; Juanjo Hierro (jhierro at tid.es<mailto:jhierro at tid.es>)
Subject: Concord CROWD server
...
1)      Can you assure the availability of this service for a couple of years after the project end?
2)      could we use this system for SSO on various ENVIROFI web sites? (for our team)

There seem to be two ways of achieving SSO ( https://confluence.atlassian.com/display/CROWD/Overview+of+SSO ). We currently use the first method between Crowd and Confluence, which is based on a Web-browser cookie and only works under the same domain (in our case, *.fi-ppp.eu).

The second method relies on OpenID. I am not that familiar yet with OpenID (in the Atlassian world, CrowdID means OpenID provider), but it seems like SSO can be achieved using CrowdID ( https://confluence.atlassian.com/display/CROWD/Overview+of+SSO - "SSO Beyond the Firewall").

Currently the new services (Crowd, Confluence) are under test use. We would like to establish Atlassian software on solid ground first, including all the policies and processes related specifically to user management, before enabling CrowdID.

However, to get things rolling, we could test how the Crowd would work by enabling it on a testing server?


3)      could we even use it for management of the users of our application prototypes? (that would potentially be a large number, so self-provision and assuring they don't get access to wrong applications would be important.)


If I understood the question correctly, I think you would need some kind of a way to connect to Crowd from your applications to ask whether the user has sufficient rights. Crowd supports connectors ( https://developer.atlassian.com/display/CROWDDEV/Crowd+Remote+API+Reference and https://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+a+Custom+Application ). Maybe we could make this connector to your applications work based on groups. For instance, we could have Application1-users and Application2-users groups, and if we want a user to access both the first and the second application, we would add the user to these groups. Or, create a separate connector for each of your applications.

Here is a list of already supported applications: https://confluence.atlassian.com/display/CROWD/Supported+Applications+and+Directories



On 25 Sep, 2012, at 13:41 , Havlik Denis wrote:


OK, here is something to get us started:

1)      we are about to set up a Drupal service for ENVIROFI catalogue.
2)      I would like to use your server for identity management (Drupal supports OpenID).
3)      I'm putting Susanna and Susanna together now, and expect to get 2 out of it.
        1.       Possibility to use the CROWD server as our user mgm. backend for this Drupal instance.
        2.       Drupal instance able to take advantage of this.


If we are going to use OpenID, I think in this instance you set groups and permissions in Drupal - Crowd handles the login. However, there might be more to this, I am not yet that familiar with OpenID/CrowdID.




Susanna x2, could you pls. see how this is done without me now? Just tell me "it works, here is how to use it", don't need more details. :)

Oops :)


How does this sound? Maybe we could have a chat on Skype and further elaborate what is needed and when?

Best Regards,
Juha Salo, Susanna Avessta



