OpenID Connect/LDAP

Purpose

OpenID Connect is the authentication and authorization service offered with each Layers Box and the single point of entry for using the Layers tools and services residing in the Layers Box. The service builds upon an open source implementation of the OpenID Connect standard for token-based authorization and on the Lightweight Directory Access Protocol (LDAP) for secure user management. Both OpenID Connect and LDAP (here provided by OpenLDAP) are secure, well-established standards with broad community support, adopted by major IT players. The OpenID Connect integration in the Learning Layers tools is a “should have” for achieving a unified and uniform user management across the project software landscape. The benefits for a tool are twofold: a tool implementing OIDC automatically adheres to the security and privacy policies enforced by the other Layers tools, and it can gain access to data about registered users that was already gathered using other tools.

Description

OpenID Connect (OIDC) is a new concept compared to plain OpenID: it provides an identity layer on top of OAuth 2.0. The standard therefore combines the authentication work of OpenID with the established authorization framework of OAuth 2.0, including its extensive community support. The standard was finalized in February 2014 and gained broad industry support from large companies such as Google and Microsoft right from the start. In general, it hides the protocol's complexity from the clients.

As identity provider, the MITREid open source project was selected, tailored to the Layers needs and installed within the Layers Box. Underneath, the user database is linked to an LDAP backend run by the OpenLDAP open source project. By relying on the combination of OIDC and LDAP we allow Tethys to be used in many different environments.

Figure 1 - Layers OpenID Connect Home Page

SMEs without an extensive IT infrastructure may either use the lightweight embedded solution we provide or rely entirely on external identity providers such as Google or Microsoft, which both provide a public OIDC infrastructure. On the other hand, LDAP is an industry-strength solution that many companies run in the form of the commercial Microsoft Active Directory software. In these cases, the OIDC software embedded into the Layers Box can be securely integrated with the company’s LDAP system, so existing user bases can simply log into the Layers services provided. Any application server environment that provides Layers services through the Layers Adapter can receive access tokens, contact the OIDC provider to exchange a token for OIDC user information, and use that user information internally for authentication and authorization. Currently, OIDC authentication is realized for the Layers frameworks Social Semantic Server and las2peer and for all Layers tools built on these Layers Box frameworks (such as Ach so!, Bits and Pieces, the Discussion tool, Learning Toolbox, etc.).
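The token exchange described above (a service receives a bearer access token, presents it to the provider's userinfo endpoint, and authorizes on the returned claims) as an added, self-contained example. This is illustrative code written for this page, not code from the Learning Layers project or from MITREid: the provider side is a constructed in-memory stand-in listening on localhost (a real MITREid server validates the token against its own database and resolves the user through the LDAP backend), and the token values, user records and the `authorize_request` policy are invented for the demo. What it shows is the practitioner-relevant point that the resource server trusts only what the provider asserts, and that a token issued without the `email` scope yields no email claim, so a rule that needs one must deny.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for the provider's token store (access token -> record).
# A real MITREid server looks tokens up in its own database and resolves the
# user record via the LDAP backend; here it is an in-memory dict for the demo.
FAKE_TOKENS = {
    "tok-alice-123": {"sub": "alice", "name": "Alice Example",
                      "email": "alice@example.org", "scope": "openid profile email"},
    # Bob's token was issued without the "email" scope, so /userinfo omits email.
    "tok-bob-456": {"sub": "bob", "name": "Bob Example", "scope": "openid profile"},
}


class UserInfoHandler(BaseHTTPRequestHandler):
    """Minimal OIDC userinfo endpoint: checks the Bearer token and returns claims."""

    def do_GET(self):
        if self.path != "/userinfo":
            self.send_error(404)
            return
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        record = FAKE_TOKENS.get(token) if token else None
        if record is None:
            # RFC 6750: missing or unknown token -> 401 with a WWW-Authenticate challenge
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer error="invalid_token"')
            self.end_headers()
            return
        granted = record["scope"].split()
        claims = {"sub": record["sub"]}          # "sub" is always returned
        if "profile" in granted:
            claims["name"] = record["name"]
        if "email" in granted and "email" in record:
            claims["email"] = record["email"]    # only released if the scope was granted
        body = json.dumps(claims).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_provider():
    """Start the stand-in provider on a free localhost port; returns (server, issuer_url)."""
    server = HTTPServer(("127.0.0.1", 0), UserInfoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def exchange_token_for_userinfo(issuer, access_token):
    """Resource-server side: present the access token to /userinfo; claims or None."""
    req = Request(f"{issuer}/userinfo",
                  headers={"Authorization": f"Bearer {access_token}",
                           "Accept": "application/json"})
    try:
        with urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except HTTPError as exc:
        if exc.code == 401:
            return None  # provider rejected the token: caller is unauthenticated
        raise


def authorize_request(issuer, authorization_header, required_claims=("sub", "email")):
    """Decide a request using only the claims the provider asserted for the token."""
    if not authorization_header.startswith("Bearer "):
        return {"allowed": False, "reason": "no bearer token"}
    claims = exchange_token_for_userinfo(issuer, authorization_header[len("Bearer "):])
    if claims is None:
        return {"allowed": False, "reason": "invalid token"}
    missing = [c for c in required_claims if c not in claims]
    if missing:
        return {"allowed": False, "reason": f"missing claims: {missing}", "sub": claims["sub"]}
    return {"allowed": True, "sub": claims["sub"], "email": claims["email"]}


if __name__ == "__main__":
    server, issuer = start_provider()
    for header in ("Bearer tok-alice-123", "Bearer tok-bob-456", "Bearer forged", ""):
        print(repr(header), "->", authorize_request(issuer, header))
    server.shutdown()
```

Run it directly and it prints one decision per request: Alice is allowed, Bob is refused because his token carries no `email` claim, the forged token is refused by the provider, and an empty header never reaches the provider at all. The resource server never parses or trusts the token string itself; the provider's answer is the only source of identity.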

Provided Services

Material

Developers and Contributors
