Author: Renato Furter (SWITCH)
At this year’s TNC in Prague, I gave my first lightning talk ever. And the feedback of the audience was awesome. Almost everybody I met congratulated me on the talk. So I’d like to share how I ended up doing a lightning talk in rhymes, and why.
In January 2016 I submitted this very first lightning talk. And to my surprise it actually got accepted. As I never held a talk in front of 500+ people, I was quite nervous and wanted to stick to the rules. And the rule for a lightning talk is quite simple but also very harsh: you get 5 minutes and only 5 minutes.
“How can I make sure that I stick to the one rule?” I asked myself and the simplest answer to me was to learn by heart what you want to say. Now, learning stuff by heart gets more difficult the older you get, as you’re not used to learning by heart anymore. You merely know where and how to look up stuff.
So I remembered that I was always very good in memorising song-texts. And this is how the idea of the rhyming was born. I wrote about 850+ words in rhyme to learn them by heart. And the Slides just evolved almost organically once I had the text – thanks to the great graphics SWITCH provided.
Without further ado, I’ll present you my “lightning talk poem”:
TNC16 – Prague Lightning Talk “BetrAAIng the Federated Login”
by Renato Furter, June 13th 2016
My name is Renato and I’m working at SWITCH
I will do this talk in rhymes so the words better stick
As you probably know SWITCH is Switzerland’s NREN
you might heard of us before and you will again
We are serving universities – and institutions
they were asking us if we provide some file sharing solution
So we started a pilot, asked the users for their voice
In the end it was ownCloud – the product of their choice
As it happens to be, we just started our own cloud
and ownCloud was the first service on that cloud – no doubt!
You will agree, this is kind of confusing
From now on SWITCHdrive will be the name that we’re using
To access SWITCHdrive you need to identify
and in a our environment this means AAI
Oh how did we rejoice, as we found out
Shibboleth is supported out of the box in ownCloud.
After some investigation and a long talk with SURFnet
we started to have doubts, we started to sweat
We’ve been told that the Shibboleth implementation was frowsy
not user friendly, and on mobile phones lousy
And then there is webDAV – an established protocol
users might want to use it – probably not all
But Shibboleth enabled webDAV clients are rare
and in major OS implementations nowhere
So we had two choices – two paths one to choose:
Use AAI or use some other ruse
We went for the latter and that’s where it starts
the betrayal of the federated login – with a heavy heart
We created cloudID as a new identity
and were well aware, that it’s a huge obscenity
But with the user experience in our main focus
we decided that for the moment this will do for us
And also the webDAV problem that was latent,
with this little trick it was easily straightened
A web portal was created that is AAI protected
and if the user is allowed a cloudID is collected
Meanwhile our colleagues from the OpenStack group
had similar issues and similar dispute
OpenStack and AAI do not fit too well together
now they use cloudID too – for their matter
So how does this work? – I am glad you’re asking
I will give you the details of the cloudID magic
Of course there is no real magic in this process involved
It’s just putting parts and pieces together to get it solved
So when a user register for SWITCHdrive on the web site
an LDAP record is generated on our side
For OpenStack, a Keystone account is created
and this is how the user gets authenticated
“Now the user has two different login!” you will say
“and that undermines the purpose of AAI!”
I’ll give you that point and at the moment we know
that some users do have problems and a little woe
We will fix this very, soon as you will see
with the implementation of the Swiss eduID
To explain the eduID and all its aspects
would go too far and is a different subject
Important to know: it’s Shibboleth too
and users will have one login again – and not two
But enough about problems, let’s talk advantages!
And how, where and why there a vantage is
As all the users are registered through one page
it can also serve as a cloud service stage
On that site all our cloud services are presented
SWITCHdrive, SWITCHengines and SWITCHfilesender
Two of our main requests by users made
have been solved here as well – on that page
Quota enhancement is what they were asking for
And we gave’em that, so they can even store more
But we don’t want to manage quota for ten thousands of users
And if we do we’re going to be losers
We created a designated administration section
where privileged users from institutions are elected
Those administrators perform the quota raise
and responsibility in the institution stays
Request number two: collaboration!
Especially with people from outside the federation
When in a project or in a working group,
sharing data and files and keep people in the loop,
is hard with partners from an external institution
that do not have access to our file sharing solution.
So we created a voucher system to begin,
to create vouchers that let externals in.
With a voucher everyone can use SWITCHdrive!
Can I please, get a high-five?
Never mind, but the point here is,
that cloudID was a good idea – and still is
And once we have the Swiss eudID implemented
the betrayal of AAI will be terminated
We are looking forward to that day to come
we will get there and leave nothing undone
Time’s running up and I’m coming to an end
because I have been told it’s not allowed to transcend
Basically what I want you to say,
is that a little betraying sometimes might be OK.
This was probably confusing and a little too fast
and I’m sorry that there is no time for questions to ask
But TNC is young and I will be here,
chat me up in the breaks or buy me a beer.