So I'm modelling my architecture on MartinD's. Easy.
What the whiteboard had was a P2P-ish view of the graph here http://docs.moodle.org/en/Community_hub -- where instead of a clear hub-and-spoke model, we have a mesh of nodes trusting each other.
So I am working on a dev plan based a bit on the earlier work we've done with Elgg and trust relations, which had a lot in common with this and yet was strictly centralised. The plan is evolving slowly at http://docs.moodle.org/en/Community_hub_technotes -- though I'd like discussion about it to happen on this forum rather than in the not-very-visible :Talk page there.
It is a bit thick and hard to digest initially, but in short my aim is to allow Moodle installations to identify themselves to each other (not automatically but at the admin's request) and be able to pass messages around with GPG signing/encryption.
Given that GPG-style signing and encryption are very flexible, trust relations can be established in a mesh or in a centralised (hub and spoke) layout.
With that infrastructure in place, it will be possible to easily:
* Enable SSO across 2 or more moodle installs, with several options to control it as tight or as open as you want, and reports to visualise who's coming and going.
* Enable cross enrolments across 2 or more moodle installs, with several options to control it and good reports to allow enrolment to cross-listed courses to be paid for under different models.
* Enable some kinds of resource and course content sharing.
And all of this while each Moodle admin has his/her own Moodle under control.
I also want to do this with a minimum of requirements (so far, it'll require that you have a working GPG), and it should allow you to trust any Moodle install you decide to, and still give you good hints that it is safer to trust only Moodle installs that use HTTPS with a proper certificate.
There is a lot more detail in the Wiki page anyway -- I'll let it speak for itself http://docs.moodle.org/en/Community_hub_technotes
The Project Plan says I will have a working implementation of this by Oct 31st ... but doesn't mention the year!
Lack of specificity notwithstanding, this means I will be working on this on top of 1.6, port it to 1.7 once that's released and then merge it into HEAD for the 1.8/2.0 release cycle.
There is at least one good thing here: this is likely to get me into finishing off the multi-auth development work, and clearing out a few other oddities around enrolment and auth. So blocks of work that are useful and ready earlier can perhaps make it into 1.7... if they are any good, of course.
Anyway, off to pack for MoodleMootUK. I am posting this to bring a few more eyes, and hoping that there'll be a chance to talk about this with people over there and on the forum.
Let me suggest another direction, one that could be implemented sooner and relies on work already done within Moodle. Shibboleth. I've done a proof-of-concept for a different project that used a shibbed Moodle, so I know it's there to be done.
With Shib you can address
* trust relationships
* distributed user accounts
Have you looked closely enough at Shib to know how the pieces fit together? If not, I can outline that.
I have looked at Shibboleth a bit some time ago. Not at a detailed protocol level, which I should (any good link for me?). You are right that it is a valid alternative, but I have some (perhaps misinformed) concerns...
When I looked at it originally, I thought it'd be P2P (something along the lines of what I describe in the wiki actually), and I later read in the specs stuff that seemed to imply running a Shibboleth-specific server. In fact, if you look here http://shibboleth.internet2.edu/latest.html some of that stuff is sample 'client' implementation, but the RPMs are for a daemon you must run.
That put me off the whole thing because it seems to invite a tricky dependency. Our goal is to make it work automagically as much as possible. So far I can boil it down to requiring gpg, which is widely available on Linux, though it's available for legacy platforms too.
I've seen the latest MS leak memo. MSVista won't be considered ready until you can open a command window and
apt-get install gpg
Another concern is that when I discussed Shibboleth briefly with MartinD (can't remember when) he was mentioning that the protocol changed in non-compatible ways with each revision. I frown upon protocols that pull such stunts too.
(If we do our own protocol, and we make changes in it, fine, because it's driven by our needs and mistakes. But the whole point in using someone else's protocol is that it is stable... if things have broken between v1.0 and v1.3 of Shib I suddenly lose my confidence in the protocol maintainers.)
As you can see, it's all hearsay and prejudice so far. What are your thoughts & experiences?
You might first check Wikipedia http://en.wikipedia.org/wiki/Shibboleth_(Internet2) which is a reasonable jumpstart.
Shib itself is in the http layer. I'll talk in terms of Apache, though similar mechanisms happen in IIS. You get a number of attributes that are made available in the httpd process as variables. These variables get their values from a remote source, the Attribute Authority, which is part of an Identity Provider (IdP). There can be multiple IdPs, that's where you get a Federation.
The httpd server is the client, which in shib terms is the Service Provider (SP). The web apps run within the SP and just look for the variables that are provided to them. At this point, you have to "wire up" the variables into your web app; the Moodle shib authN module is a good example of how that can play out.
The interaction between the IdP and SP is where the Shib protocol plays out. This is built on SAML, Security Assertion Markup Language; I'll let you google about to see more. The "big boys" are playing here. SAML is riding on top of HTTP. You are correct that there have been some changes between 1.0 and 1.3, with some things from 1.0 not moving forward to 1.3. I take this to be a shakeout of what works and doesn't work, not any inherent unstableness. There is also a 2.0 in the works, which is going to use the more sophisticated SAML 2.0.
Now, the way Shib works does provide for trust relationships between the IdP and SP. There are X509 certs involved, key pairs that get exchanged. The IdP can control which attributes are provided to the SPs. Within the SP, it's also possible to control which attributes are provided to which applications. The traffic over the wire between the IdP and SP does use https too. I'm not going to say this is trivial to setup, "some assembly is required", but it's also not THAT complicated. If you deal with httpd and mysqld, it's not any worse than that.
The win with Shib comes with adoption of it. If the plumbing is already there, that is the web service provider has it in place, just bolt 'er up. We are not at that place just yet. Shib doesn't come with standard Linux distros or out-of-the-box OSX.
Shib also gives you an SSO using the username/password of the "home IdP". The IdPs will typically grab the user account info from an LDAP. You could say that Shib is "LDAP on steroids" from this perspective. There is a security win here, as you would not have to open up direct access to your LDAP to the SP; this makes the LDAP admins and security staff sleep better at night.
What I did in a recent project was a demonstration that we could add an ACCLIP (Accessibility Learner Information Profile) value to LDAP and get it over to Moodle by way of Shib, and in turn launch something external to Moodle, passing the ACCLIP value along, which showed an appropriate view to the user. The win here was that with a "remote SP", I didn't have to pre-load all the user accounts and their ACCLIP values; these came over at run-time. I can show you more details offline if you are interested.
There are some pros and cons of using Shib here in the near term. I'd certainly suggest looking at it on its own merits in solving the near term goal of the Moodle hub, as opposed to the long term "everyone will be using it". I think it's less work than the GPG approach, that's my knee jerk assessment. And ... you are likely to get some help from the Internet2 MACE folks, the ones who maintain Shibboleth. Look at the Shib wiki https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/WebHome and the mailing lists to see what kind of help you can
Thanks for the summary. I've read the basics of the FAQs and overview docs -- good refresher (I also re-read it all yesterday from the PDFs the Shib website has). Still, I don't have a good picture of what it looks like in real life.
I am more interested in the practical "more assembly required" part -- I suspect that that's where it gets messy. How messy, however, is really important.
Can you help me answer there?
- How hard is it to set up the infrastructure? Say, if we did all the work in Moodle's PHP code, what would a Moodle admin need to do to use it, other than say yes in an admin page?
- In terms of versioning, the key question I am interested in is "do apps interop between protocol minor versions?" I understand 'evolving' protocols, especially when the version number is < 1, but if a 1.3 node cannot work with a 1.0 node...
below. Assume the Community Hub is shibbolized and has a Moodle Federation.
q: How hard is it to setup the infrastructure?
a: Institution A would first need to join the Moodle Federation. This would involve registering and receiving an X.509 cert. Similar to joining the InQueue Federation (in Shib). Somewhat analogous to getting a high quality cert from Verisign. Institution A would then be able to enable their Shibboleth IdP to be part of the Moodle Federation. From there, Institution A could setup 1 or more SPs which had Moodle running within them that would now be able to access the Moodle Community Hub.
q: Say, if we did all the work in Moodle's PHP code, what would a Moodle admin do to use it?
a: Depends how much assurance is needed to join the Moodle Federation. Technically, certs could be requested, generated, and placed behind the scenes. However, some great assurance may be required by the "content providers". Much like what it takes to setup a new wireless phone and they do a credit check.
q: But really, how much could be done right in PHP?
a: Depends on how the Community Hub works. Do you want the content to stay "in place" on the Hub or some copy made that's loaded on Institution A's site? If the content is on the Hub, then you'd need to work out the logistics of federated user accounts, which is already in the Moodle AuthN plugin. If the content is copied to Institution A's site, then it's a matter of getting it in some canonical format (I have one in mind) and sending, receiving, and loading. This 2nd scenario would also be enabled by the federated user accounts; the Hub would know who made the transaction.
q: In terms of versioning, do apps interop between protocol minor versions? Does Shib 1.3 work with Shib 1.0?
a: There is some possibility for working across minor versions, since this is a problem that the Shib community already does address. I'd have to point you to someone more knowledgeable to get the full scoop. Since there isn't any legacy, you would be looking at going forward from the current version of 1.3, which is where almost everyone is at.
There's also some prospect for Moodle Partners who are content providers, for example Publishers, to have their own node in this Shibboleth world. I see the "Pay?" link on the diagram, that's what I'm reacting to.
Yes, that's very possible. I know some content providers are already looking to use Shibboleth with content we license thru
Dirk, great stuff. More questions on this...
a: Institution A would first need to join the Moodle Federation.
Cool. Joining a preexisting Federation would be easy then with self-signed certs (though some Federations may require more formal certs).
Follow on question: for free form, bottom up "you run moodle and I happen to run moodle too, let's hook'em together", can we band them together without a Federation, or can I make my Moodle "be a Federation hub server" with just PHP code (ie: with just a switch in /admin)?
This question comes because one of the goals is to be able to run P2P as well as hub-spoke. And those RPMs seem to imply running daemons on ports, or at least non-standard Apache modules, which is a bit too much.
a: Depends on how the Community Hub works.
I am kind of trying to get rid of the "community hub" role, so let's not get too hung up on it. For now, the 'community hub' is just a directory of Moodle nodes to trust, and any subsequent "transaction" happens between the 2 moodles involved. Think DNS (centralized/delegated) and TCP connections (end-to-end, distributed) and how they work together.
(This is for now, but you'll have to pry that one out of my pretty-beaten-up fingers -- or feed me good beer at the moot ... alright, maybe the hub could offer some extra goodies but that comes later. First the p2p infrastructure.)
There's also some prospect for Moodle Partners who are content providers
I am definitely planning to address 2 scenarios here:
- Content creators/publishers offering great moodle content for fee or for free.
- Course providers (all the way from large tertiaries to independent teachers) offering full course delivery for f(r)ee.
In terms of content delivery, I am currently thinking of the hybrid "Moodle-backup/IMS-CP" packages that Penny & Eloy have conspired to produce. We already need some smarts to open up an IMS-CP package and sniff out whether it is a moodle backup (and do something smart with it), so the mechanism would support SCORM, IMS-CP and course backups transparently.
The rest of this part of the infrastructure can (perhaps) ride on top of seminal work that Jun Yamog has done for OSLOR, but that overlaps a bit with some discussions about repositories that I want to have with people.
What is the format you are thinking of, Dirk?
For course delivery, you'll see I fully intend to allow certain controls on how and where "roaming" users can enrol to allow different business models to come into the picture.
Now, we are straying a bit into the "long term" here -- let's keep expectations reasonable...
Shib makes more sense in a Network. A Federation is a Network.
One of the things that got WebCT off the ground circa 1997 was course sharing. This was when it was still at UBC. Then it was bought (1999) and next thing we know there's this WebCT Community Hub. Lots of eCommerce was talked about. Then we had the dot.com crash and all of a sudden WebCT is dismantling their Hub and going back to makin' money the old fashioned way (licensing, support,
So, I see a chance to rerun this story, only this time do it more sustainably. Some is free and some is fee. Free or Fee, you make the call.
For the "immediate satisfaction" that brings a node into the Federation, how about a subset of the functions? By using proxy over http (or others), features like "Get this cool content and bring it into your own Moodle course" could be done. We'd have some pre-defined trust relationships setup. Have to talk more with the Shib folks about this one, it's a chain of trust scenario.
I was thinking about the IMS Common Cartridge as the content format. This is CP on steroids, a superset of CP. I was talking to Jason Cole about adding CC to Moodle at the June IMS annual meeting (Alt-I-Lab 2006). By doing this the Moodle Federation would be able to exchange cool content with non-Moodle communities. This would be quite attractive to the commercial Publishers, who are gettin' all fired up about CC.
That is the one thing that I am not getting a clear answer for. What are those RPMs for?
You'd have to jump down to HTTP (SAML in HTTP Headers) and I don't see anyone doing that with SAML.
Another thought, how about OpenID? Could be a fit for a community network, where the participants really don't know each other across nodes. That's similar to the blogosphere that OpenID has grown up within. I do see the prospect of doing this within PHP and not needing extra stuff like registering certs to get started.
I'm still comparing to your original thought of GPG; OpenID has some of the infrastructure already done.
OpenID would be a great fit for this -- to quote from this blog post:
"OpenID could also simplify the process of allowing students from different schools to take the same class in a single Moodle install. If Moodle was OpenID enabled, it would be possible to whitelist OpenID servers from multiple schools. This has the potential to create a truly distributed learning environment: students from different institutions interacting in a more formal class structure (Moodle), and in an informal learning space (Elgg)."
Community Hub / Network and Bulgarian BEST code and conception practice
It is good. Behind the scheme given above stands real code, conventions and Prof. Gergi Totkov's ideas. He maintains that the educational process has to be modeled with conceptions. The environment is a hierarchy of edu-institutions.
Project Leader of BEST (Bulgarian Educational Site): Assoc. Prof. DSc., Totkov, George Atanassov
Project Title: Modelling of Learning Processes and Management of e-Learning Projects
Annotation (up to 1800 signs): research objectives, used methods, expected results. The research objectives are to study and model the learning processes (and the objects, subjects, activities and didactic approaches related to them) as a specific control process with workflow structure and their application for realization of e-learning projects.
The main principles to be followed are: invariance in respect to the field of application; support of resource-based learning; shared use and cooperation during project creation, multiple use (in different contexts) of learning resources, etc. Research work can be distributed into three fairly independent fields: creation and study of a learning process model; modeling of an e-learning project (including methods and algorithms for virtual learning management depending on events, subjects and resource constraints); creation of prototypes of software systems accompanying and supporting e-learning projects. An important Project result is the possibility to automate the e-learning design and as a result to achieve effectiveness and interoperability. The research results can be replicated in the practice of research and education institutions in the country while implementing scientific experiments in the field of technology-based learning and e-learning projects for different forms of continuing education.
The research team includes teachers, researchers and five Ph.D. students from three of the largest Bulgarian universities, IMI of BAS and a successful software company. Scientific advisors of the Project are world renowned specialists in the field of intellectual technologies – Prof. A. Nariniani and Prof. R. Mitkov.
The Project realization will improve the quality of e-learning projects in Bulgaria with creation of effective models of the respective processes (based on didactic and resource constraints) including learning activities and communication tools. The created prototype of a software system will allow design, creation, editing and accompanying of electronic courses in different contexts (studied subject field, learners, distributed resources, etc.).
The first distribution and implementation of scientific and applied scientific results will be realized in the very first research year (in the implementation of “Intelekti” LTD activities – a Project partner). Other firms, employment agencies, government, non-government and educational institutions could also use the created methods, tools and technologies to create and share e-learning projects and to implement instruction for their staff and clients.
The models, methods, learning and software resources, created during the research work, are a natural follow-up of scientific and applied scientific results achieved earlier by the team, and will be available to e-learning researchers, professionals and experts for experimentation, evaluation and use.
The models and prototypes that are created and investigated have an innovative nature and are among the hottest and most topical fields of application of information and communication technologies in education. The Project results will remain current for a long period of time.
Your post (from 22 07 2006, 09:02) impressed me deeply and I found it very useful. I have to work very hard on the BEST (Bulgarian Educational Site) because I do not have time (deadlines etc.). One of the tasks is a common interface to all edu-institutions (something like a portal).
I think Shibboleth is too difficult for me as an implementation. I will try to write code of my idea and I will put it here. I know that there will be people who will laugh at this idea (unfortunately it will be very simple) but I bet on others (1/2*). It will be great to have an e-Learning Educational Network for Edu-Institutions all over the world. I admire this idea.
Go ahead and use GPG if you are really thinking in the web of trust (i.e., trust transitivity: I trust this other Moodle I didn't know of because its GPG key is signed with this other Moodle's key I fully trust).
But if you are just talking about "one-to-one" trust, where you need each and every key "manually blessed" by the admins (i.e., no transitivity in trust at all), shared secret schemes (with as much strong crypto in the middle as you want) are simpler to implement and deploy.
Dirk Herr-Hoyman has talked about Shibboleth. I don't know anything about it, but all this "smells" a lot like Kerberos to me...
Shared secret is easier, but harder to maintain. You have to keep a shared secret with each peer.
I don't intend to use all of GPG -- not encryption-level trust transitivity, not the key distribution server model. But I do want to use the public key cryptography because it is much easier to maintain (for admins) and to secure (to the extent that this can be secured), and using GPG protects us from the risks of DIY crypto.
The only advantage I see in the cert scenario is that you only need one cert for all your 'outgoing' way of trust, instead of a different shared secret for each peer. I guess this is only significant in Moodle sites that would have dozens of trust relationships, from the maintenance point of view.
On the other hand, why don't you use the OpenSSL extension that comes bundled with PHP? It has all the bells and whistles that you seem to need (private and public encryption, digital signatures, X.509 support, you name it) and it uses the OpenSSL library code, which is as good as GnuPG's. If you don't need/want trust transitivity, this should be enough.
As a bonus you don't have external dependencies, no license issues, no need to store things in the file system (OpenSSL extension functions accept keys/certs in strings, so you can store all of your crypto bits in the database), etc. You just need to store in the filesystem:
- the configuration file if you plan to use the key generation and certificate signing functions (openssl.cnf) and
- the trusted CA certs file to verify 'incoming' certs.
Just my 0.02 €
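Putting the OpenSSL-extension suggestion together with the signed-message exchange from the opening post, here is an added example (mine, not Moodle code and not from anyone in this thread) of two nodes signing and verifying a message with keys held as PEM strings rather than files; the hub_node_* function names, the envelope layout and the fingerprint-keyed trust list are my own assumptions.

```php
<?php
// Added example, not Moodle code: two Moodle nodes exchange a signed message via
// PHP's OpenSSL extension, with keys as PEM strings (database-friendly). The
// hub_node_* names and the envelope layout are assumptions made for this demo.

// Generate an RSA key pair and return [private PEM, public PEM].
function hub_node_keypair(): array {
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    openssl_pkey_export($key, $privatePem);              // private key as a string
    $publicPem = openssl_pkey_get_details($key)['key'];  // public key as a string
    return [$privatePem, $publicPem];
}

// Identifier for a peer: SHA-256 over its public key PEM. An admin compares
// this out of band before adding the peer to the trust list.
function hub_node_fingerprint(string $publicPem): string {
    return hash('sha256', $publicPem);
}

// Envelope a node sends: JSON body plus an RSA/SHA-256 signature over it.
// The body carries the sender fingerprint, so the signature also binds "from".
function hub_node_sign(string $privatePem, string $from, array $payload): array {
    $body = json_encode(['from' => $from, 'ts' => time(), 'payload' => $payload]);
    if (!openssl_sign($body, $sig, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return ['body' => $body, 'sig' => base64_encode($sig)];
}

// Check an incoming envelope against the receiver's admin-managed trust list
// (fingerprint => public key PEM). Returns the payload, or null when the sender
// is not trusted, the signature does not verify, or the timestamp is stale.
function hub_node_verify(array $envelope, array $trusted, int $maxAge = 300): ?array {
    $msg = json_decode($envelope['body'] ?? '', true);
    if (!is_array($msg) || !isset($msg['from'], $msg['ts'], $msg['payload'])) {
        return null;
    }
    if (!isset($trusted[$msg['from']])) {
        return null;  // the admin never said "yes" to this peer
    }
    $sig = base64_decode($envelope['sig'] ?? '', true);
    if ($sig === false) {
        return null;
    }
    // openssl_verify returns 1 for a valid signature, 0 for invalid, -1 on error.
    if (openssl_verify($envelope['body'], $sig, $trusted[$msg['from']], OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    if (abs(time() - (int) $msg['ts']) > $maxAge) {
        return null;  // too old: reject rather than accept a replayed envelope
    }
    return $msg['payload'];
}

// Demo with constructed nodes: A's admin has blessed B only; C is a stranger.
[$privA, $pubA] = hub_node_keypair();
[$privB, $pubB] = hub_node_keypair();
[$privC, $pubC] = hub_node_keypair();
$trustedByA = [hub_node_fingerprint($pubB) => $pubB];

$fromB = hub_node_sign($privB, hub_node_fingerprint($pubB), ['type' => 'enrol', 'course' => 'CS101']);
var_dump(hub_node_verify($fromB, $trustedByA));    // case 1: message from the trusted peer

$fromC = hub_node_sign($privC, hub_node_fingerprint($pubC), ['type' => 'enrol']);
var_dump(hub_node_verify($fromC, $trustedByA));    // case 2: sender not in the trust list

$tampered = $fromB;
$tampered['body'] = str_replace('CS101', 'CS999', $tampered['body']);
var_dump(hub_node_verify($tampered, $trustedByA)); // case 3: body altered after signing
```

Encryption of the payload (openssl_public_encrypt / openssl_seal) would sit on top of this same key material; the trust list, not the crypto, is what decides whose messages a node acts on.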
I might be completely wrong (...) you pretty much have the same scalability problems of shared secrets.
In the simplest of scenarios, yes. In the "peer with a 1000 nodes" the difference is noticeable. It is exactly half the workload of shared secret.
However, I am thinking of leaving the door open for some kind of (optional) central directory of known servers+idents, perhaps as an option to the "register your moodle" button. So I did say that I won't use GPG's key server software, but we may still look into a simpler Moodle-specific "key server". In fact, I'm pretty sure we will at some point.
I would imagine that such key servers can be run by Moodle.org and by entities like the Ministry of Education in NZ, which could aggregate groups of nodes, so you can decide to trust "all the secondary schools in Otago as listed by MoE" or something like that. But that's second stage stuff.
why don't you use the OpenSSL extension that comes bundled with PHP?
Because I'm an idiot. I hadn't heard of it before. Skimming the doco right now, it looks promising. Handles private key creation, signing, encryption, the works! Thanks!
(read some more...)
So far the only "tricky" part seems to be that we will require users to perform this step: http://nz.php.net/manual/en/ref.openssl.php#openssl.installation . Most Linux distros do it already so it's not a major problem.
Just my 0.02 €
Move the decimal point a dozen positions to the right...
I was talking to Martin D at Moodlemoot yesterday and I've started a thread here to try to follow up about community hub now my brain is functioning again. I didn't want to clutter up your thought processes here, hope I've posted in the right place.