# NLnet entrust https://nlnet.nl/entrust/ ### Abstract: Can you explain the whole project and its expected outcome(s). Most organizations have a digital work environment that is composed of many applications. With a Single Sign-on (SSO) system they get a unified login and logout experience, but there is a catch. Traditional SSO protocols like OpenID Connect do not support syncing user profiles across applications: - in the applications, users are only created after they have logged in at least once - there is no mechanisms to propagate the deletion of users Because of this lack of syncronisation, SSO implementations are not GDPR compliant by default, and organizations have to develop custom process to circumvent that. SCIM is a protocol designed to solve that. As a FLOSS hosting provider of a collaborative platform for over 80 organizations, we want to implement the SCIM protocol in our Identity provider, and in our applications. This will keep user database in sync, and make our platform GDPR compliant. We also want to inspire the FLOSS ecosystem and encourage developers to implement that protocol in their applications for a better interoperability. This video presents the problem we aim to solve: https://hot-objects.liiib.re/meet-liiib-re-recordings/pair_2022-05-02-15-40-37.mp4 ### Have you been involved with projects or organisations relevant to this project before? And if so, can you tell us a bit about your contributions? We already have a proof of concept (POC) working with the main applications of our collaborative platform. We collaborate with [Fairkom][1] to beta test [Keycloak][2] and [RocketChat][3] SCIM integration. We aim at going production by the end of the summer. We created a [Nextcloud SCIM integration][4] during the [Nextgov Hackathon][5]. We aim to beta test this in our platform in September. [Audriga][6] is joining the effort and will use their php library in our app. We have been long time contributors in the FLOSS ecosystem: - [RocketChat official docker image][7] - [Nextcloud official docker image][8] - Official RocketChat kubernetes helm charts We plan to collaborate with [Greenhost][9] because they run into the exact same limitations of these SSO implementations with their product called [Stackspin][10]. Using SCIM in both products paves the road to re-use their dashboard, while they can re-use our SCIM implementations for the applications mentioned above. 1: https://www.fairkom.eu/ 2: https://lab.libreho.st/libre.sh/scim/keycloak-scim 3: https://lab.libreho.st/libre.sh/scim/rocketchat-scim 4: https://lab.libreho.st/libre.sh/scim/scimserviceprovider 5: https://eventornado.com/event/nextgovhackathon#home 6: https://www.audriga.com/ 7: https://github.com/RocketChat/Docker.Official.Image 8: https://github.com/nextcloud/docker 9: https://greenhost.net 10: https://www.stackspin.net/ ### Requested Amount 48k ### Explain what the requested budget will be used for? Does the project have other funding sources, both past and present? (If you want, you can in addition attach a budget at the bottom of the form) Keycloak and RocketChat SCIM integration POC were self-funded. Nextcloud SCIM integration POC was part of a the Nextgov hackathon mentioned earlier. We won the 3rd prize. We are currently polishing it with our own fund. Fairkom is helping with their own fund. And Audriga is helping, they got DAPSI funding for this job. The first goal is to finish, polish, publish and communicate around these SCIM integrations (estimation 10 weeks). Then we want to develop tools to help us and the SCIM ecosystem to better use SCIM. We already started, on our own fund, the development of a [SCIM CLI][1] to facilitate the deployment and configuration of those integrations. And we'd like to further develop it to also manage users and groups, and be able to bulk import csv files (users and groups) (estimation 3 weeks). And we'd like to develop a reusable testing library to be able to improve and durably ensure quality of SCIM integration (estimation 3 weeks). Then, we want to develop from scratch, a SCIM integration for matrix / synapse server (estimation 6 weeks) We'd like to create a website and documentation to help users and administrators to explore this SCIM ecosystem we are building (estimation 2 weeks). In term of user interface to manage users, we plan to [collaborate][2] with Greenhost to work to make Stackspin dashboard compatible with any SCIM compliant Identity Provider (estimation 6 weeks). And finally, we'd like to spend 2 weeks to communicate around the topic, by going to events like [FOSDEM][3]. We estimated that a week of an employed developer costs around 1500 euros. We estimated around 32 weeks of work, that's why we ask for 48.000 euros. You can find all the work already done, and all the project management (broken down in tasks with estimations) [here][4]. 1: https://lab.libreho.st/libre.sh/scim/scim 2: https://open.greenhost.net/stackspin/dashboard-backend/-/issues/42 3: https://fosdem.org/ 4: https://lab.libreho.st/groups/libre.sh/scim/-/issues?sort=created_date&state=opened ### Compare your own project with existing or historical efforts. Historically LDAP has been the way to go for an interoperable identity management solution. Many enterprises still use this solution but we have seen a transition towards SSO protocols such as OIDC and SAML. LDAP directories are still used as the user database with those protocols on top. Meanwhile the issue is to keep this user database in sync with the user database of the apps (say Nextcloud). This is usually done through a background sync than can be an intensive operation when you need to sync thousands of users and cannot be done regularly. SCIM fills up that gap by having a real time event driven strategy. Therefore we can say that SCIM is an efficient and more ecological solution than regular full LDAP sync. While the SCIM protocol has been standardized by an IETF workforce, very few in the FLOSS ecosystem, initiatives implemented it. In the enterprise and proprietary ecosystem we can find some solutions that do implement it, like Microsoft with Azure, or Amazon with AWS. Microsoft ecosystem is using their own version of the protocol to offer a unified experience in their application ecosystem. Okta and Gluu as identity providers and some applications such as Slack are also implementing this protocol. Audriga is using SCIM to perform email migration for their clients. ### What are significant technical challenges you expect to solve during the project, if any? Free software applications (Like Nextcloud) usually already have a user provisioning API. Now that we have a standard for that task (SCIM), it is tempting to ask upstream developers (like Nextcloud) to replace what they have with a standard. But unfortunately, usually, they have to maintain backward compatibility with existing APIs for years. And upstream developers are usually reluctant to accept external contributions. So in one hand, we'd like to push upstream, but on the other it would require a lot of effort without being sure to succeed. On the other side of the spectrum, the easiest for us, for our infrastructure, would be to develop a custom, internal solution, based on a microservice. The advantage of this approach would be to ease the development complexity on our side. We can choose one language, and discuss with the various applications though their already existing API (like Nextcloud user provisioning API). The downside of this approach is that it is not much reusable by broader community. We decided to choose an other approach that is in between. We decided to develop "native" integration. For instance, in the case of Nextcloud, we developed a [Nextcloud integration][1]. This means, it is a lot easier for Nextcloud community to adopt and use this integration. And it also means that one day, if Nextcloud would like to implement it upstream, then it would be easier to reuse parts of the code, as it is using the same language. With this approach, the challenge is that we have to develop integrations in different languages (in our case, java, javascript, php and python). Another challenge is that Applications internal APIs can be insufficient and force us to find some tweaks to be compliant with the protocol. For instance, in SCIM protocol, when we connect Keycloak with Nextcloud, we need to decorate the Nextcloud group resource with the group UUID from Keycloak. And in Nextcloud, it is currently impossible to decorate a group resource. 1: https://lab.libreho.st/libre.sh/scim/scimserviceprovider ### Describe the ecosystem of the project, and how you will engage with relevant actors and promote the outcomes? #### Organizations and their users When an organization uses FLOSS applications, it is often easy to get started, and get one running. After some years, they start to have various applications to effectively collaborate. This is when users start to get frustrated and it is when an SSO system comes in handy. As outlined in the abstract, current SSO solutions like Keycloak with OpenID Connect used with Nextcloud is nice to login/logout, but doesn't take care of syncing users' profile. And if you delete the user in the SSO, it is not deleted in Nextcloud. This is an issue to be GDPR compliant. As IndieHosters, we are in contact with these organizations and their users. #### IndieHosters We believe that privacy and European sovereignty are important for our democracies. That's why we built a digital collaboration platform based on these FLOSS tools, hosted in a German data center. We provide this platform to more than 80 organizations, with public administration like Meteo France, small companies like [innervision.fr][1] or climate activists NGOs like [alternatiba][2]. Our users are already facing the problem we described in the abstract, and we already started to work to solve it. With or without funding, we will develop, test and maintain the solution we propose. But this funding will help us deliver it quicker, polish it, write documentation for others, and communicate around it so that more people can benefit from this innovation. With more people joining us, maintenance of the SCIM integration becomes a shared burden. All the work is or will be made available as free software under AGPLv3 License. #### SCIM The System for Cross-domain Identity Management (SCIM) is a perfect fit to easily improve GDPR compliance and consolidate the user experience across multiple FOSS applications as one platform. [SCIM][3] is an IETF standard protocol for cross identity management. We plan to develop the building blocks to enable a seamless user experience for free software based collaboration platform. And we will publish the various integrations we are building on their website. If there is an event, online or offline we'll attend to demonstrate how SCIM helped us to create a better FLOSS collaboration platform. #### FLOSS Applications As said, we are already engaged with communities like Nextcloud, RocketChat or Keycloak. We'll publish our integration on their store or web page to help other people find our integrations. If they have online or offline event, we'll apply to demonstrate how our integration help us improve the user experience regarding user management with SSO. We are currently focusing on a "small" sample of applications that we integrate in our collaborative platform but our goal is to inspire any FLOSS software community to do the same and provide some building tools to help them to take that path. We truly hope that next time a free software developer plan to expose a user provisioning API, this developer will implement SCIM directly! We will also apply to present our solution at FOSSDEM. #### European Hosters As mentioned earlier, we are already working with Fairkom to test our SIMC integration. We plan to work with Greenhost to add SCIM integration to their user management dashboard, Stackspin. And we are also working with Audriga, to improve the Nextcloud integration, for their mission to ease migration of users. We are also part of the two main european FLOSS hosters networks: - https://www.chatons.org/ - https://libreho.st/ We are already organizing a monthly meeting about our technical topics, and we'll use one of this meeting to present our solution. For this meeting we'll invite all the members of both networks to come and engage. #### Flight policy at IndieHosters While we believe that communication around the project is important, we'll not take any flights to attend an event in Person. We'll only go to regional conferences in Person or attend online events. 1: https://www.innervision.fr/en/ 2: https://alternatiba.eu/ 3: http://www.simplecloud.info/