Transcript Interfaces
Securing a Place in History: Authentication, Authorization, and Platform Integration for the Fortunoff Video Archive of Holocaust Testimonies
Steelsen S. Smith and Melissa A. Wisner
01-04-2015
Session Agenda
• Quick introduction to FVA, Aeon and Kaltura
• Project Overview: Guiding Principles, Platforms in Place, and Current Constraints
• A walk through the request and access process
• Breaking out the technical integration
Fortunoff Video Archive
FVA historically accessible on VHS cassettes stored securely on-site at YUL MSSA
Project to migrate VHS to a digital format still in process
Recording and collection of these testimonies began over thirty years ago
Archive contains more than 10,000 recorded hours
Aeon
Aeon in use at YUL-Beinecke and MSSA since 2011
Effective tool for special collections request management
User database effective for reading room management
The evolving physical-to-digital access model introduces different request, delivery and reuse needs, and the current release of Aeon is less effective at managing them
Kaltura
The situation…
Three self-contained systems
No existing integration
No new (large) solutions
The actors…
Aeon (no API)
Kaltura (short features)
Drupal (regulated instance)
The minimum…
Authenticate users in Aeon
Authorize videos through Aeon
Kaltura streams video
Drupal glues the pieces
Discovery, Aeon, Kaltura and Drupal
Discovery
• Library Online Catalog
• Links to requesting interface
• Interfaces: OpenURL
Aeon
• Request form for patrons
• Tracking interface
• Staff form for approvals
• Interfaces: Web forms
Kaltura
• Streaming services
• Storage services
• Interfaces: Web APIs
Drupal
• Content hosting
• Pre-made environment
• Interfaces: “Modules”
Discovery, Aeon, Kaltura and Drupal
Guiding Principles
Use standards
Use web services
Make it reusable
What’s available?
OpenURL
Drupal “Modules”
Kaltura’s API
Discovery, Aeon, Kaltura and Drupal
Guiding Principles
Use standards
Use web services
Make it reusable
What do we add?
Authentication
CAS? OpenID? Local? LDAP?
Restrictions (Authorization)
Claims? Enumerated? AD?
The Request Process End to End
After curator approval, an email is generated via Aeon containing the link to the authorized testimony
https://dev.testimonies.library.yale.edu/HVT107
The link will also appear in the Aeon request grid
Users will be directed to the Fortunoff Drupal site
Discovery, Aeon, Kaltura and Drupal
[Flow diagram: Discovery, OpenURL, Aeon, Drupal, Authorize, Kaltura]
Discovery, Aeon, Kaltura and Drupal
Authentication:
Identity on OAuth 2
Widely used
Easily consumed
FOSS implementations available
Discovery, Aeon, Kaltura and Drupal
Authorization: Custom Provider
Group policy inadequate
Aeon status (plus) as control
Audit log
Extend Aeon – for multiple projects
Discovery, Aeon, Kaltura and Drupal
[Architecture diagram: Identity Provider, Dir. DB, Discovery, OpenURL, Aeon, Custom Aeon API, Restriction Service, Drupal, Kaltura; connections labelled HTTPS]
About Authentication
[Sequence diagram between End User, Authentication Server and Fortunoff Site; messages in order:]
Request Access
Redirect to Auth
Request Authentication Page
Respond with login challenge
Credentials Provided
Authorization Code Provided
Authorization Code provided to App.
Auth token requested
Token granted
Request User Details
User information provided
User redirect to authenticated page
About Authentication
Reusability
Simplified identity management
Linking to existing SSO (CAS)
About Authorization: Exposing Aeon
Creative queues
WebAPI scaffolding for rapid development
Service oriented architecture
What are the risks?
About Authorization: Standardizing
API is a base for other applications
Restrictions normalized for use across services
Single application – many collections
How does it grow?
About Authorization: Securing
Metadata is sensitive too
Ensure reusability – SOA gateway
Client certificates for servers
Remaining Work
Update to the Aeon API
Link to API gateway / finalize security
Merge login interfaces
Finish transcoding VHS tapes
Designing new request forms and web pages in Aeon
Updating metadata in discovery layer
Soft rollout anticipated Summer 2015
Migrate metadata from AT to AS Winter 2016
Recap
An identity provider unifies login
An Aeon API abstracts access
A restriction service links Aeon to Kaltura
A user clicks the email link, goes to Drupal
OpenID Connect is used, identity confirmed
Before the Kaltura module will play, it uses the restrictions service to confirm access
Authentication information is stored in a user repository, authorization information in a transaction repository; metadata stays uncontaminated.
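The playback gate described in the recap, as an added example that is not the project's own code: a deny-by-default restriction check that maps an OpenID Connect subject and a testimony ID to an Aeon request status and records every decision in an audit log. The status names, the expiry field, the record shape and the function names are assumptions; the slides do not specify them.

```python
"""Restriction-service check run before the player is rendered (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed status vocabulary; the slides only say "Aeon status (plus) as control".
PLAYABLE_STATUSES = {"Approved"}

@dataclass(frozen=True)
class Transaction:      # hypothetical shape of a record in the transaction repository
    user_sub: str       # subject claim issued by the identity provider
    item_id: str        # testimony identifier as in the emailed link, e.g. "HVT107"
    status: str
    expires: datetime   # assumed end of the approved viewing window

def check_access(sub, item_id, transactions, audit_log, now=None):
    """Return True only if an approved, unexpired request links sub to item_id.

    Every decision, allow or deny, is appended to audit_log with its reason.
    """
    now = now or datetime.now(timezone.utc)
    allowed, reason = False, "no matching request"   # deny by default
    if not sub or not item_id:
        reason = "missing identity or item"
    else:
        for tx in transactions:
            if tx.user_sub != sub or tx.item_id != item_id:
                continue
            if tx.status not in PLAYABLE_STATUSES:
                reason = f"status {tx.status}"
            elif tx.expires <= now:
                reason = "approval expired"
            else:
                allowed, reason = True, "approved request"
                break
    audit_log.append({"time": now.isoformat(), "sub": sub, "item": item_id,
                      "allowed": allowed, "reason": reason})
    return allowed

# Constructed sample data, not taken from the archive.
NOW = datetime(2015, 4, 1, tzinfo=timezone.utc)
LATER = datetime(2015, 5, 1, tzinfo=timezone.utc)
EARLIER = datetime(2015, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    Transaction("patron-1", "HVT107", "Approved", LATER),
    Transaction("patron-2", "HVT107", "Awaiting Approval", LATER),
    Transaction("patron-3", "HVT107", "Approved", EARLIER),
]
```

Only the subject and the item identifier cross into the check, so authorization state stays in the transaction records and the descriptive metadata is never consulted or modified.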
Thanks for stopping by!
Remember to complete your evaluation forms by April 17!
The yogurt in the fridge is mine!