There's a possibility that services integrated to MPASS could have interaction between them, for example a schedule planning service could provide the current user's next classroom time and location to a card on the Velmu desktop.

• Could, or even should MPASS provide a discovery API where the services could register their endpoints that can be used by other MPASS ecosystem services? Or is this something the services must privately do between them?
• If API discovery would be implemented, should MPASS define a set of interfaces the registered API's must implement, in essence providing an API contract? Using the classroom schedule example, MPASS could define an API interface where a service provides some human-readable data in list form. In this example Velmu would autodiscover the API and automatically create a card on the user's desktop which dynamically displays the list of classes for that user. Velmu would have a generic layout for a card which displays data in list mode, and could use any available data sources based on the API contract.

There is no logout functionality in Demo Velmu.

Come up with a reasonable convention of how logout should be handled on services using MPASS authentication. Write this down to be given out to Service Providers using MPASS.

Things to consider:

• Is SLO viable? Should MPASS support SAML2 logout at all?
• How an SP should implement logout when nothing can guarantee that the user would actually get logged out from the IdP (MPASS) and each SP session. This is a common problem in schools with shared devices.
• What about mobile devices and Apps like Google Docks or O365?

When user arrives to Demo Velmu as unauthenticated user a big list of authentication methods is displayed and the user needs to find her own method. Last selection or the most selected one with the current browser could be highlighted so the user finds it easily.

This could be implemented as a cookie where the choice is saved.

The Authentication Discovery API of MPASS provides a list of authentication methods and tags for categorizing those sources. The current login page of Demo Velmu does not utilize the tag information in any way.

Implement support for tags in the login page, for example tags could be used as sub-headings under which related authentication sources are grouped, or as a filter the user can apply to the list.

Each time a user logs into Demo Velmu they actually get a fresh empty user account behind the scenes. This is to prevent malicious content from being displayed to users, as stuff one adds to the desktop is only seen by themselves during the open session.

This should be told to the user somewhere in the system to prevent confusion.

Currently it's very hard to find the information necessary to adopt MPASS, especially as a service provider. Documentation and information is spread around in many places.

• Select a single place to host all the information necessary for adopting MPASS for service providers and for authentication providers (municipalities).
• Improve and update the architectural diagram (https://github.com/educloudalliance/eca-docs/blob/master/services.png)
• Create cards in Demo Velmu linking to the information. Create cards for 5 different user personas, where each type of person can find the information relevant to themselves:
  • A teacher
  • A student
  • An ICT manager in a municipality
  • A technical person of a Service Provider company
  • A CEO of a Service Provider company

• CSC will do the DNS settings
• Apache vhost settings need to be updated
• Shibboleth entity name needs to change
• MPASS needs to reregister Velmu as SP with the new entityid
• SP metadata to be regenerated (changes to entityID as said and several Location parameters)
• ALLOWED_HOSTS in local_settings.py for the main instance and sub-instances
• New LE web certificates once the new DNS is in place (this should work automagically if Ansible role works as expected)
• Updates to Vagrantfile and several Ansible files

Icons could be localized also, for example if the image contains text. Demo Velmu does not currently support localized icon_urls. Activating translation would mean there could be a different icon_url for each language.

Demo Velmu uses the MPASS Discovery API to fetch a list of available Service Providers, which are then added as cards. Currently all the data available from the Discovery API is saved to the Velmu database, but only the service title, SSO URL and thumbnail is displayed by the UI.

Additional information that could be relayed to the user are currently a description of the service and the general URL (which most likely contains some kind of general information of the service).

Tasks:

• Design how the UI should convey the new information.

• Implement backend changes. Create a new Dream-Cards card type containing the data.

• Implement the designed UI changes using the new card data from the backend.

MPASS Services are automatically added as cards on the desktop of Demo Velmu, based on the MPASS Service Discovery API. Take this functionality to the next level and implement an easy way for a municipality representative to take one of these demoed services to use in their own production MPASS environment.

This could be for example a button on the card. By clicking this button the user is taken to a place where they can easily buy or otherwise get the service into use. One easy option would be to add one more field to the Service API which provides an URL for "buying this", and the button in Velmu is simply a link to this URL.

Currently the card thumbnail images are downloaded from the URL provided in MPASS service listing API and saved on disk. To avoid redownloading the same files each time the API is checked the system currently only downloads the image if there is no pre-existing thumbnail for the Service. This means the thumbnail won't ever update in Demo Velmu if the image contents are changed in the origin.

If we use just an image url as the card thumbnail, the actual file will be served from the origin instead of downloaded to Demo Velmu.

An authentication method selection page was implemented for Demo Velmu which is visually pleasing and has a responsive layout for mobile clients.

The solution could be further developed and used to replace the official MPASS authentication selection page with a modern visual style.

Kokoa evaluates and provides certificates for pedagogical services. Could or should Demo Velmu fetch evaluation data from Kokoa API and display that information for Services found from the MPASS Service Discovery API?

Dream-cards (the desktop component of Demo Velmu) has new been developed further and contains new features which are not available in the version in Demo Velmu. The following features can be brought to Demo Velmu by upgrading the dream-cards component to new version:

• Multiple desktops per user
• Desktop sharing between users
• Card cache removal, replaced by precomputed visibility table. New system cards become visible to users immediately.
• Working unit tests.

Create a material package for Service and Authentication implementators containing resources for easy integration of MPASS in their service.

This could contain at least the following resources:

• Example Shibboleth SP configuration for MPASS authentication
• Example SimpleSAMLphp SP configuration for MPASS authentication
• Example HTML error pages covering error situations in SAML login
• Examples of mobile-friendly login pages for authentication providers, for example three different visually appealing ADFS login page templates