The Joomla! Identity Portal
On May 16, 2020, the Privacy Compliance Team announced the release of the Joomla! Identity Portal, a new website that is meant to serve as the home for all Joomlers’ personal data and as a Single Sign On service to access all the *.joomla.org websites.
The deployment of the Single Sign On started with the connection of the Volunteers Portal, the place where most personal information was stored. The team is now working on a plan to connect more websites to the centralized system, but let’s ask some questions to those who developed the system: Roland Dalmulder and Sander Potjer.
Sander, how did it all start and why did we need another website to manage our identities?
With the new General Data Protection Regulation (GDPR) the Joomla project looked into the options to comply with the new regulations and to give control to Joomlers over their personal data for the *.joomla.org websites. A working group was formed and started brainstorming about possible solutions.
Over time the number of *.joomla.org websites grew and all of them are separate Joomla installations. Joomlers usually have several user accounts on multiple *.joomla.org websites. Those accounts could have different personal data like email, for example, and are not related to each other. The project was lacking a single source for all personal data. So the idea started to have a single location, the Joomla Identity Portal, with all personal data stored, and serving the data from there to other *.joomla.org websites. With this setup a Joomler only needs to change their personal data at a single location, or remove it, and it will be processed across all sites.
A great opportunity was around the corner: solve the frustration of Joomlers with all different accounts & logins for the Joomla websites by combining this central location with Single Sign On. A long time wish for the Joomla Project!
Roland, how does the Single Sign On system work? Would it be easy to connect all the other *.joomla.org websites?
Single Sign On works on the basis of trust. By connecting the Volunteer Portal to the Identity Portal we are telling the Volunteer Portal that anybody logging in via the Identity Portal is a trusted person. How much data is sent over from the Identity Portal to the Volunteer Portal is managed by consents. So users have full control over which data is shared.
Once a user has logged in to the Identity Portal the browser stores two cookies and this remembers that you are logged in. When you visit another site connected to the Identity Portal, you are going back to the Identity Portal and this checks if the cookie is still valid, so yes, you are automatically logged in. Otherwise you will need to log in again.
To connect to another site can be easy, can be hard :) It all depends on which data the site contains but most sites should be fairly easy to connect.
Sander, another interesting aspect of the system is the centralized Consent Management feature. How would you describe that?
A goal for this project was to give the Joomler full control over its own data. Having an account on the Identity Portal should not result in being listed on all *.joomla.org websites automatically. For example, it should be possible for the Joomler to choose to be listed on the Volunteers Portal and not on the Resources Directory. But also on a more fine-grained level, be listed on the Volunteers Portal, but not displaying your City / Country information.
In order to achieve this we came up with the consent management feature. For each *.joomla.org website, consents will be created. Depending on the site there could be multiple consents for several groups of personal data, like the location info on the Volunteers Portal.
Joomlers can decide themselves what personal data *.joomla.org websites can use, by allowing the consents individually. And withdraw them at any time, resulting in removal of personal data on the connected site of the consent.
The consents can also be used for more general permissions, like receiving goodies from the Joomla project. Without a consent for that Joomla won't use your provided address data.
So the great thing is that the consent management gives the Joomler full control over their own personal data across the Joomla websites and data can be removed at any time from a single location.
Roland, is the system integrated with the Privacy Tools Suite shipped with the Joomla core?
The Identity Portal is connected to the Privacy Tools Suite. So any request to download or remove data is processed by the Identity Portal component as well. This way we ensure that the person making the request has all the data.
Sander, which were the most difficult challenges encountered during the development of the Identity Portal?
Time. Because we are all volunteers with our own work and lives it was sometimes hard to keep working on the project at a continuous pace. As the whole system is quite complex a left-over hour to work on something was usually not enough to get things done. Luckily Roland and I work together in our professional work as well, giving opportunities to brainstorm and discuss challenges in person.
Another challenge was the architecture. I think that designing the system and communications between the sites with all different aspects and flows in mind was more work than the actual development.
From a technical perspective the biggest challenge was the Single Sign On for which Roland had a fantastic base which he further developed for the Joomla project.
In general it was great to work with the Compliance Team that helped overcome all challenges. Both from a motivational aspect with our weekly meetings as well as for the input on the more legal/GDPR side of things. We might have been working on the technical side, but this was not possible without the input and leadership from our entire team. A big thank you to all those involved over the years from this place!
The Identity Portal is powered by Joomla 3.x and uses libraries and custom components. Is it the demonstration of the power of Open Source, capable of managing complex systems without commercial and closed source software?
A full-hearted yes. Using Joomla as an Identity Provider is something quite new. In the past Joomla sites have been connected to Active Directory, CAS or other authentication providers. Now Joomla can be used as an authentication provider. In this case we are using Joomla as an authentication provider for another Joomla site.
Looking towards the future, we could have any site connected so users can log in with their Joomla identity just as you can log in with your Google, Facebook or GitHub account.
What are the next steps and how long does it take to complete the connection of all the sites to the Identity Portal?
The next step is to decide which sites to connect first and make an assessment of what is needed to connect the sites. In terms of how long this will take, it is impossible to say at this stage.
Some sites will be relatively easy and quick, as those mainly use the Single Sign On. Others with more data and larger sites like the Joomla Extensions Directory will be more complex. And finally we have sites using other systems than Joomla, like the forum and documentation, which will require additional research.
The good news is that the initial launch of the Identity Portal connected with the Volunteers Portal took place without any major issues, so we can move on to connect other sites soon.
Did you already start planning the evolution of the Identity Portal with Joomla 4 that is coming along?
This has not been started yet. This will also be related to the general upgrades of the *.joomla.org websites to Joomla 4. The custom development that we have done for the Identity Portal is already prepared as much as possible for Joomla 4 using the latest standards for the development, so we are not expecting major issues on that side.