Access Management Federation for Spatial Data and Services in Germany

80th OGC Technical Committee

Austin, Texas (USA)

Jan Grohmann (BKG)

March 20, 2012

OGC®

Agenda

About GDI-DE and BKG

Motivation

Requirements

Realisation

Authorization

Authentication

Access Management Federation

Use Cases

Outcome

About GDI-DE and BKG

BKG: Federal Agency for Cartography and Geodesy

Provide geodetic reference data and basic spatial data for the needs of the Federal Government

Coordination Office GDI-DE is situated in the BKG as a department of the division Geoinformation

Coordination Office GDI-DE: network consists of experts from Government, Private Sector and Universities

Steering Committee GDI-DE and Coordination Office GDI-DE (organisation chart of GDI-DE): Decisions, Orders / Proposals, Reports

Motivation

…to establish a common infrastructure (Government & Government, Government & Business, Government & Public)

3 governmental levels in Germany: 13,000 municipalities, 16 federal states and the federal government

Motivation (2)

Project „Betriebsmodell GDI-DE“ focused on the establishment, development and operation of a spatial data infrastructure in Germany

Work package for using protected data and services

Requirements

Technical / Operational Requirements

Authentication – Who are you?

Authorisation – What are you permitted to do?

consider existing infrastructures

security as an add-on

no central storage of user accounts

combine distributed data and services for use

Standards and Architectures for E-Government-Applications (SAGA 4.0)

Requirements (2)

Standards and Architectures for E-Government-Applications

eGovernment applications mostly use a web browser as a frontend [Ch. 1.5, p. 13]

possible roles for access control defined in table 4-1 [Ch. 4.6.3, p. 54]

core attributes for identities [Ch. 5.4.4, p. 66]

Services are stateless [Ch. 6.6.2, p.70]

Composition of services [Ch. 6.6.2, p.71]

SAML 2.0 is recommended

Requirements (3)

Organisational Requirements

Who accepts users?

Who grants access rights for data and services?

Who coordinates access rights also between different domains?

Who supervises the working process?

...

=> Results provided by project „Betriebsmodell GDI-DE“

Authorization

Role based access control

Use of open standards

OASIS: eXtensible Access Control Markup Language 2.0

OGC Geospatial XACML (GeoXACML) 1.0

Access rights are enforced by a service provider, based on a user's attributes

Authentication

User accounts are provided by the organisations to which a user belongs

Deliver user attributes (role, organisation) to service providers for the purpose of access control

Login always at your home organisation

Use of open standards

OASIS: Security Assertion Markup Language 2.0

IETF: RFC 2818 (HTTPS), RFC 4346 (TLS 1.1), RFC 2617 (HTTP Authentication), RFC 2965 (HTTP State Management Mechanism)

W3C: CORS, XML Digital Signatures, XML Encryption

Solution “Access Management Federation”

[Source: http://www.switch.ch]

AMF in the project Betriebsmodell

Data and Services of the Federation

Three different providers for data and services

Use Case „Extending Infrastructure“

Three Engineering Offices: Munich, Nuremberg, Bavaria

Users have roles: finished, current and planned construction works

Engineering Offices have fields of activity: 50 km around Munich / Nuremberg, within Bavaria

Use Case „Qualification of German Ensembles“

Match the geographic extent of an identified site to its actual ground shape

Users of the Bavarian State Office for the Preservation of Historical Monuments: qualify ensembles via WFS-T

Users of Bavarian SDI: reading access

Engineering Offices: no access
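As an added illustration, not part of the deck or of the GDI-DE federation's software, a simplified policy decision point in Python that combines the two use cases above: the subject attributes (organisation, role) a home organisation would assert via SAML, a spatial condition standing in for a GeoXACML rule (50 km around Munich / Nuremberg, within Bavaria), and deny by default. The centre coordinates and the bounding box used for Bavaria are constructed sample values.

```python
import math

# Constructed sample values (not from the deck): field-of-activity centres as (lon, lat)
# and a rough bounding box standing in for Bavaria (lon_min, lat_min, lon_max, lat_max).
CENTRES = {"Engineering Office Munich": (11.58, 48.14),
           "Engineering Office Nuremberg": (11.08, 49.45)}
BAVARIA_BBOX = (8.97, 47.27, 13.84, 50.56)
MONUMENTS_OFFICE = "Bavarian State Office for the Preservation of Historical Monuments"

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lon, lat) points in km."""
    lon1, lat1, lon2, lat2 = map(math.radians, a + b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def in_field_of_activity(organisation, point):
    """Spatial condition of the 'Extending Infrastructure' use case:
    50 km around Munich / Nuremberg, or anywhere within Bavaria."""
    if organisation in CENTRES:
        return distance_km(CENTRES[organisation], point) <= 50.0
    if organisation == "Engineering Office Bavaria":
        x0, y0, x1, y1 = BAVARIA_BBOX
        return x0 <= point[0] <= x1 and y0 <= point[1] <= y1
    return False

def decide(subject, action, resource):
    """Policy decision point. subject: attributes asserted by the user's home
    organisation (organisation, role); action: 'read' or 'write'; resource: feature
    type plus geometry / state. Anything not explicitly permitted is denied."""
    org, role = subject["organisation"], subject["role"]
    if resource["type"] == "construction_work":
        # Engineering offices read the works matching their role (finished / current /
        # planned), and only inside their own field of activity.
        if (org.startswith("Engineering Office") and action == "read"
                and role == resource["state"]
                and in_field_of_activity(org, resource["point"])):
            return "Permit"
        return "Deny"
    if resource["type"] == "ensemble":
        if org == MONUMENTS_OFFICE:
            return "Permit"            # qualify ensembles via WFS-T: read and write
        if org == "Bavarian SDI" and action == "read":
            return "Permit"            # reading access only
        return "Deny"                  # engineering offices: no access
    return "Deny"
```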

Use Case „Information next to your home“

Citizens can view their required building documentation via electronic Identity Card

Thomas Mustermann: for Munich

Helga Mustermann: for Nuremberg

3D LoD1/LoD2 city models in Google Earth

2D maps with Google Maps and OGC WMS

a required building documentation with OpenLayers, OGC WFS and WMS

Outcome

An AMF for spatial data and services can be established like existing AMFs of the academic sector, e.g. DFN-AAI (https://www.aai.dfn.de/)

Test federation GDI-DE: https://sp.gdi-de.org

Clarify the duties and responsibilities

Operations and Maintenance

Support

OGC White Paper #12-026

Authors: Andreas Matheus (Secure Dimensions), Christian Kiehle, Jan Grohmann (BKG)

on Pending Documents – uploaded before 3 week rule for this meeting

Questions & Answers

Jan Grohmann
Coordination Office GDI-DE
Federal Agency for Cartography and Geodesy
Richard-Strauß-Allee 11
60598 Frankfurt am Main
Germany

Tel.: +49 (0) 69 6333 298
Fax: +49 (0) 69 6333 446

E-Mail: jan.grohmann@bkg.bund.de
Internet: http://www.gdi-de.org http://www.geoportal.de
