Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment C.I.Higgins, M.Koutroumpas, A.Seales, EDINA National Datacentre, Scotland A.Matheus, University of the Bundeswehr, Germany INSPIRE Conference 2010, Kraków, Friday, June 25



• An eContentplus Best Practice Network project

• Started September 2008. Ends March 2011

• Coordinated by EuroGeographics

• Key goal: help member states, candidate countries and EFTA States prepare their data for INSPIRE Annex 1 spatial data themes and improve access:

1. Administrative Boundaries
2. Cadastral Parcels
3. Hydrography
4. Transport Networks
5. Geographical Names

ESDIN project info (www.esdin.eu)

• Interactive Instruments
• Bundesamt für Kartographie und Geodäsie
• Lantmäteriet
• National Technical University of Athens
• IGN Belgium
• Bundesamt für Eich- und Vermessungswesen
• Universität Münster
• EDINA, University Edinburgh
• National Agency for Cadastre and Real Estate Publicity Romania
• Helsinki University of Technology
• IGN France
• Kadaster
• Kort & Matrikelstyrelsen
• Geodan Software Development & Technology
• 1Spatial
• The Finnish Geodetic Institute
• National Land Survey of Finland
• Institute of Geodesy, Cartography and Remote Sensing
• Statens kartverk
• EuroGeographics

EDINA

• A National Data Centre for Tertiary Education since 1995 – based at the University of Edinburgh, Scotland

• Our mission... to enhance the productivity of research, learning and teaching in UK higher and further education

• Focus is on service but also undertake R&D – turn projects into services

• In ESDIN one of our roles is to try to represent the interests of the European academic sector – one of the identified target user groups

European Persistent Testbed for Research and Teaching (PTB) Objectives:

• To act as a research test-bed for collaborative European research in geospatial interoperability,

• To aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency and ease of use and extensibility

• To provide an environment for teaching standards and techniques for geospatial interoperability

• To provide a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as definition, testing, validation and development of open standards

WP4: Data Access and Licensing Policy

Business model, pricing, licensing models

• Goal: maximise the use and re-use of reference geodata

• Define a data policy

• Define a policy for Geo Rights Management

• Also cover access issues such as: protection of IPR, security, access management, privacy, subscriptions.

Why put effort into federated access control?

• Authentication is the process of verifying that claims made concerning a subject, eg, identity, who is attempting to access a resource are true, ie, authentic

• Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data

• The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler

• Even more so if removing some of the barriers to interoperability…

WP 11 Interoperability Services, Goals

1. Develop Best Practices for building

• INSPIRE-compliant content access services

- View & Download

• … focusing on functionalities for

- Content transformations: CRS, Schema, Edge-matching, Generalisation

- Geo Rights Management

- Authentication

2. Build services to provide access, in INSPIRE-compliant form:

• Small scale / medium scale / large scale

Why put effort into federated access control round OGC Web Services?

• Requested by the commission to focus on testing practical existing solutions

• Opportunity to build on earlier work undertaken by the same team as giving this presentation (JISC funded SEE-GEO project)

– Demonstrated Shibboleth Access Control around WMS

• Key findings of current work; the solution required:

– No changes to the OWS interface specifications
– No changes to the core mainstream Shibboleth

Shibboleth

• Internet2 consortium

• Open source package for web Single Sign On across admin boundaries based on standards:

– Security Assertion Markup Language (SAML)

• Organisations can exchange user information and make security assertions by obeying privacy policies

• Small coordination centre, large federation of organisations (service and identity providers)

• Devolved authentication – maintain and leverage existing user management

• Enables finer grained authorisation through use of attributes

• Many Shibboleth Access Management Federations across Globe
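The slide above describes the service-provider side of the model: the identity provider authenticates the user and sends a SAML assertion, and the service provider decides from the assertion's attributes what the user may do. The following is an added example (not ESDIN or Shibboleth project code) of that last step around an OGC Web Service. It assumes the Shibboleth SP has already verified the XML signature on the SAML Response; the code then checks the assertion's Conditions (validity window and audience), maps the standard eduPerson attribute OIDs to short names the way an SP's attribute map does, and applies a constructed per-operation policy to WMS/WFS requests. The issuer, audience, entitlement URNs and the policy table are all constructed values.

```python
"""Attribute-based authorisation at a Shibboleth-protected OGC Web Service.

Added example, not code from ESDIN or Shibboleth. Assumes the SP has already
validated the signature on the SAML Response; this is only the
"finer grained authorisation through use of attributes" step.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Real eduPerson attribute OIDs, mapped to the short ids an SP attribute-map
# conventionally uses. Attributes not in this map are dropped, as an SP would.
OID_TO_ID = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "affiliation",  # eduPersonScopedAffiliation
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "entitlement",  # eduPersonEntitlement
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",         # eduPersonPrincipalName
}

# Constructed sample assertion: issuer, audience and values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2010-06-25T10:00:00Z">
  <saml:Issuer>https://idp.example-nmca.eu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>_tid1</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-06-25T09:59:00Z" NotOnOrAfter="2010-06-25T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wms.example-sp.eu/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>staff@example-nmca.eu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
      <saml:AttributeValue>urn:example:esdin:annex1:view</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(s):
    """Parse the UTC timestamps SAML uses in Conditions."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(assertion_xml, audience, now):
    """Return {short_id: [values]} or raise ValueError if Conditions fail."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < parse_time(nb)) or (noa and now >= parse_time(noa)):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        short_id = OID_TO_ID.get(attr.get("Name"))
        if short_id is None:
            continue
        attrs[short_id] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


# Constructed policy: which entitlement each OWS operation needs (None = any
# federation member). Operations not listed are denied.
POLICY = {
    "GetCapabilities": None,
    "GetMap": "urn:example:esdin:annex1:view",
    "GetFeature": "urn:example:esdin:annex1:download",
}


def authorise(attrs, operation, trusted_scopes):
    """Decide whether the user described by attrs may run an OWS operation."""
    # The scope of the affiliation must belong to an organisation we trust,
    # i.e. a member of the federation; an unscoped value proves nothing here.
    scopes = {v.split("@", 1)[1] for v in attrs.get("affiliation", []) if "@" in v}
    if not scopes & set(trusted_scopes):
        return False
    if operation not in POLICY:
        return False
    required = POLICY[operation]
    return required is None or required in attrs.get("entitlement", [])
```

The two checks inside `extract_attributes` are the ones that are easy to forget when an SP is used purely as an attribute source: an assertion that is out of its window, or addressed to a different service provider, must be rejected before any attribute is trusted.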

OGC Interoperability Experiments

• Intended as a relatively simple, low overhead, means for OGC members to get together and advance specific technical objectives within the OGC baseline

• Facilitated by OGC staff

• More lightweight than the OGC Web Services initiatives

• Focussed on specific interoperability issues

• Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations

• Duration normally around 6 months

Authentication IE

• OpenGIS Project Document 09-092r1

• Test standard ways of authentication between OGC clients and OGC Web Services

• Intended that the following mechanisms would be tested:

– HTTP Authentication
– HTTP Cookies
– SSL/X509, SAML
– Shibboleth
– OpenID
– WS-Security

• Main output an OGC Engineering Report

Status ESDIN Partners Participation

• ESDIN test federation established

• Cooperating NMCAs so far:

– KMS (Denmark)
– Kadaster (Netherlands)
– Lantmäteriet (Sweden)
– Fomi (Hungary)

• 2 clients interoperable:

– OpenLayers (browser)
– OpenJump SAML Enhanced Client or Proxy profile (desktop)

• Shibboleth being integrated into ESDIN client under development by GeoDan

Status PTB Participation

• Access Management Phase 2 responses from:

– EDINA, University of Edinburgh
– FIUGINET (Finnish Universities Geoinformatics Network) and CSC — IT Center for Science Ltd
– Technical University of Dresden
– Centre for Geospatial Science, University of Nottingham

• Pre-conference PTB workshop in association with AGILE 2010 discussing outcomes of the phase 2 CfP

• Variety of OWS, including Web Processing Services

Some results

• Can use a production strength, standards based, widely used piece of open source software to share identity information and control access to OGC Web Services

• Shibboleth used out of the box, but ECP not currently part of mainstream IdP Shibboleth

• Not much effort to install

• Single Sign On

• No changes required to OGC Web Services

• But changes do need to be made to the desktop client
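Both the OpenJump entry under ESDIN participation and the result above that the desktop client needs changing refer to the SAML Enhanced Client or Proxy (ECP) profile: a browser client can be redirected through the IdP's login page, but a desktop OWS client has to carry the SAML messages itself. The following is an added example, not code from ESDIN, OpenJump or Shibboleth, that models the exchange between the three parties. SOAP envelopes are represented as dicts whose keys name the real header and body elements; the two HTTP headers the client sends are the genuine ECP/PAOS values; the entity IDs, endpoint URLs, user credentials and entitlement value are constructed, and the XML signature the SP would verify is modelled as a flag. The check that makes the client code non-trivial is in `ecp_client`: the AssertionConsumerServiceURL the IdP reports must match the responseConsumerURL the SP advertised, otherwise the client must abort instead of forwarding the Response.

```python
"""SAML ECP exchange around an OGC Web Service: client, SP and IdP modelled.

Added example, not code from ESDIN, OpenJump or Shibboleth. Envelopes are
dicts keyed by the real SOAP header/body element names; URLs, credentials,
the entitlement value and the "Signed" flag are constructed.
"""

# The two HTTP headers an ECP-capable client adds to its request to the SP.
PAOS_HEADERS = {
    "Accept": "application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";'
            '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

SP_ENTITY = "https://wms.example-sp.eu/shibboleth"                 # constructed
SP_ACS_URL = "https://wms.example-sp.eu/Shibboleth.sso/SAML2/ECP"  # constructed
IDP_USERS = {"alice": ("s3cret", ["urn:example:esdin:annex1:view"])}  # constructed


class EcpError(Exception):
    """Raised when the client or SP must abort the exchange."""


def sp_get_resource(request_headers, path, session=None):
    """SP side: serve the OWS request if a session exists, else start login."""
    if session and session.get("authenticated"):
        return {"status": 200, "body": f"WMS response for {path}", "attrs": session["attrs"]}
    if request_headers.get("Accept") != PAOS_HEADERS["Accept"]:
        # Ordinary browser client: redirect into the web SSO flow instead.
        return {"status": 302, "location": "https://wms.example-sp.eu/Shibboleth.sso/Login"}
    # ECP client: return a SOAP envelope carrying the AuthnRequest plus the
    # paos:Request header that names where the Response must come back to.
    return {"status": 200, "envelope": {
        "paos:Request": {"responseConsumerURL": SP_ACS_URL},
        "ecp:Request": {"IssuerName": SP_ENTITY},
        "ecp:RelayState": path,
        "samlp:AuthnRequest": {"ID": "_req1", "Issuer": SP_ENTITY},
    }}


def idp_ecp_endpoint(envelope, username, password):
    """IdP side: check the client's credentials and issue a SAML Response."""
    if username not in IDP_USERS or IDP_USERS[username][0] != password:
        return {"status": 401}
    authn = envelope["samlp:AuthnRequest"]
    return {"status": 200, "envelope": {
        "ecp:Response": {"AssertionConsumerServiceURL": SP_ACS_URL},
        "samlp:Response": {"InResponseTo": authn["ID"], "Audience": authn["Issuer"],
                           "Signed": True, "entitlement": IDP_USERS[username][1]},
    }}


def sp_assertion_consumer(envelope, in_response_to):
    """SP side: accept the Response the client delivered and open a session."""
    resp = envelope["samlp:Response"]
    if not resp.get("Signed") or resp["Audience"] != SP_ENTITY \
            or resp["InResponseTo"] != in_response_to:
        raise EcpError("SP rejected the SAML Response")
    return {"authenticated": True, "attrs": {"entitlement": resp["entitlement"]}}


def ecp_client(path, username, password, simulate_acs=None):
    """Desktop client: run the full ECP exchange and return the OWS response.

    simulate_acs is a test hook (constructed) that stands in for an IdP reply
    whose ecp:Response names a different AssertionConsumerServiceURL.
    """
    first = sp_get_resource(PAOS_HEADERS, path)
    if "envelope" not in first:
        raise EcpError("SP did not offer ECP")
    sp_env = first["envelope"]
    expected_acs = sp_env["paos:Request"]["responseConsumerURL"]
    relay_state = sp_env["ecp:RelayState"]
    # The client removes the PAOS header before forwarding to the IdP.
    to_idp = {k: v for k, v in sp_env.items() if k != "paos:Request"}
    idp_reply = idp_ecp_endpoint(to_idp, username, password)
    if idp_reply["status"] != 200:
        raise EcpError("IdP refused credentials")
    idp_env = idp_reply["envelope"]
    acs = simulate_acs or idp_env["ecp:Response"]["AssertionConsumerServiceURL"]
    if acs != expected_acs:
        # Mandatory ECP check: the Response would otherwise be delivered to a
        # URL other than the one the SP asked for. Send a SOAP fault and stop.
        raise EcpError("AssertionConsumerServiceURL mismatch; sending SOAP fault")
    session = sp_assertion_consumer(idp_env, sp_env["samlp:AuthnRequest"]["ID"])
    return sp_get_resource({}, relay_state, session)
```

Usage: `ecp_client("/wms?SERVICE=WMS&REQUEST=GetMap", "alice", "s3cret")` returns the WMS response together with the attributes the SP extracted; the same call with a wrong password, or with `simulate_acs` set to some other URL, raises `EcpError` before anything reaches the SP's assertion consumer. The "no changes to the service, changes to the client" result on the slide corresponds to where the logic lives here: `sp_get_resource` is the unchanged OWS behind a standard Shibboleth SP, and all the new work sits in `ecp_client`.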

What's the significance of all this?

• Access Management Federations (AMF) provide a practical organisational model for operational SDI

• Shibboleth is production strength

• Small centre, big network of organisations

• A fundamental SDI requirement demonstrated

• Additional SDI organisational requirements could be layered on top of the AMF, eg, governance

• Needs changes to the clients, but not the services or Shibboleth

• Potential INSPIRE compliant approach for establishing operational strength access control to ensure data provided is only available to legitimate government agencies!

Next steps…

• Show the kind of thing a SSO federation that allows NMCAs to securely grant access to each other's harmonised data enables

• Include a demonstration of PTB universities securely accessing ESDIN data

• Based on outputs, an ESDIN Best Practice document

• Make the client software we have created openly available

• Consider what SAML assertions are necessary to make these kinds of pan-European authorisation decisions

• Consider cross-federation interoperability issues

Any questions?

[email protected]

http://www.esdin.eu