
Authentication Methods: Shibboleth


Presented by Chris Higgins at the UKLP Location Programme Data Publishing WG meeting, Cardiff, 28 March 2011.


Page 1: Authentication Methods: Shibboleth

Authentication methods: Shibboleth

UKLII: Data Publishing Working Group, Welsh Assembly Government, Cardiff. 28th March 2011

[email protected]

Page 2: Authentication Methods: Shibboleth

Synopsis

• What is Shibboleth?
• How does it work?
• Shibb and OGC Web Services
• Work done to date
• What are the implications?
  – or why do we think this is important
• Some things that could happen next…

Page 3: Authentication Methods: Shibboleth

Shibboleth

• Internet2 consortium
• Open source package for web Single Sign On across admin boundaries, based on standards:
  – Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security assertions while obeying privacy policies
• Devolved authentication – maintain and leverage existing user management
• Enables finer grained authorisation through use of attributes
• Small coordination centre, large federation of organisations (service and identity providers)
• Many Shibboleth Access Management Federations:
  – https://www.aai.dfn.de/links/
  – https://spaces.internet2.edu/display/SHIB/ShibbolethFederations

Page 4: Authentication Methods: Shibboleth

UK Access Management Federation

• Managed by JISC Collections (previously JANET) and EDINA
  – Federation Operator: JISC Collections
  – Technical and Operational Support: EDINA
• 840 Member Organisations (IdPs and SPs)
• Approximately 8 million users
• Cost of running is not insignificant

Page 5: Authentication Methods: Shibboleth

[Figure: Key Roles within an Access Management Federation. The diagram shows the Coordinating Centre at the centre of the Federation, with Service Providers (SPs) and Identity Providers (IdPs) as members, and Users belonging to Organisations that run the IdPs.]

Page 6: Authentication Methods: Shibboleth

Basic SAML Concepts

From the SAML Technical Overview

(http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

Page 7: Authentication Methods: Shibboleth

From the SAML Technical Overview

(http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

Service Provider Initiated Single Sign On

Page 8: Authentication Methods: Shibboleth

From the SAML Technical Overview

(http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

Identity Provider Initiated Single Sign On
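The two SSO flows referenced on these slides differ in what the Service Provider can check when the SAML Response arrives. The following Python simulation is an added example, not code from the slides, the SAML Technical Overview or Shibboleth: an IdP-side function that issues a SAML 2.0 Response and an SP-side function that validates it. The XML signature is replaced by an HMAC over the serialised assertion (a stand-in for XML-DSig verified against the IdP certificate in federation metadata); the entity IDs, attribute name and key are constructed values.

```python
"""SP-side validation of a SAML 2.0 Response for SP-initiated and IdP-initiated
(unsolicited) Web Browser SSO. Added example; the HMAC "Signature" attribute
stands in for XML-DSig and every identifier below is constructed."""
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SAML, SAMLP = "{%s}" % NS["saml"], "{%s}" % NS["samlp"]
IDP_ENTITY = "https://idp.example.org/idp/shibboleth"  # constructed
SP_ENTITY = "https://wms.example.org/shibboleth"       # constructed
IDP_KEY = b"stand-in-for-idp-signing-cert"             # constructed


def _sign(assertion):
    """Stand-in for an XML signature: HMAC over the serialised assertion."""
    return hmac.new(IDP_KEY, ET.tostring(assertion), hashlib.sha256).hexdigest()


def issue_response(subject, attrs, in_response_to=None, lifetime=300):
    """IdP side: build a samlp:Response carrying one signed assertion."""
    now = time.time()
    resp = ET.Element(SAMLP + "Response", ID="_" + secrets.token_hex(16))
    if in_response_to:
        resp.set("InResponseTo", in_response_to)
    a = ET.SubElement(resp, SAML + "Assertion", ID="_" + secrets.token_hex(16))
    ET.SubElement(a, SAML + "Issuer").text = IDP_ENTITY
    ET.SubElement(ET.SubElement(a, SAML + "Subject"), SAML + "NameID").text = subject
    cond = ET.SubElement(a, SAML + "Conditions",
                         NotBefore=str(now - 60), NotOnOrAfter=str(now + lifetime))
    aud = ET.SubElement(cond, SAML + "AudienceRestriction")
    ET.SubElement(aud, SAML + "Audience").text = SP_ENTITY
    stmt = ET.SubElement(a, SAML + "AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, SAML + "Attribute", Name=name)
        ET.SubElement(attr, SAML + "AttributeValue").text = value
    a.set("Signature", _sign(a))  # the signature covers everything built above
    return ET.tostring(resp)


def validate_response(xml_bytes, outstanding, seen_ids, now=None):
    """SP side: return the released attributes, or raise ValueError."""
    now = time.time() if now is None else now
    resp = ET.fromstring(xml_bytes)
    a = resp.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no assertion")
    # 1. Verify the signature before trusting any other field
    sig = a.attrib.pop("Signature", "")
    if not hmac.compare_digest(sig, _sign(a)):
        raise ValueError("bad signature")
    # 2. Issuer must be an IdP known from federation metadata
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY:
        raise ValueError("untrusted issuer")
    # 3. Audience must name this SP, so assertions for other SPs cannot be reused here
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != SP_ENTITY:
        raise ValueError("wrong audience")
    # 4. Validity window
    cond = a.find("saml:Conditions", NS)
    if not float(cond.get("NotBefore")) <= now < float(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired or not yet valid")
    # 5. SP-initiated: the Response must answer an AuthnRequest we actually issued.
    #    IdP-initiated (unsolicited) Responses have no InResponseTo, so for them
    #    replay protection rests on steps 4 and 6 alone.
    irt = resp.get("InResponseTo")
    if irt is not None:
        if irt not in outstanding:
            raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
        outstanding.discard(irt)
    # 6. Assertion IDs are single use (replay cache)
    if a.get("ID") in seen_ids:
        raise ValueError("replayed assertion")
    seen_ids.add(a.get("ID"))
    return {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
            for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}


def _outcome(fn):
    try:
        fn()
        return "accepted"
    except ValueError as exc:
        return str(exc)


def demo():
    """Both flows plus the failure cases an SP must reject; returns outcomes by name."""
    outstanding, seen, out = set(), set(), {}
    attrs = {"eduPersonScopedAffiliation": "staff@example.org"}  # constructed
    req_id = "_" + secrets.token_hex(16)   # SP-initiated: remember the AuthnRequest ID
    outstanding.add(req_id)
    out["sp_initiated"] = validate_response(issue_response("alice", attrs, req_id), outstanding, seen)
    unsolicited = issue_response("bob", attrs)  # IdP-initiated: nothing to correlate against
    out["idp_initiated"] = validate_response(unsolicited, outstanding, seen)
    out["replay"] = _outcome(lambda: validate_response(unsolicited, outstanding, seen))
    out["stale_request"] = _outcome(lambda: validate_response(
        issue_response("carol", attrs, "_not-ours"), outstanding, seen))
    tampered = issue_response("dave", attrs).replace(b"staff@", b"admin@")  # edited after signing
    out["tampered"] = _outcome(lambda: validate_response(tampered, outstanding, seen))
    out["expired"] = _outcome(lambda: validate_response(
        issue_response("erin", attrs, lifetime=-120), outstanding, seen))
    return out
```

The practical difference between the two flows is step 5: in SP-initiated SSO the SP can tie the Response to the AuthnRequest it sent the browser off with, whereas an unsolicited IdP-initiated Response carries no such reference, so the assertion-ID cache and a tight validity window (with small clock-skew tolerance) are the only replay controls left to the SP.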

Page 9: Authentication Methods: Shibboleth

Example Shibboleth Login Procedures

http://www.switch.ch/aai/demo/medium.html

Page 10: Authentication Methods: Shibboleth

Why put effort into federated access control?

• Authentication is the process of verifying that claims made concerning a subject attempting to access a resource, eg, its identity, are true, ie, authentic

• Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data

• The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler

• Article 19 of the INSPIRE Directive: "…Member States may limit public access…etc, etc".

• Even more so if removing some of the barriers to interoperability…

Page 11: Authentication Methods: Shibboleth

Why put effort into federated access control round OWS?

• Open geospatial interoperability standards underpin SDI
• OGC Standards agnostic about security
• Grand challenge: lack of a genuinely interoperable security solution is a major barrier to all sectors
• EU requested that ESDIN project focus on testing practical existing solutions
• Prior work by same team (JISC funded SEE-GEO project)
  – Demonstrated Shibb Access Control around WMS
  – No changes to the OWS interface specification
  – No changes to the core mainstream Shibboleth

Page 12: Authentication Methods: Shibboleth

Work to Date: ESDIN Project

• Resourced EDINA to build on in-house access control expertise
• An eContentplus Best Practice Network project
• Ran from Sept 2008 until end Feb 2011
• Coordinated by EuroGeographics
• From AuthN perspective, the main ESDIN Use Case was Key Users, eg, EEA, EuroStat, JRC, accessing INSPIRE Annex 1 services from different member states
• Key goal: help member states prepare their data for INSPIRE Annex 1 themes

Page 13: Authentication Methods: Shibboleth

ESDIN – Mostly NMCAs

Interactive Instruments

Bundesamt für Kartographie und Geodäsie

Lantmäteriet

National Technical University of Athens

IGN Belgium

Bundesamt für Eich- und Vermessungswesen

Universität Münster

EDINA, University of Edinburgh

National Agency for Cadastre and Real Estate Publicity Romania

Helsinki University of Technology

IGN France

Kadaster

Kort & Matrikelstyrelsen

Geodan Software Development & Technology

1Spatial

The Finnish Geodetic Institute

National Land Survey of Finland

Institute of Geodesy, Cartography and Remote Sensing

Statens kartverk

EuroGeographics

Page 14: Authentication Methods: Shibboleth

OGC Interoperability Experiments (IE’s)

• Key vehicle for taking the work forward
• Simple, low-overhead means for OGC members to get together and advance specific technical objectives within the OGC baseline
• Facilitated by OGC staff
• More lightweight than the OGC Web Services initiatives
• Focussed on specific interoperability issues
• Effort is viewed as voluntary and supported by in-kind contributions from participating member organisations
• Duration normally around 6 months

Page 15: Authentication Methods: Shibboleth

Authentication IE

• Test standard ways of authentication between OGC clients and OGC Web Services
• Intended that the following mechanisms would be tested: HTTP Authentication; HTTP Cookies; SSL/X509; SAML; Shibboleth; OpenID; WS-Security
• ESDIN concentrated on:
  – Putting together a prototype Shibboleth Access Management Federation comprised mainly of NMCAs
  – Understanding how OWS clients could be modified to be capable of undergoing the Shibboleth interactions
• OGC Engineering Report: Doc 09-092r1

Page 16: Authentication Methods: Shibboleth

OGC Web Services Shibboleth IE (OSI)

• Started Aug 2010
• Previous work had shown it was possible to protect WMS with Shibb so that:
  – No mods required to the OGC interface
  – No mods required to the Shibb download
  – BUT mods required to OWS clients
• OSI provided the OGC software producing community with the means and opportunity to modify OWS clients to work with Shibb
• Emphasis on desktop OWS client software
• Provide participants with the opportunity to demonstrate their software in action.

Page 17: Authentication Methods: Shibboleth

OSI - How

• Use the test ESDIN Federation to provide OSI participants with services to develop against
• Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile
  – http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
• Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile
• Regular telcons
• OSI Technology Integration Experiment event
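The SAML ECP Profile named above is what lets a desktop OWS client complete the Shibboleth handshake without rendering the HTML login pages a browser would see. The Python simulation below is an added example, not the ESDIN reference client or Shibboleth code: dicts stand in for the HTTP requests and SOAP envelopes of the profile, an HMAC stands in for the IdP signature, and the URLs, credentials and key are constructed values.

```python
"""Simulated SAML ECP exchange: desktop WMS client <-> Shibboleth SP <-> IdP.
Added example; dicts stand in for HTTP requests and SOAP envelopes, an HMAC
stands in for the IdP signature, and all URLs and credentials are constructed."""
import hashlib
import hmac
import secrets

PAOS_HEADERS = {  # an ECP-capable client announces itself with these two headers
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}
WMS_URL = "https://wms.example.org/wms"                             # constructed
ACS_URL = "https://wms.example.org/Shibboleth.sso/SAML2/ECP"        # constructed
LOGIN_URL = "https://wms.example.org/Shibboleth.sso/Login"          # constructed
IDP_ECP_URL = "https://idp.example.org/idp/profile/SAML2/SOAP/ECP"  # constructed
IDP_KEY = b"stand-in-for-idp-signing-cert"                          # constructed


def _mac(req_id, subject):
    """Stand-in for the IdP's XML signature over the Response."""
    return hmac.new(IDP_KEY, f"{req_id}|{subject}".encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    """Shibboleth SP guarding a WMS endpoint."""

    def __init__(self):
        self.sessions = {}        # session cookie -> subject
        self.outstanding = set()  # IDs of AuthnRequests we handed out

    def handle(self, req):
        if req["url"] == ACS_URL:
            return self._consume(req["body"])
        if req["headers"].get("Cookie") in self.sessions:
            return {"status": 200, "headers": {"Content-Type": "image/png"}, "body": b"\x89PNG..."}
        if "application/vnd.paos+xml" in req["headers"].get("Accept", "") and "PAOS" in req["headers"]:
            # ECP client: hand back the AuthnRequest inside a PAOS envelope instead of
            # redirecting to a WAYF/login page that a desktop client could not render.
            req_id = "_" + secrets.token_hex(8)
            self.outstanding.add(req_id)
            envelope = {"paos:Request": {"responseConsumerURL": ACS_URL},
                        "ecp:RelayState": req["url"],
                        "samlp:AuthnRequest": {"ID": req_id}}
            return {"status": 200, "headers": {"Content-Type": "application/vnd.paos+xml"}, "body": envelope}
        return {"status": 302, "headers": {"Location": LOGIN_URL}, "body": None}  # browser path

    def _consume(self, envelope):
        resp = envelope["samlp:Response"]
        if resp["InResponseTo"] not in self.outstanding:
            return {"status": 403, "headers": {}, "body": b"unknown AuthnRequest"}
        if not hmac.compare_digest(resp["Signature"], _mac(resp["InResponseTo"], resp["Subject"])):
            return {"status": 403, "headers": {}, "body": b"bad signature"}
        self.outstanding.discard(resp["InResponseTo"])
        cookie = "_shibsession_" + secrets.token_hex(8)
        self.sessions[cookie] = resp["Subject"]
        return {"status": 302, "headers": {"Set-Cookie": cookie, "Location": envelope["ecp:RelayState"]},
                "body": None}


class IdentityProvider:
    USERS = {"alice": "correct horse battery"}  # constructed test account

    def ecp(self, req):
        user, password = req["headers"]["Authorization"]  # stand-in for HTTP Basic credentials
        if self.USERS.get(user) != password:
            return {"status": 401, "headers": {}, "body": None}
        req_id = req["body"]["samlp:AuthnRequest"]["ID"]
        return {"status": 200, "headers": {"Content-Type": "application/vnd.paos+xml"},
                "body": {"ecp:Response": {"AssertionConsumerServiceURL": ACS_URL},
                         "samlp:Response": {"InResponseTo": req_id, "Subject": user,
                                            "Signature": _mac(req_id, user)}}}


def desktop_client_getmap(sp, idp, creds):
    """GetMap from a desktop client, completing the ECP handshake if challenged."""
    getmap = {"url": WMS_URL + "?SERVICE=WMS&REQUEST=GetMap", "headers": dict(PAOS_HEADERS), "body": None}
    r = sp.handle(getmap)
    if r["headers"].get("Content-Type") != "application/vnd.paos+xml":
        return r  # no challenge: an existing session served the map
    sp_env = r["body"]
    # The client knows its own IdP from configuration, so no WAYF page is needed
    idp_r = idp.ecp({"url": IDP_ECP_URL, "headers": {"Authorization": creds}, "body": sp_env})
    if idp_r["status"] != 200:
        return idp_r
    idp_env = idp_r["body"]
    # ECP rule: the assertion goes only to the URL the SP itself named in paos:Request
    if idp_env["ecp:Response"]["AssertionConsumerServiceURL"] != sp_env["paos:Request"]["responseConsumerURL"]:
        raise RuntimeError("ACS URL mismatch; refusing to forward the assertion")
    acs_r = sp.handle({"url": ACS_URL, "headers": {},
                       "body": {"samlp:Response": idp_env["samlp:Response"],
                                "ecp:RelayState": sp_env["ecp:RelayState"]}})
    if acs_r["status"] != 302:
        return acs_r
    getmap["headers"]["Cookie"] = acs_r["headers"]["Set-Cookie"]
    return sp.handle(getmap)  # retry the original GetMap with the session cookie
```

The two pieces that a stock OWS client lacks, and that the OSI participants had to add, are the PAOS content negotiation (so the SP returns a SOAP envelope rather than an HTML redirect) and the ACS URL comparison before the assertion is forwarded; a client that skips the comparison can be induced to deliver a user's assertion to whatever endpoint a rogue IdP response names.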

Page 18: Authentication Methods: Shibboleth

OSI - Who

• 31 individuals registered on the Shibb OGC portal site
• EDINA, Snowflake, Cadcorp, Envitia, con terra/ESRI, Joint Research Centre all modified their OWS client software or open source
• Federal Agency for Cartography and Geodesy (BKG) contributed another test Shibb federation they have been using for similar purposes
• Recently started EU funded BRISEIDE project
  – http://www.briseide.eu/

Page 19: Authentication Methods: Shibboleth

Technology Integration Experiment Webinar

• Afternoon of Thurs 18th November
• Approx 30 people turned up on the day
• EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC all demonstrated:
  – Different clients (desktop, browser, proxy)
  – Different services (WMS and WFS)
  – Different federations (ESDIN and BKG)

Page 20: Authentication Methods: Shibboleth

OSI - Outcomes

• Using Shibboleth to protect OWS is practical
• Not particularly difficult on server side
• Not particularly difficult with browser based clients
• More subtle with desktop based clients but possible with some effort in a short space of time
• This kind of “IE testbed” approach appreciated by participating OGC members
• Highly likely community support and tooling will be available if decision made to operationalise
• Draft Engineering Report (OGC 11-019r1)

Page 21: Authentication Methods: Shibboleth

Related Outcomes – Germany

• "Betriebsmodell GDI-DE" (Operating model for SDI Germany)
• Technical feasibility (authentication/authorisation)
  – Securing OWS using SAML via Shibb, XACML and geoXACML
  – AuthN using German Identity Card and connection to eID i/f
• Organisational requirements
  – Which SAML attributes for the Federation
  – Who is responsible for what
  – Costs
• Business Processes
  – Admitting/Excluding IdPs/SPs from the Federation
  – Roles and Processes in operating a WAYF
• Extending their Test Federation
  – Additional SPs serving real restricted data, eg, cadastral parcels via OWS
  – Not just geospatial data
  – Additional IdPs (including one that supports eID)
  – Establishing a WAYF
• Investigating additional Use Cases: Gov2Bus; Gov2Gov and Gov2Citz
• Results and Demo at InterGEO in Sept and at OGC TC later this year
• Why don’t we collaborate more? Inter-Federation?

Page 22: Authentication Methods: Shibboleth

Related Outcomes – Sweden

• Swedish NSDI Shibboleth project initiated
• Exact objectives still being formulated but likely to include:
  – Feasibility of replacing existing system with Shibboleth
  – Feasibility of devolving AuthN. Centralised at the moment
  – Issues relating to administering a Federation
  – Investigation of collaborative opportunities with other NMCAs. Something like the “Nordic Initiative” in respect of GeoNetwork

Page 23: Authentication Methods: Shibboleth

Where Next?

Page 24: Authentication Methods: Shibboleth

An INSPIRE Federation?

1. One federation and every legally mandated organisation joins

2. Multiple federations: one in each country and one pan-European

3. One federation: one organisation in each country, the INSPIRE point of contact joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services

Page 25: Authentication Methods: Shibboleth

[Figure: An INSPIRE Federation? The diagram shows a Coordinating Centre with IdPs run by Member State organisations, eg, INSPIRE Points of Contact, and by key organisations, eg, EEA, JRC, alongside OWS Providers offering WMS and WFS services.]

Page 26: Authentication Methods: Shibboleth

Workshop at INSPIRE Conference in June

• Title: Shibboleth Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment

• Original intention is a re-run of the Nov 2010 “plugfest”

• More public, slicker
• More member state NMCAs in ESDIN Federation
• Maybe get more system suppliers to modify their software
• Up the level of discussion
• IOC Task Force Involvement?

Page 27: Authentication Methods: Shibboleth

Interoperable Geographic Information for Biosphere Study

• JISC funded IGIBS project from Apr 1st to 31st Oct 2011
• Partnership between EDINA, Aberystwyth University and Welsh Assembly Government (WAG)
• Focussed on Research and Education related to the UNESCO Dyfi Biosphere Reserve
• Allow users to create WMSs to view data in conjunction with reference data from WAG
• Access control so:
  – Students can publish intermediary results, or commercial in confidence datasets, etc.
  – WAG can make available a wider range of data
• Better integration between academic and public sector
• Opportunity to transfer knowledge and explore (a bit)

Page 28: Authentication Methods: Shibboleth

Lots of open questions

• How do e-commerce solutions bolt onto this architecture?
• What’s the best way of approaching inter-federation interoperability?
• What’s best practice in respect of interoperability with different member states’ identity management systems?
• Similarly, pan-European identity management systems?
• What’s best practice in terms of AuthZ infrastructures?
• How do the processes and roles involved in governing an access management federation map to those required for SDI governance?
• How may the more advanced service chaining patterns be realised where some or all of the services in the chain are protected?

Page 29: Authentication Methods: Shibboleth

B. Lawrence, http://www.osdm.gov.au/SBF201011_Lawrence.pdf?ID=1072

Page 30: Authentication Methods: Shibboleth

Dimensions of Interoperability

From the European Interoperability Framework for Pan-European eGovernment Services (http://ec.europa.eu/idabc/servlets/Docb0db.pdf?id=31597)

Page 31: Authentication Methods: Shibboleth

Page 32: Authentication Methods: Shibboleth

Comparison between OpenID and Shibb

From EDINA “Review of OpenID”, 2007