DESCRIPTION

Presented by Chris Higgins at the UKLP Location Programme Data Publishing WG meeting, Cardiff, 28 March 2011.


1. Authentication methods: Shibboleth

  • UKLP: Data Publishing Working Group, Welsh Assembly Government, Cardiff, 28th March 2011

2. Synopsis

  • What is Shibboleth?
  • How does it work?
  • Shibb and OGC Web Services
  • Work done to date
  • What are the implications?
    • or why do we think this important
  • Some things that could happen next

3. Shibboleth

  • Internet2 consortium
  • Open source package for web Single Sign On across admin boundaries based on standards:
    • Security Assertion Markup Language (SAML)
  • Organisations can exchange user information and make security assertions while obeying privacy policies
  • Devolved authentication: maintain and leverage existing user management
  • Enables finer grained authorisation through use of attributes
  • Small coordination centre, large federation of organisations (service and identity providers)
  • Many Shibboleth Access Management Federations:
    • https://www.aai.dfn.de/links/
    • https://spaces.internet2.edu/display/SHIB/ShibbolethFederations

4. UK Access Management Federation

  • Managed by JISC Collections (previously JANET) and EDINA
    • Federation Operator: JISC Collections
    • Technical and Operational Support: EDINA
  • 840 Member Organisations (IdPs and SPs)
  • Approximately 8 million users
  • Cost of running is not insignificant

5. Key Roles within an Access Management Federation

  • [Diagram: Coordinating Centre, Federation, Service Providers (SP), Identity Providers (IdP), Users, Organisations]

6. Basic SAML Concepts

  • From the SAML Technical Overview
  • ( http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf )

7. Service Provider Initiated Single Sign On

  • From the SAML Technical Overview
  • ( http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf )

8. Identity Provider Initiated Single Sign On

  • From the SAML Technical Overview
  • ( http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf )

9. Example Shibboleth Login Procedures

  • http://www.switch.ch/aai/demo/medium.html

10. Why put effort into federated access control?

  • Authentication is the process of verifying that claims made about a subject attempting to access a resource (eg, its identity) are true, ie, authentic
  • Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data
  • The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler
  • Article 19 of the INSPIRE Directive: Member States may limit public access, etc, etc.
  • Even more so if removing some of the barriers to interoperability

11. Why put effort into federated access control round OWS?

  • Open geospatial interoperability standards underpin SDI
  • OGC standards are agnostic about security
  • Grand challenge: lack of a genuinely interoperable security solution a major barrier to all sectors
  • EU requested that ESDIN project focus on testing practical existing solutions
  • Prior work by same team (JISC funded SEE-GEO project)
    • Demonstrated Shibb Access Control around WMS
    • No changes to the OWS interface specification
    • No changes to the core mainstream Shibboleth

12. Work to Date: ESDIN Project

  • Resourced EDINA to build on in-house access control expertise
  • An eContentplus Best Practice Network project
  • Ran from Sept 2008 until end Feb 2011
  • Coordinated by EuroGeographics
  • From AuthN perspective, the main ESDIN Use Case was Key Users, eg, EEA, EuroStat, JRC, accessing INSPIRE Annex 1 services from different member states
  • Key goal : help member states prepare their data for INSPIRE Annex 1 themes

13. ESDIN Partners (mostly NMCAs)

  • Interactive Instruments
  • Bundesamt für Kartographie und Geodäsie
  • Lantmäteriet
  • National Technical University of Athens
  • IGN Belgium
  • Bundesamt für Eich- und Vermessungswesen
  • Universität Münster
  • EDINA, University of Edinburgh
  • National Agency for Cadastre and Real Estate Publicity, Romania
  • Helsinki University of Technology
  • IGN France
  • Kadaster
  • Kort & Matrikelstyrelsen
  • Geodan Software Development & Technology
  • 1Spatial
  • The Finnish Geodetic Institute
  • National Land Survey of Finland
  • Institute of Geodesy, Cartography and Remote Sensing
  • Statens kartverk
  • EuroGeographics

14. OGC Interoperability Experiments (IEs)

  • Key vehicle for taking the work forward
  • Simple, low overhead, means for OGC members to get together and advance specific technical objectives within the OGC baseline
  • Facilitated by OGC staff
  • More lightweight than the OGC Web Services initiatives
  • Focussed on specific interoperability issues
  • Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations
  • Duration normally around 6 months

15. Authentication IE

  • Test standard ways of authentication between OGC clients and OGC Web Services
  • Intended that the following mechanisms would be tested: HTTP Authentication; HTTP Cookies; SSL/X509; SAML; Shibboleth; OpenID; WS-Security
  • ESDIN concentrated on:
    • Putting together a prototype Shibboleth Access Management Federation comprised mainly of NMCAs
    • Understanding how OWS clients could be modified to be capable of undergoing the Shibboleth interactions
  • OGC Engineering Report: Doc 09-092r1

16. OGC Web Services Shibboleth IE (OSI)

  • Started Aug 2010
  • Previous work had shown it was possible to protect WMS with Shibb so that:
    • No mods required to the OGC interface
    • No mods required to the Shibb download
    • BUT mods required to OWS clients
  • OSI provided the OGC software producing community with the means and opportunity to modify OWS clients to work with Shibb
  • Emphasis on desktop OWS client software
  • Provide participants with the opportunity to demonstrate their software in action.
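The server side of the claim above, as an added example rather than ESDIN or EDINA configuration: an Apache httpd fragment that puts the Shibboleth SP in front of a WMS. The /wms path and the handler location are assumptions; the WMS behind it is untouched, and the only thing a client notices is that an unauthenticated request is answered with the SP's session-initiation response instead of the OGC payload.

```apache
# Added example, not ESDIN/EDINA configuration. Assumed: the WMS is served under /wms and the
# Shibboleth SP (shibd plus its Apache module) is installed with the federation metadata loaded.

# The SP's own endpoints (session initiator, assertion consumer, logout) live under this path.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# The OGC service itself. Nothing about the WMS changes; the SP just sits in front of it.
<Location /wms>
    AuthType shibboleth
    # Without a session, a browser is sent to the IdP (or discovery service) and comes back
    # with an assertion; an ECP-capable client gets a PAOS response instead of a redirect.
    ShibRequestSetting requireSession 1
    # Any authenticated federation user. Replace with attribute rules for finer-grained
    # authorisation, which is where the attributes of slide 3 come in.
    Require valid-user
</Location>
```

ECP is off by default in the SP; it is switched on with ECP="true" on the Sessions element of shibboleth2.xml, after which the session initiator answers requests carrying the PAOS headers with a SOAP-wrapped AuthnRequest rather than a redirect. A desktop client that does not send those headers still gets the HTML redirect chain, which is the "mods required to OWS clients" point.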

17. OSI - How

  • Use the test ESDIN Federation to provide OSI participants with services to develop against
  • Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile
    • http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
  • Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile
  • Regular telcons
  • OSI Technology Integration Experiment event
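The SAML ECP Profile named above is the change a desktop OWS client needs (slides 7 and 8 show the browser profiles the same SP supports). Below is an added example, not the ESDIN reference client nor any Shibboleth code: a toy Python model of the ECP exchange with an in-process SP and IdP. The entityIDs, URLs, IdP account and GetMap bytes are constructed; an HMAC over the serialised Assertion stands in for the IdP's XML signature, and the client forwards the IdP's envelope to the SP unchanged where a real client would replace the ecp:Response SOAP header with a paos:Response header.

```python
# Added example (not code from the talk, ESDIN or Shibboleth). Assumed: the entityIDs, URLs, IdP
# account and GetMap bytes below; an HMAC over the serialised Assertion stands in for XML-DSig.
import datetime as dt, hashlib, hmac, uuid
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "paos": "urn:liberty:paos:2003-08", "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
PAOS_CT = "application/vnd.paos+xml"
PAOS_HDR = 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'
SP_ENTITY = "https://wms.example.org/shibboleth"                # assumed entityIDs and endpoints
IDP_ENTITY = "https://idp.example.ac.uk/idp/shibboleth"
ACS_URL = "https://wms.example.org/Shibboleth.sso/SAML2/ECP"
IDP_KEY, USERS = b"toy-idp-signing-key", {"alice": "correct horse"}   # stand-in key; constructed account
WMS_PNG = b"\x89PNG\r\n\x1a\n<constructed GetMap bytes>"        # constructed WMS GetMap response

def q(prefix, name):                                            # Clark-notation tag for ElementTree
    return "{%s}%s" % (NS[prefix], name)
def iso(t=None):                                                # SAML dateTime; default: now, UTC
    return (t or dt.datetime.now(dt.timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
def sign(assertion):                                            # over the Assertion without its Signature
    return hmac.new(IDP_KEY, ET.tostring(assertion), hashlib.sha256).hexdigest()

class ToySP:                       # Shibboleth-protected WMS: OGC interface unchanged, SSO in front of it
    def __init__(self):
        self.pending, self.sessions = {}, set()                 # outstanding AuthnRequest IDs; cookies

    def get_map(self, headers, cookie=None):
        if cookie in self.sessions:
            return 200, {"Content-Type": "image/png"}, WMS_PNG
        if headers.get("Accept") == PAOS_CT and "PAOS" in headers:
            return 200, {"Content-Type": PAOS_CT}, self._ecp_authn_request()
        return 200, {"Content-Type": "text/html"}, b"<html>login page</html>"   # unmodified client gets HTML

    def _ecp_authn_request(self):
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = iso()
        env = ET.Element(q("S", "Envelope"))
        ET.SubElement(ET.SubElement(env, q("S", "Header")), q("paos", "Request"),
                      responseConsumerURL=ACS_URL, service=NS["ecp"])
        ar = ET.SubElement(ET.SubElement(env, q("S", "Body")), q("samlp", "AuthnRequest"), ID=req_id,
                           Version="2.0", IssueInstant=iso(), AssertionConsumerServiceURL=ACS_URL)
        ET.SubElement(ar, q("saml", "Issuer")).text = SP_ENTITY
        return ET.tostring(env)

    def acs(self, body):           # assertion consumer service: each check here is one an SP must not skip
        resp = ET.fromstring(body).find("S:Body/samlp:Response", NS)
        a, issued = resp.find("saml:Assertion", NS), self.pending.pop(resp.get("InResponseTo"), None)
        sig, cond = a.find("ds:Signature", NS), a.find("saml:Conditions", NS)
        if sig is None or issued is None:                       # unsigned; unknown or replayed InResponseTo
            return 403, {}, b"assertion rejected"
        a.remove(sig)                                           # verify over what the IdP actually signed
        if not (hmac.compare_digest(sig.text, sign(a))
                and a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY
                and cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY
                and cond.get("NotBefore") <= iso() < cond.get("NotOnOrAfter")
                and resp.get("Destination") == ACS_URL):
            return 403, {}, b"assertion rejected"
        cookie = "_shibsession_" + uuid.uuid4().hex
        self.sessions.add(cookie)
        return 302, {"Set-Cookie": cookie}, b""

def idp_ecp_endpoint(body, credentials):   # toy IdP: HTTP Basic credentials in, signed Assertion out
    user, password = credentials
    if USERS.get(user) != password:
        return 401, {"WWW-Authenticate": "Basic"}, b""
    ar = ET.fromstring(body).find("S:Body/samlp:AuthnRequest", NS)
    acs_url, t = ar.get("AssertionConsumerServiceURL"), dt.datetime.now(dt.timezone.utc)
    a = ET.Element(q("saml", "Assertion"), ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=iso(t))
    ET.SubElement(a, q("saml", "Issuer")).text = IDP_ENTITY
    ET.SubElement(ET.SubElement(a, q("saml", "Subject")), q("saml", "NameID")).text = user
    cond = ET.SubElement(a, q("saml", "Conditions"), NotBefore=iso(t), NotOnOrAfter=iso(t + dt.timedelta(minutes=5)))
    ET.SubElement(ET.SubElement(cond, q("saml", "AudienceRestriction")),
                  q("saml", "Audience")).text = ar.findtext("saml:Issuer", namespaces=NS)   # only this SP
    sig = ET.Element(q("ds", "Signature"))
    sig.text = sign(a)
    a.insert(1, sig)                                            # SAML places Signature after Issuer
    env = ET.Element(q("S", "Envelope"))
    ET.SubElement(ET.SubElement(env, q("S", "Header")), q("ecp", "Response"), AssertionConsumerServiceURL=acs_url)
    resp = ET.SubElement(ET.SubElement(env, q("S", "Body")), q("samlp", "Response"), ID="_" + uuid.uuid4().hex,
                         Version="2.0", IssueInstant=iso(t), InResponseTo=ar.get("ID"), Destination=acs_url)
    ET.SubElement(resp, q("saml", "Issuer")).text = IDP_ENTITY
    resp.append(a)
    return 200, {"Content-Type": "text/xml"}, ET.tostring(env)

def ecp_get_map(sp, idp, credentials, cookie=None):   # modified desktop client: runs ECP, then retries
    _, hdrs, body = sp.get_map({"Accept": PAOS_CT, "PAOS": PAOS_HDR}, cookie)
    if hdrs["Content-Type"] != PAOS_CT:
        return body, cookie                                     # session in place: this is the map
    rc_url = ET.fromstring(body).find("S:Header/paos:Request", NS).get("responseConsumerURL")
    status, _, idp_body = idp(body, credentials)               # SOAP to the IdP over HTTP Basic auth
    if status != 200:
        raise PermissionError("IdP rejected the credentials")
    acs_url = ET.fromstring(idp_body).find("S:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")
    if acs_url != rc_url:                                       # ECP profile: mismatch means tampering
        raise ValueError("AssertionConsumerServiceURL != responseConsumerURL")
    status, hdrs, _ = sp.acs(idp_body)                          # toy: envelope forwarded unchanged
    if status != 302:
        raise PermissionError("SP rejected the assertion")
    return ecp_get_map(sp, idp, credentials, hdrs["Set-Cookie"])
```

With sp = ToySP(), ecp_get_map(sp, idp_ecp_endpoint, ("alice", "correct horse")) returns the map bytes plus a session cookie that later calls reuse, while a plain sp.get_map({"Accept": "image/png"}) returns text/html, which is exactly what an unmodified desktop client cannot parse as an image. The checks in ToySP.acs (InResponseTo consumed once, signature, Issuer, Audience, validity window, Destination) are the same ones the SP performs for the Web Browser SSO profile of slides 7 and 8; the client-side comparison of responseConsumerURL against AssertionConsumerServiceURL is specific to ECP and is what stops a tampered AuthnRequest from steering the assertion elsewhere.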

18. OSI - Who

  • 31 individuals registered on the Shibb OGC portal site
  • EDINA, Snowflake, Cadcorp, Envitia, con terra/ESRI, Joint Research Centre all modified their own OWS client software or an open source client
  • Federal Agency for Cartography and Geodesy (BKG) contributed another test Shibb federation they have been using for similar purposes
  • Recently started EU funded BRISEIDE project
    • http://www.briseide.eu/

19. Technology Integration Experiment Webinar

  • Afternoon of Thursday 18th November
  • Approx 30 people turned up on the day
  • EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC all demonstrated:
    • Different clients (desktop, browser, proxy)
    • Different services (WMS and WFS)
    • Different federations (ESDIN and BKG)

20. OSI - Outcomes

  • Using Shibboleth to protect OWS is practical
  • Not particularly difficult on server side
  • Not particularly difficult with browser based clients
  • More subtle with desktop based clients but possible with some effort in short space of time
  • This kind of IE testbed approach appreciated by participating OGC members
  • Highly likely community support and tooling will be available if decision made to operationalise
  • Draft Engineering Report (OGC 11-019r1)

21. Related Outcomes: Germany

  • "Betriebsmodell GDI-DE" (operating model for SDI Germany)
  • Technical feasibility (authentication/authorisation):
    • Securing OWS using SAML via Shibb, XACML and GeoXACML
    • AuthN using the German identity card and connection to the eID interface
  • Organisational requirements
