OGC Web Services Shibboleth
Interoperability Experiment (OSI)
Chris Higgins, IE Manager,
EDINA National Datacentre, Scotland
Webinar,
Thursday, Nov 18, 2010
Some housekeeping
• Audio separate from webinar. Phone in on:
+1 512 225 3050 Participant Code: 55699#
• Please mute if not speaking and in conversation with
colleagues, or in a busy room, etc.
• Submit questions via the “chat” pod. Will collate these
and get through as many as possible at the end.
• Session is being recorded
Some introductions
• Team that has worked on integrating Shibboleth/OWS:
– Self, Andrew Seales, Michael Koutroumpas and Andreas
Matheus
• IE Initiating Organisations:
– EDINA, Snowflake and Cadcorp
• IE Participants
– EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC
– BKG (German NMA) provided another federation
• OGC IE Facilitator:
– Luis Bermudez
EDINA
• A National Data Centre for Tertiary Education since
1995
– based at the University of Edinburgh, Scotland
• Our mission...
to enhance the productivity of research, learning and
teaching in UK higher and further education
• Focus is on service but we also undertake R&D
– turn projects → services
• In ESDIN one of our roles is to try to represent
interests of the European academic sector – one of
the identified target user groups
ESDIN Project
• An eContentplus Best Practice Network project
• Started September 2008. Ends March 2011
• Coordinated by EuroGeographics
• Key goal: help member states, candidate countries
and EFTA States prepare their data for INSPIRE
Annex 1 spatial data themes and improve access:
1. Administrative Boundaries
2. Cadastral Parcels
3. Hydrography
4. Transport Networks
5. Geographical Names
ESDIN project info (www.esdin.eu)
Partners:
– Lantmäteriet
– The Finnish Geodetic Institute
– Statens kartverk
– Helsinki University of Technology
– National Land Survey of Finland
– Kort & Matrikelstyrelsen
– IGN Belgium
– Kadaster
– EDINA, University of Edinburgh
– Geodan Software Development & Technology
– Universität Münster
– Interactive Instruments
– Bundesamt für Kartographie und Geodäsie
– 1Spatial
– EuroGeographics
– Bundesamt für Eich- und Vermessungswesen
– IGN France
– Institute of Geodesy, Cartography and Remote Sensing
– National Technical University of Athens
– National Agency for Cadastre and Real Estate Publicity, Romania
Why put effort into federated access control?
• Authentication is the process of verifying that claims
made about a subject attempting to access a resource, eg,
its identity, are true, ie, authentic
• Frequently, SDI content and service providers need to
know who is accessing their valuable, secure, protected,
data
• The ability for a group of organisations with common
objectives, ie, a federation, to securely exchange
authentication information is a powerful SDI enabler
• Even more so if removing some of the barriers to
interoperability…
Shibboleth
• Internet2 consortium
• Open source package for web Single Sign On across admin
boundaries based on standards:
– Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security
assertions by obeying privacy policies
• Small coordination centre, large federation of organisations (service
and identity providers)
• Devolved authentication – maintain and leverage existing user
management
• Enables finer grained authorisation through use of attributes
• Many Shibboleth Access Management Federations across the globe
Federation
[Diagram: a Shibboleth Access Management Federation. Organisations run Service Providers (SP) and Identity Providers (IdP); Users access the SPs; a Coordinating Centre ties the federation together.]
Why put effort into federated access control around
OGC Web Services?
• Requested by the commission to focus on testing
practical existing solutions
• Opportunity to build on earlier work undertaken by same
team (JISC funded SEE-GEO project)
– Showed Shibboleth Access Control around WMS
• Key findings of the current work; the solution required:
– No changes to the OWS interface specifications
– No changes to the core mainstream Shibboleth
– BUT, does require changes to OWS desktop clients
INSPIRE Federation
[Diagram: an INSPIRE federation of OWS Providers (WMS and WFS services) and IdPs run by Member State organisations, eg, NMCAs, alongside key organisations, eg, EEA, JRC.]
What we set out to do in this IE
• Provide the OGC community with the opportunity to
demonstrate their desktop client software being capable
of consuming OWS within Shibboleth Access
Management Federations
– Protected ESDIN Federation OWS to develop against
– Reference implementation of desktop client
• Result: a variety of different clients capable of
undergoing the Shibboleth/SAML interactions
– Browser based clients, ie OpenLayers based
– Desktop based clients
• Result: a better understanding of the issues
OGC Interoperability Experiment
• IEs are part of the OGC Interoperability program, which
includes other activities, such as Pilots and Testbeds.
• The IE is focused on an interoperability issue related to the
OGC Technical Baseline.
• The IE completion timeframe is reasonable (4-6 months).
• The IE is “lightweight” – focuses on a single interoperability
issue.
• All materials, documents, lessons learned, and other
findings developed as a result of the IE will be shared with
the OGC membership.
• The expected results: Engineering Report, Best Practice
Report, and Change Requests.
What we intend to do today
• Show these clients in action
• But note the aggressive timeline: the kickoff telcon was
on Sept 30th, ie, seven weeks ago.
• Different clients, some browser based, some desktop,
accessing various WMS and WFS
• Series of Single Sign On scenarios
The best-laid schemes o' mice an' men
Gang aft agley, (Robert Burns)
Example: SSO, Desktop Client, WMS
Participants shown: Envitia, Cadcorp, EDINA
User not previously authenticated:
1. Attempt access to a protected service
2. User picks IdP
3. Authenticates
4. Demonstrates access to data
Already authenticated:
5. Attempts access to different protected services within the Federation
6. Demonstrates access to data
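The six-step SSO scenario above, as an added example that is not part of the original presentation: a simplified in-process model (Python, with constructed user names, credentials and service names) of an SP-initiated web SSO flow across two protected OWS in one federation. It stands in for the real Shibboleth SP/IdP exchange, which is not modelled, and shows why the user is prompted once at the IdP and not again for the second service.

```python
"""Added illustration: simplified model of SSO across two protected OWS.
Constructed: users, service names and credentials are made up. The real
Shibboleth SP/IdP exchange (redirects, SAML messages) is collapsed into
direct calls; only the session logic is kept."""
import uuid

class IdP:
    """Federation identity provider: one session per IdP cookie."""
    def __init__(self, users):
        self.users = users      # constructed username -> password table
        self.sessions = {}      # idp cookie value -> username
        self.prompts = 0        # how many times the user had to log in

    def authenticate(self, jar, login):
        """Return an assertion; prompt for credentials only without an IdP session."""
        user = self.sessions.get(jar.get("idp_session"))
        if user is None:
            self.prompts += 1
            name, password = login()        # desktop client shows its login dialog
            if self.users.get(name) != password:
                raise PermissionError("authentication failed")
            user = name
            jar["idp_session"] = str(uuid.uuid4())
            self.sessions[jar["idp_session"]] = user
        return {"subject": user}

class ProtectedOWS:
    """A WMS/WFS behind an SP: own session cookie, trusts the federation IdP."""
    def __init__(self, name, idp):
        self.name, self.idp, self.sessions = name, idp, {}

    def get_map(self, jar, login):
        """Serve a map only with a valid SP session, creating one via the IdP."""
        cookie = f"sp_session_{self.name}"
        if jar.get(cookie) not in self.sessions:
            subject = self.idp.authenticate(jar, login)["subject"]
            jar[cookie] = str(uuid.uuid4())
            self.sessions[jar[cookie]] = subject
        return f"GetMap image for {self.sessions[jar[cookie]]} from {self.name}"

def run_scenario(login=lambda: ("alice", "s3cret")):
    """Steps 1-6 with one cookie jar and two services: (prompts, map1, map2)."""
    idp = IdP({"alice": "s3cret"})
    wms, wfs = ProtectedOWS("wms.example", idp), ProtectedOWS("wfs.example", idp)
    jar = {}                                 # the desktop client's cookie jar
    first = wms.get_map(jar, login)          # steps 1-4: prompted at the IdP
    second = wfs.get_map(jar, login)         # steps 5-6: IdP session reused
    return idp.prompts, first, second
```

The point for client authors is that the cookie jar must be shared across every service the client talks to; a client that discards cookies between requests will be sent back to the IdP for each service.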