
Shibboleth Access Management Federations
and Secure SDI: ESDIN Experience from the
OGC Authentication Interoperability
Experiment
C.I.Higgins, M.Koutroumpas, A.Seales,
EDINA National Datacentre, Scotland
A.Matheus,
University of the Bundeswehr, Germany
INSPIRE Conference 2010, Kraków,
Friday, June 25
ESDIN project info (www.esdin.eu)
• An eContentplus Best Practice Network project
• Started September 2008. Ends March 2011
• Coordinated by EuroGeographics
• Key goal: help member states, candidate countries
and EFTA States prepare their data for INSPIRE
Annex 1 spatial data themes and improve access:
1. Administrative Boundaries
2. Cadastral Parcels
3. Hydrography
4. Transport Networks
5. Geographical Names
ESDIN partners:
• Lantmäteriet
• The Finnish Geodetic Institute
• Statens kartverk
• Helsinki University of Technology
• National Land Survey of Finland
• Kort & Matrikelstyrelsen
• IGN Belgium
• Kadaster
• EDINA, University of Edinburgh
• Geodan Software Development & Technology
• Universität Münster
• Interactive Instruments
• Bundesamt für Kartographie und Geodäsie
• 1Spatial
• EuroGeographics
• Bundesamt für Eich- und Vermessungswesen
• IGN France
• Institute of Geodesy, Cartography and Remote Sensing
• National Technical University of Athens
• National Agency for Cadastre and Real Estate Publicity, Romania
EDINA
• A National Data Centre for Tertiary Education since
1995
– based at the University of Edinburgh, Scotland
• Our mission...
to enhance the productivity of research, learning and
teaching in UK higher and further education
• Focus is on service but we also undertake R&D
– turn projects into services
• In ESDIN one of our roles is to try to represent
interests of the European academic sector – one of
the identified target user groups
European Persistent Testbed for Research
and Teaching (PTB) Objectives:
• To act as a research test-bed for collaborative European research in
geospatial interoperability,
• To aid the assessment of the current standards for geospatial
interoperability in terms of research compatibility, completeness,
consistency and ease of use and extensibility
• To provide an environment for teaching standards and techniques
for geospatial interoperability
• To provide a resource to AGILE/EuroSDR/OGC for the coordination
of research requirements as well as definition, testing, validation and
development of open standards
WP4: Data Access and Licensing Policy
Business model, pricing, licensing models
• Goal: maximise the use and re-use of reference geodata
• Define a data policy
• Define a policy for Geo Rights Management
• Also cover access issues such as: protection of IPR,
security, access management, privacy, subscriptions.
Why put effort into federated access control?
• Authentication is the process of verifying that claims
made about a subject attempting to access a resource, eg,
their identity, are true, ie, authentic
• Frequently, SDI content and service providers need to
know who is accessing their valuable, secure, protected,
etc, data
• The ability for a group of organisations with common
objectives, ie, a federation, to securely exchange
authentication information is a powerful SDI enabler
• Even more so if removing some of the barriers to
interoperability…
WP 11 Interoperability Services, Goals
1. Develop Best Practices for building
• INSPIRE-compliant content access services
- View & Download
• … focusing on functionalities for
- Content transformations: CRS, Schema, Edgematching, Generalisation
- Geo Rights Management
- Authentication
2. Build services to provide access, in INSPIRE-compliant form:
• Small scale / medium scale / large scale
Why put effort into federated access control
round OGC Web Services?
• Requested by the commission to focus on testing
practical existing solutions
• Opportunity to build on earlier work undertaken by the same
team that is giving this presentation (JISC-funded SEE-GEO project)
– Demonstrated Shibboleth Access Control around
WMS
• Key findings of the current work: the solution required
– No changes to the OWS interface specifications
– No changes to the core mainstream Shibboleth
Shibboleth
• Internet2 consortium
• Open source package for web Single Sign On across admin
boundaries based on standards:
– Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security
assertions by obeying privacy policies
• Small coordination centre, large federation of organisations (service
and identity providers)
• Devolved authentication – maintain and leverage existing user
management
• Enables finer grained authorisation through use of attributes
• Many Shibboleth Access Management Federations across the globe
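To make the "finer grained authorisation through use of attributes" point concrete, here is an added Python example (not code from the ESDIN project, SEE-GEO or Shibboleth itself) of the decision a Shibboleth-protected gateway in front of an unmodified WMS can take. It reads the attributes the Shibboleth SP exports into the request environment and decides per WMS operation and per layer, so the OGC service itself needs no change. The attribute variable names (eppn, affiliation, entitlement, Shib-Identity-Provider), the entitlement URNs, IdP entityIDs and layer names are assumptions and placeholders of this example, not values from the presentation.

```python
"""Attribute-based authorisation in front of a Shibboleth-protected WMS.

Added example, not ESDIN/SEE-GEO project code. Shibboleth SP authenticates
the user and exports attributes to the application; this module only makes
the authorisation decision and fails closed on anything it cannot verify.
"""
from urllib.parse import parse_qs

# Constructed policy (placeholder URNs): which eduPersonEntitlement values
# unlock which WMS layers. A layer absent from this table is never served.
LAYER_ENTITLEMENTS = {
    "AdministrativeBoundaries": {"urn:mace:example.org:esdin:annex1"},
    "CadastralParcels": {"urn:mace:example.org:esdin:annex1",
                         "urn:mace:example.org:esdin:cadastre"},
    "Hydrography": {"urn:mace:example.org:esdin:annex1"},
}

# Constructed allow-list of federation IdP entityIDs (placeholders).
TRUSTED_IDPS = {
    "https://idp.nmca-a.example/idp/shibboleth",
    "https://idp.university-b.example/idp/shibboleth",
}

OPEN_OPERATIONS = {"getcapabilities"}          # any federation member
LAYER_OPERATIONS = {"getmap", "getfeatureinfo"}  # needs per-layer entitlement


def parse_shib_attributes(environ):
    """Split the SP-exported attributes into sets of values.

    Shibboleth SP joins multi-valued attributes with ';'. The variable names
    below follow the SP's usual attribute-map.xml ids for eduPerson
    attributes and are an assumption of this example. Values are taken from
    the request environment rather than HTTP headers, which removes the risk
    of a client-supplied header being mistaken for an SP-asserted attribute.
    """
    attrs = {}
    for name in ("eppn", "affiliation", "entitlement", "Shib-Identity-Provider"):
        raw = environ.get(name) or ""
        attrs[name] = {v.strip() for v in raw.split(";") if v.strip()}
    return attrs


def parse_wms_request(query_string):
    """Return (operation, requested layers); WMS parameter names are
    case-insensitive, so keys are lower-cased before lookup."""
    params = {k.lower(): v[-1] for k, v in
              parse_qs(query_string, keep_blank_values=True).items()}
    operation = params.get("request", "").lower()
    layers = {l.strip() for l in params.get("layers", "").split(",") if l.strip()}
    return operation, layers


def authorize(environ, query_string, policy=LAYER_ENTITLEMENTS,
              trusted_idps=TRUSTED_IDPS):
    """Decide whether the gateway may forward this request to the WMS.

    Returns (allowed, reason). Every check fails closed: no session, an
    IdP outside the federation, an unknown operation, or a layer without a
    matching entitlement all deny.
    """
    attrs = parse_shib_attributes(environ)
    if not attrs["eppn"]:
        return False, "no Shibboleth session"
    idps = attrs["Shib-Identity-Provider"]
    if not idps or not idps <= trusted_idps:
        return False, "identity provider not in federation allow-list"

    operation, layers = parse_wms_request(query_string)
    if operation in OPEN_OPERATIONS:
        return True, "capabilities open to any federation member"
    if operation not in LAYER_OPERATIONS:
        return False, "unsupported WMS operation: %r" % operation
    if not layers:
        return False, "no layers requested"

    # Each requested layer must be covered by at least one held entitlement.
    missing = [layer for layer in sorted(layers)
               if not (policy.get(layer, set()) & attrs["entitlement"])]
    if missing:
        return False, "missing entitlement for layers: " + ", ".join(missing)
    return True, "all requested layers entitled"


if __name__ == "__main__":
    # Constructed sample session as the SP would export it.
    session = {"eppn": "alice@nmca-a.example", "affiliation": "staff;member",
               "entitlement": "urn:mace:example.org:esdin:annex1",
               "Shib-Identity-Provider": "https://idp.nmca-a.example/idp/shibboleth"}
    for qs in ("SERVICE=WMS&REQUEST=GetCapabilities",
               "SERVICE=WMS&REQUEST=GetMap&LAYERS=Hydrography,CadastralParcels",
               "SERVICE=WMS&REQUEST=GetMap&LAYERS=Hydrography,Secret"):
        print(qs, "->", authorize(session, qs))
```

The gateway never edits the WMS: it either forwards the request untouched or answers the denial itself, which is the "no changes to the OWS" property the findings above describe. The entitlement table is where a federation's governance decisions (which agencies may see which Annex 1 themes) become enforceable.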
OGC Interoperability Experiments
• Intended as a relatively simple, low overhead, means for
OGC members to get together and advance specific
technical objectives within the OGC baseline
• Facilitated by OGC staff
• More lightweight than the OGC Web Services initiatives
• Focussed on specific interoperability issues
• Effort is viewed as voluntary and supported by in-kind
contributions by participating member organisations
• Duration normally around 6 months
Authentication IE
• OpenGIS Project Document 09-092r1
• Test standard ways of authentication between OGC
clients and OGC Web Services
• Intended that the following mechanisms would be tested:
– HTTP Authentication
– HTTP Cookies
– SSL/X509, SAML
– Shibboleth
– OpenID
– WS-Security
• Main output an OGC Engineering Report
Status ESDIN Partners Participation
• ESDIN test federation established
• Cooperating NMCAs so far:
– KMS (Denmark)
– Kadaster (Netherlands)
– Lantmäteriet (Sweden)
– FÖMI (Hungary)
• 2 clients interoperable:
– OpenLayers (browser)
– OpenJump SAML Enhanced Client or Proxy profile (desktop)
• Shibboleth being integrated into ESDIN client under
development by GeoDan
Status PTB Participation
• Access Management Phase 2 responses from:
– EDINA, University of Edinburgh
– FIUGINET (Finnish Universities Geoinformatics Network) and
CSC — IT Center for Science Ltd
– Technical University of Dresden
– Centre for Geospatial Science, University of Nottingham
• Pre-conference PTB workshop in association with AGILE
2010 discussing outcomes of the phase 2 CfP
• Variety of OWS, including Web Processing Services
Some results
• Can use a production strength, standards based, widely
used piece of open source software to share identity
information and control access to OGC Web Services
• Shibboleth used out of the box, but ECP not currently part
of the mainstream Shibboleth IdP
• Not much effort to install
• Single Sign On
• No changes required to OGC Web Services
• But changes do need to be made to the desktop client
What's the significance of all this?
• Access Management Federations (AMF) provide a practical
organisational model for operational SDI
• Shibboleth is production strength
• Small centre, big network of organisations
• A fundamental SDI requirement demonstrated
• Additional SDI organisational requirements could be layered
on top of the AMF, eg, governance
• Needs changes to the clients, but not the services or
Shibboleth
• Potential INSPIRE compliant approach for establishing
operational strength access control to ensure data provided is
only available to legitimate government agencies!
Next steps…
• Show the kind of thing an SSO federation that allows
NMCAs to securely grant access to each other's
harmonised data enables
• Include a demonstration of PTB universities securely
accessing ESDIN data
• Based on outputs, an ESDIN Best Practice document
• Make the client software we have created openly
available
• Consider which SAML assertions are necessary to make
these kinds of pan-European authorisation decisions
• Consider cross-federation interoperability issues
Any questions?
[email protected]
http://www.esdin.eu