
Authentication methods: Shibboleth
UKLII: Data Publishing Working Group,
Welsh Assembly Government, Cardiff.
28th March 2011
[email protected]

Synopsis
• What is Shibboleth?
• How does it work?
• Shibb and OGC Web Services
• Work done to date
• What are the implications?
  – or why do we think this is important
• Some things that could happen next…

Shibboleth
• Internet2 consortium
• Open source package for web Single Sign On across administrative boundaries, based on standards:
  – Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security assertions while obeying privacy policies
• Devolved authentication – maintain and leverage existing user management
• Enables finer-grained authorisation through use of attributes
• Small coordination centre, large federation of organisations (service and identity providers)
• Many Shibboleth Access Management Federations:
  – https://www.aai.dfn.de/links/
  – https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
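The Service Provider side of what this slide describes, as an added example that is not code from the slides or from the Shibboleth project: a Python sketch of what an SP must check before it acts on a SAML assertion (trusted issuer, signature, validity window, audience, replay) and how the released attributes then drive the finer-grained authorisation of a WMS layer. The entityIDs, attribute names, entitlement value, layer names and sample assertion are constructed for the example, and an HMAC over the assertion bytes stands in for the XML Signature a real Shibboleth SP verifies against the IdP certificate in federation metadata.

```python
"""Added example, not code from the slides or the Shibboleth project: the checks a
SAML Service Provider makes before trusting an assertion, then attribute-based
authorisation of a WMS layer.  EntityIDs, attribute names, entitlement, layers and
the sample assertion are constructed.  An HMAC over the assertion bytes stands in
for the XML Signature a real Shibboleth SP verifies with the IdP's metadata cert.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed trust configuration (normally taken from signed federation
# metadata): the IdPs this SP accepts and the key standing in for each IdP cert.
SP_ENTITY_ID = "https://wms.example.ac.uk/shibboleth"
IDP_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"
TRUSTED_IDPS = {IDP_ENTITY_ID: b"constructed-idp-signing-key"}

# Constructed authorisation policy: attribute values that unlock each WMS layer.
LAYER_POLICY = {
    "boundaries": {"eduPersonScopedAffiliation": {"member@example.ac.uk"}},
    "cadastral_parcels": {"eduPersonEntitlement": {"urn:mace:example.ac.uk:cadastre"}},
}
NOW = datetime(2011, 3, 28, 10, 0, tzinfo=timezone.utc)  # fixed clock for the demo
LIFETIME = timedelta(minutes=5)


def sign(xml_bytes, key):
    """Stand-in for XML-DSig: a detached HMAC-SHA256 over the exact assertion bytes."""
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_assertion(issuer, audience, issued, lifetime, attrs, assertion_id="_a1"):
    """Build a minimal SAML 2.0 assertion (constructed test input) as bytes."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attrs.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}" Version="2.0" '
        f'IssueInstant="{_ts(issued)}"><saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Conditions NotBefore="{_ts(issued)}" NotOnOrAfter="{_ts(issued + lifetime)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>"
    ).encode()


def validate_assertion(xml_bytes, signature, now, seen_ids):
    """Return the asserted attributes if every SP check passes; raise ValueError otherwise."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    # 1. The issuer must be an IdP the federation metadata says we trust.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    key = TRUSTED_IDPS.get(issuer)
    if key is None:
        raise ValueError(f"untrusted issuer {issuer!r}")
    # 2. The signature must verify with that IdP's key; any tampering fails here.
    if not hmac.compare_digest(sign(xml_bytes, key), signature):
        raise ValueError("signature does not verify")
    # 3. Validity window: SAML requires NotBefore <= now < NotOnOrAfter.
    cond = root.find("saml:Conditions", NS)
    if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    # 4. Audience: an assertion minted for another SP is not accepted here.
    audiences = {a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    # 5. Replay: each assertion ID is accepted once within its lifetime.
    if root.get("ID") in seen_ids:
        raise ValueError("replayed assertion")
    seen_ids.add(root.get("ID"))
    return {
        a.get("Name"): {v.text for v in a.iterfind("saml:AttributeValue", NS)}
        for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
    }


def layer_allowed(attrs, layer):
    """Finer-grained authorisation: grant the layer if any required attribute value is present."""
    required = LAYER_POLICY.get(layer, {})
    return any(attrs.get(name, set()) & values for name, values in required.items())


def demo():
    """A member of example.ac.uk with no cadastre entitlement requests both layers."""
    body = make_assertion(IDP_ENTITY_ID, SP_ENTITY_ID, NOW, LIFETIME,
                          {"eduPersonScopedAffiliation": ["member@example.ac.uk"]})
    attrs = validate_assertion(body, sign(body, TRUSTED_IDPS[IDP_ENTITY_ID]), NOW, set())
    return {layer: layer_allowed(attrs, layer) for layer in LAYER_POLICY}
```

Calling demo() returns {'boundaries': True, 'cadastral_parcels': False}: the user is authenticated by their home IdP, but it is the devolved attributes, not the fact of authentication, that decide what the SP releases. The seen_ids set is the SP's replay cache; in a real deployment it is shared across SP instances and entries expire with the assertion.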

UK Access Management Federation
• Managed by JISC Collections (previously JANET) and EDINA
  – Federation Operator: JISC Collections
  – Technical and Operational Support: EDINA
• 840 Member Organisations (IdPs and SPs)
• Approximately 8 million users
• Cost of running is not insignificant

Key Roles within an Access Management Federation
[Diagram: the Federation, with a Coordinating Centre, Identity Providers (IdP) and Service Providers (SP) belonging to member Organisations, and Users]

Basic SAML Concepts
[Figure] From the SAML Technical Overview (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

Service Provider Initiated Single Sign On
[Figure] From the SAML Technical Overview (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

Identity Provider Initiated Single Sign On
[Figure] From the SAML Technical Overview (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

Example Shibboleth Login Procedures
http://www.switch.ch/aai/demo/medium.html

Why put effort into federated access control?
• Authentication is the process of verifying that claims made concerning a subject attempting to access a resource, eg, its identity, are true, ie, authentic
• Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data
• The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler
• Article 19 of the INSPIRE Directive: ”…Member States may limit public access…etc, etc”.
• Even more so if removing some of the barriers to interoperability…

Why put effort into federated access control round OWS?
• Open geospatial interoperability standards underpin SDI
• OGC Standards are agnostic about security
• Grand challenge: the lack of a genuinely interoperable security solution is a major barrier to all sectors
• EU requested that the ESDIN project focus on testing practical existing solutions
• Prior work by the same team (JISC funded SEE-GEO project):
  – Demonstrated Shibb Access Control around WMS
  – No changes to the OWS interface specification
  – No changes to the core mainstream Shibboleth

Work to Date: ESDIN Project
• Resourced EDINA to build on in-house access control expertise
• An eContentplus Best Practice Network project
• Ran from Sept 2008 until end Feb 2011
• Coordinated by EuroGeographics
• From an AuthN perspective, the main ESDIN Use Case was Key Users, eg, EEA, EuroStat, JRC, accessing INSPIRE Annex 1 services from different member states
• Key goal: help member states prepare their data for INSPIRE Annex 1 themes

ESDIN – Mostly NMCAs
• Lantmäteriet
• The Finnish Geodetic Institute
• Statens kartverk
• Helsinki University of Technology
• National Land Survey of Finland
• Kort & Matrikelstyrelsen
• IGN Belgium
• Kadaster
• EDINA, University of Edinburgh
• Geodan Software Development & Technology
• Universität Münster
• Interactive Instruments
• Bundesamt für Kartographie und Geodäsie
• 1Spatial
• EuroGeographics
• Bundesamt für Eich- und Vermessungswesen
• IGN France
• Institute of Geodesy, Cartography and Remote Sensing
• National Technical University of Athens
• National Agency for Cadastre and Real Estate Publicity, Romania

OGC Interoperability Experiments (IEs)
• Key vehicle for taking the work forward
• Simple, low-overhead means for OGC members to get together and advance specific technical objectives within the OGC baseline
• Facilitated by OGC staff
• More lightweight than the OGC Web Services initiatives
• Focussed on specific interoperability issues
• Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations
• Duration normally around 6 months

Authentication IE
• Test standard ways of authentication between OGC clients and OGC Web Services
• Intended that the following mechanisms would be tested: HTTP Authentication; HTTP Cookies; SSL/X509; SAML; Shibboleth; OpenID; WS-Security
• ESDIN concentrated on:
  – Putting together a prototype Shibboleth Access Management Federation comprised mainly of NMCAs
  – Understanding how OWS clients could be modified to be capable of undergoing the Shibboleth interactions
• OGC Engineering Report: Doc 09-092r1

OGC Web Services Shibboleth IE (OSI)
• Started Aug 2010
• Previous work had shown it was possible to protect WMS with Shibb so that:
  – No mods required to the OGC interface
  – No mods required to the Shibb download
  – BUT mods required to OWS clients
• OSI provided the OGC software-producing community with the means and opportunity to modify OWS clients to work with Shibb
• Emphasis on desktop OWS client software
• Provide participants with the opportunity to demonstrate their software in action.

OSI - How
• Use the test ESDIN Federation to provide OSI participants with services to develop against
• Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile
  – http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
• Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile
• Regular telcons
• OSI Technology Integration Experiment event
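The desktop-client interaction the SAML ECP Profile bullet refers to, as an added example that is not the ESDIN reference client's code or anything from the slides: the client-side steps of the SAML 2.0 Enhanced Client or Proxy profile in Python, with the two envelopes the client receives constructed inline. The SP, IdP and endpoint URLs, the messageID and the RelayState values are placeholders, and no network calls are made. The comparison in check_idp_response is the check the profile requires of the client: it must not forward the IdP's response to the SP unless the IdP's AssertionConsumerServiceURL matches the responseConsumerURL the SP named in its PAOS request.

```python
"""Added example, not code from the ESDIN reference client or the slides: the
client-side steps of the SAML 2.0 Enhanced Client or Proxy (ECP) profile that a
desktop OWS client must implement, including the endpoint check the profile
requires before the SAML response is handed to the SP.  The SP and IdP envelopes,
URLs, messageID and RelayState are constructed placeholders; no HTTP is performed.
"""
import copy
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"
NS = {"S": SOAP, "paos": PAOS, "ecp": ECP,
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def ecp_request_headers():
    """Step 1: headers telling the SP this client speaks ECP rather than expecting redirects."""
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": f'ver="{PAOS}";"{ECP}"'}


def parse_sp_request(envelope):
    """Steps 2-3: read the SP's PAOS envelope and build the envelope bound for the IdP."""
    root = ET.fromstring(envelope)
    paos_req = root.find("S:Header/paos:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not a PAOS/ECP AuthnRequest envelope")
    relay = root.find("S:Header/ecp:RelayState", NS)
    # Only the AuthnRequest travels to the IdP; the PAOS and ECP headers were
    # addressed to the client and are stripped.
    idp_env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(idp_env, f"{{{SOAP}}}Body").append(copy.deepcopy(authn))
    return {"response_consumer_url": paos_req.get("responseConsumerURL"),
            "message_id": paos_req.get("messageID"),
            "relay_state": None if relay is None else relay.text,
            "idp_envelope": ET.tostring(idp_env)}


def check_idp_response(envelope, response_consumer_url):
    """Steps 4-5: extract the samlp:Response, refusing it if the two endpoints disagree."""
    root = ET.fromstring(envelope)
    ecp_resp = root.find("S:Header/ecp:Response", NS)
    body = root.find("S:Body", NS)
    if ecp_resp is None or body is None or len(body) == 0:
        raise ValueError("IdP envelope lacks an ecp:Response header or a body")
    acs_url = ecp_resp.get("AssertionConsumerServiceURL")
    # The profile obliges the client to compare the IdP's AssertionConsumerServiceURL
    # with the SP's responseConsumerURL and, on mismatch, to send the SP a SOAP fault
    # instead: the assertion never reaches an endpoint the SP did not name.
    if acs_url != response_consumer_url:
        raise ValueError(f"endpoint mismatch: IdP {acs_url!r} vs SP {response_consumer_url!r}")
    return ET.tostring(body[0])


def build_sp_response(saml_response, message_id, relay_state):
    """Step 6: wrap the samlp:Response in a PAOS envelope for the SP's ECP endpoint."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    soap_attrs = {f"{{{SOAP}}}mustUnderstand": "1", f"{{{SOAP}}}actor": ACTOR}
    paos_resp = ET.SubElement(header, f"{{{PAOS}}}Response", dict(soap_attrs))
    if message_id:
        paos_resp.set("refToMessageID", message_id)
    if relay_state is not None:
        ET.SubElement(header, f"{{{ECP}}}RelayState", dict(soap_attrs)).text = relay_state
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(saml_response))
    return ET.tostring(env)


# Constructed sample messages: what the SP and the IdP would return to the client.
SP_ENVELOPE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <S:Header>
  <paos:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
   responseConsumerURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP" messageID="constructed-msg-1"/>
  <ecp:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false">
   <saml:Issuer>https://wms.example.org/shibboleth</saml:Issuer></ecp:Request>
  <ecp:RelayState S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">constructed-relay</ecp:RelayState>
 </S:Header>
 <S:Body><samlp:AuthnRequest ID="_constructed_req" Version="2.0" IssueInstant="2011-03-28T10:00:00Z">
   <saml:Issuer>https://wms.example.org/shibboleth</saml:Issuer></samlp:AuthnRequest></S:Body>
</S:Envelope>"""
IDP_ENVELOPE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <S:Header><ecp:Response S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
   AssertionConsumerServiceURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP"/></S:Header>
 <S:Body><samlp:Response ID="_constructed_resp" Version="2.0" IssueInstant="2011-03-28T10:00:01Z"
   InResponseTo="_constructed_req"/></S:Body></S:Envelope>"""


def run_exchange(sp_envelope=SP_ENVELOPE, idp_envelope=IDP_ENVELOPE):
    """Drive the client side end to end; returns the envelope to POST to the SP."""
    sp = parse_sp_request(sp_envelope)
    saml_response = check_idp_response(idp_envelope, sp["response_consumer_url"])
    return build_sp_response(saml_response, sp["message_id"], sp["relay_state"])
```

A real client sends the headers from step 1 with its GET for the WMS capabilities document, POSTs the IdP-bound envelope to the IdP's ECP endpoint with the user's credentials (typically HTTP Basic over TLS), and POSTs the result of step 6 to responseConsumerURL with Content-Type application/vnd.paos+xml; the SP then answers with the resource and a session cookie, which is why the OWS interface itself needs no change.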

OSI - Who
• 31 individuals registered on the Shibb OGC portal site
• EDINA, Snowflake, Cadcorp, Envitia, con terra/ESRI, Joint Research Centre all modified their OWS client software or open source
• Federal Agency for Cartography and Geodesy (BKG) contributed another test Shibb federation they have been using for similar purposes
• Recently started EU funded BRISEIDE project
  – http://www.briseide.eu/

Technology Integration Experiment Webinar
• Afternoon of Thurs 18th November
• Approx 30 people turned up on the day
• EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC all demonstrated:
  – Different clients (desktop, browser, proxy)
  – Different services (WMS and WFS)
  – Different federations (ESDIN and BKG)

OSI - Outcomes
• Using Shibboleth to protect OWS is practical
• Not particularly difficult on the server side
• Not particularly difficult with browser-based clients
• More subtle with desktop-based clients, but possible with some effort in a short space of time
• This kind of “IE testbed” approach appreciated by participating OGC members
• Highly likely community support and tooling will be available if a decision is made to operationalise
• Draft Engineering Report (OGC 11-019r1)

Related Outcomes – Germany
• "Betriebsmodell GDI-DE" (Operating model for SDI Germany)
• Technical feasibility (authentication/authorisation)
  – Securing OWS using SAML via Shibb, XACML and GeoXACML
  – AuthN using the German Identity Card and connection to the eID interface
• Organisational requirements
  – Which SAML attributes for the Federation
  – Who is responsible for what
  – Costs
• Business Processes
  – Admitting/Excluding IdPs/SPs from the Federation
  – Roles and Processes in operating a WAYF
• Extending their Test Federation
  – Additional SPs serving real restricted data, eg, cadastral parcels via OWS
  – Not just geospatial data
  – Additional IdPs (including one that supports eID)
  – Establishing a WAYF
• Investigating additional Use Cases: Gov2Bus; Gov2Gov and Gov2Citz
• Results and Demo at InterGEO in Sept and at OGC TC later this year
• Why don’t we collaborate more? Inter-Federation?

Related Outcomes – Sweden
• Swedish NSDI Shibboleth project initiated
• Exact objectives still being formulated but likely to include:
  – Feasibility of replacing existing system with Shibboleth
  – Feasibility of devolving AuthN. Centralised at the moment
  – Issues relating to administering a Federation
  – Investigation of collaborative opportunities with other NMCAs. Something like the “Nordic Initiative” in respect of GeoNetwork

Where Next?

An INSPIRE Federation?
1. One federation, and every legally mandated organisation joins
2. Multiple federations: one in each country and one pan-European
3. One federation: one organisation in each country, the INSPIRE point of contact, joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services

An INSPIRE Federation?
[Diagram: a Coordinating Centre; OWS Providers offering WMS and WFS services, each with an IdP; Member State organisations, eg, INSPIRE Points of Contact; Key organisations, eg, EEA, JRC]

Workshop at INSPIRE Conference in June
• Title: Shibboleth Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment
• Original intention is a re-run of the Nov 2010 “plugfest”
• More public, slicker
• More member state NMCAs in the ESDIN Federation
• Maybe get more system suppliers to modify their software
• Up the level of discussion
• IOC Task Force Involvement?

Interoperable Geographic Information for Biosphere Study
• JISC funded IGIBS project from Apr 1st to 31st Oct 2011
• Partnership between EDINA, Aberystwyth University and Welsh Assembly Government (WAG)
• Focussed on Research and Education related to the UNESCO Dyfi Biosphere Reserve
• Allow users to create WMSs to view data in conjunction with reference data from WAG
• Access control so:
  – Students can publish intermediary results, or commercial-in-confidence datasets, etc.
  – WAG can make available a wider range of data
• Better integration between academic and public sector
• Opportunity to transfer knowledge and explore (a bit)

Lots of open questions
• How do e-commerce solutions bolt onto this architecture?
• What's the best way of approaching inter-federation interoperability?
• What's best practice in respect of interoperability with different member states' identity management systems?
• Similarly, pan-European identity management systems?
• What's best practice in terms of AuthZ infrastructures?
• How do the processes and roles involved in governing an access management federation map to those required for SDI governance?
• How may the more advanced service chaining patterns be realised where some or all of the services in the chain are protected?
• B. Lawrence, http://www.osdm.gov.au/SBF201011_Lawrence.pdf?ID=1072

Dimensions of Interoperability
[Figure] From the European Interoperability Framework for Pan-European eGovernment Services (http://ec.europa.eu/idabc/servlets/Docb0db.pdf?id=31597)

Comparison between OpenID and Shibb
[Figure] From EDINA “Review of OpenID”, 2007