Transcript Slide 1

OGC Interoperability
Experiments & Authentication
Association GI Laboratories Europe (AGILE) pre-conference workshop. Testbed research: Testing Geospatial and Services/Persistent Testbed, Utrecht, The Netherlands, 18th April, 2011.
EDINA National Data Centre, University of Edinburgh
Shibboleth
Internet2 consortium
• Open source package for web Single Sign On across admin boundaries based on standards:
– Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security assertions by obeying privacy policies
• Devolved authentication – maintain and leverage existing user management
• Enables finer grained authorisation through use of attributes
• Small coordination centre, large federation of organisations (service and identity providers)
Key Roles within an Access Management Federation
[Diagram: a Federation with a Coordinating Centre, Service Providers (SP), Identity Providers (IdP), Organisations and Users]
EDINA
A National Data Centre for Tertiary Education
• EDINA since 1995: …enhance the productivity of research, learning and teaching in UK higher and further education
• Focus is on services but also undertake R&D
• Shibboleth used primarily in academic sector
– https://www.aai.dfn.de/links/
– https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
• EDINA provides technical support in the operation of the UK Access Management Federation
– Approx 8 million users
– 837 Member Organisations (IdPs and SPs)
Why put effort into federated access control?
• Authentication is the process of verifying that claims made concerning a subject (eg, identity) who is attempting to access a resource are true, ie, authentic
• Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data
• The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler
• Example: Article 19 of the INSPIRE Directive
“…Member States may limit public access…etc, etc”.
• Even more so if removing some of the barriers to interoperability…
Why put effort into federated access control round OWS?
• Open geospatial interoperability standards underpin SDI
• OGC Standards are agnostic about security
• Grand challenge: the lack of a genuinely interoperable security solution is a major barrier to all sectors
• EU requested that the ESDIN project focus on testing practical existing solutions
Work to Date: ESDIN Project
• Resourced EDINA to build on in-house access control expertise
• An eContentplus Best Practice Network project
• Ran from Sept 2008 until end Feb 2011
• Coordinated by EuroGeographics
• From AuthN perspective, the main ESDIN Use Case was Key Users, eg, EEA, EuroStat, JRC, accessing INSPIRE Annex 1 services from different member states
• Key goal: help member states prepare their data for INSPIRE Annex 1 themes
EDINA’s Role in ESDIN
• Bring experience of:
– putting up operational OGC Web Services
– access management
• A point of contact for the European academic sector
• Help the NMCAs understand academic sector market
• Bring academic users
• Report on work done:
– http://www.esdin.eu/sites/esdin.eu/files/ESDIN%20D11%206%20services%20academic%20sector%20v4%200.pdf
Steps towards...
• Our users; students, lecturers, etc, getting access to INSPIRE compliant services:
– for research
– for education
• Our UK users getting access to European data
• And European academic sector users getting access to UK data
• Development of a European academic SDI
Key Vehicle - PTB Objectives
• To act as a research test-bed for collaborative European research in geospatial interoperability
• To aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency and ease of use and extensibility
• To provide an environment for teaching standards and techniques for geospatial interoperability
• To provide a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as definition, testing, validation and development of open standards
Overall Goal
[Diagram: a “Virtuous Circle” between the Public sector and the Academic sector. Labels: Real world SDI R&D requirements; Resources; Data; Better educated graduates; Future customers/employees used to using high quality public sector reference data via Geospatial Web Services; R&D requirements get met]
OGC Interoperability Experiments (IE’s)
• Key vehicle for taking the work forward
• Simple, low overhead, means for OGC members to get together and advance specific technical objectives within the OGC baseline
• Facilitated by OGC staff
• More lightweight than the OGC Web Services initiatives
• Focussed on specific interoperability issues
• Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations
• Duration normally around 6 months
Authentication IE
• Test standard ways of authentication between OGC clients and OGC Web Services
• Intended that the following mechanisms would be tested: HTTP Authentication; HTTP Cookies; SSL/X509; SAML; Shibboleth; OpenID; WS-Security
• ESDIN concentrated on:
– Putting together a prototype Shibboleth Access Management Federation comprised mainly of NMCA’s
– Understanding how OWS clients could be modified to be capable of undergoing the Shibboleth interactions
• OGC Engineering Report: Doc 09-092r1
OGC Web Services Shibboleth IE (OSI)
• Started Aug 2010
• Previous work had shown it was possible to protect WMS with Shibb so that:
– No mods required to the OGC interfaces
– No mods required to Shibb download
– BUT mods required to OWS clients
• OSI provided the OGC software producing community with means and opportunity of modifying OWS clients to work with Shibb
• Emphasis on desktop OWS client software
• Provide participants with the opportunity to demonstrate their software in action.
OSI - How
• Use the test ESDIN Federation to provide OSI participants with services to develop against
• Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile
– http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
• Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile
• Regular telcons
• OSI Technology Integration Experiment event
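As an added example (not code from the slides or from the ESDIN reference client), this shows the client-side modification the OSI work refers to: an ECP-conformant desktop OWS client has to request a PAOS envelope from the SP, and, before forwarding the IdP's reply to the SP, check that the IdP's AssertionConsumerServiceURL matches the responseConsumerURL the SP gave it, otherwise a response could be delivered to the wrong endpoint. The envelopes, the wms.example.org hostname and the RelayState value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Headers the modified OWS client adds to e.g. a WMS GetMap request so the
# SP answers with a PAOS envelope rather than an HTML redirect to the IdP.
ECP_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Constructed SP envelope (hypothetical Shibboleth-protected WMS at wms.example.org).
SP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>
<paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
 responseConsumerURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
<ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">ss:mem:1</ecp:RelayState>
</S:Header><S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1"/></S:Body></S:Envelope>"""

# Constructed IdP envelope; its ACS URL must equal the SP's responseConsumerURL.
IDP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>
<ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
 AssertionConsumerServiceURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP"/>
</S:Header><S:Body><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1"/></S:Body></S:Envelope>"""

def sp_consumer_url(envelope):
    """Where the SP told the client to deliver the IdP's response."""
    return ET.fromstring(envelope).find("S:Header/paos:Request", NS).get("responseConsumerURL")

def idp_acs_url(envelope):
    """Where the IdP says the response belongs (taken from the SP's AuthnRequest)."""
    return ET.fromstring(envelope).find("S:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")

def forward_to_sp(sp_envelope, idp_envelope):
    """Return (url, body) for the POST to the SP, or None if the URLs disagree (client must abort)."""
    url = sp_consumer_url(sp_envelope)
    if url != idp_acs_url(idp_envelope):
        return None
    root = ET.fromstring(idp_envelope)
    header = root.find("S:Header", NS)
    header.clear()  # drop ecp:Response; the SP expects paos:Response plus the RelayState it issued
    ET.SubElement(header, "{urn:liberty:paos:2003-08}Response",
                  {"{%s}mustUnderstand" % NS["S"]: "1",
                   "{%s}actor" % NS["S"]: "http://schemas.xmlsoap.org/soap/actor/next"})
    relay = ET.fromstring(sp_envelope).find("S:Header/ecp:RelayState", NS)
    if relay is not None:
        header.append(relay)
    return url, ET.tostring(root, encoding="unicode")
```

The body returned by `forward_to_sp` is POSTed to `url` with `Content-Type: application/vnd.paos+xml`; on a mismatch the profile requires the client to stop and send a SOAP fault to the SP instead.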
Technology Integration Experiment Webinar
• Afternoon of Thurs 18th November
• Approx 30 people turned up on the day
• EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC all demonstrated:
– Different clients (desktop, browser, proxy)
– Different services (WMS and WFS)
– Different federations (ESDIN and BKG)
OSI - Outcomes
• Using Shibboleth to protect OWS is practical
• Not particularly difficult on server side
• Not particularly difficult with browser based clients
• More subtle with desktop based clients but possible with some effort in short space of time
• This kind of “IE testbed” approach appreciated by participating OGC members
• Highly likely community support and tooling will be available if decision made to operationalise
• Draft Engineering Report (OGC 11-019r1)
Interoperable Geographic Information for Biosphere Study
• JISC funded IGIBS project from Apr 1st to 31st Oct 2011
• Partnership between EDINA, Aberystwyth University and Welsh Assembly Government (WAG)
• Focussed on Research and Education related to the UNESCO Dyfi Biosphere Reserve
• Allow users to create WMS’s to view data in conjunction with reference data from WAG
• Access control so:
– Students can publish intermediary results, or commercial in confidence datasets, etc.
– WAG can make available a wider range of data
• Better integration between academic and public sector
• Opportunity to transfer knowledge and explore (a bit)
Workshop at INSPIRE Conference in June
• Title: Shibboleth Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment
• Original intention is a re-run of the Nov 2010 “plugfest”
• More public, slicker
• More member state NMCA’s in ESDIN Federation
• Maybe get more system suppliers to modify their software
• Up the level of discussion
Consequences
• If they operationalise, it will be good for the academic sector:
– More Shibb enabled software/tooling will become available
– Our sector already had the technology in place and has understanding
– Well positioned to negotiate for access to data and services