• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Access Control in ESDIN: Shibboleth
 

Access Control in ESDIN: Shibboleth

on

  • 1,196 views

Presented by Chris Higgins at the ESDIN Closing Workshop, Brussels, Belgium, 29 March 2011.

Presented by Chris Higgins at the ESDIN Closing Workshop, Brussels, Belgium, 29 March 2011.

Statistics

Views

Total Views
1,196
Views on SlideShare
1,196
Embed Views
0

Actions

Likes
0
Downloads
8
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Better emphasize that this “security guy” does not have all the answers
  • Make this generic to show the components of a federation
  • User attempts to access a Shibboleth-protected resource on the Service Provider (SP) site. User is redirected to the WAYF in order to select their home organisation (IdP). Part of same exchange as 2. IdP ensures that user is authenticated, by whatever means IdP deems appropriate After successful authentication, a one-time handle (a SAML artefact) is generated for this user session. SP uses the handle to request attribute information from the IdP for this user IdP allows or denies attribute information to be made available to this SP Based on the attribute information made available, SP makes authorisation decision, ie, allows or denies the user access to the resource.
  • Not just SDI, many kinds of information infrastructure require access control Typically, authentication is a pre-requisite. Some use cases where you don’t, eg, public Barriers to interoperability include; cost, vendor lock-in, lack of a support community, not standards based, etc Return later to those last points
  • But not OSGB
  • Advantage of working within the processes of a Standards Body
  • ESDIN contributed Shibboleth No openID, ws-security for catalogue
  • Link back to profiles and IdP led as opposed to SP led flows
  • Access Management Federations (AMF) provide a practical organisational model for operational SDI Shibboleth is production strength Small centre, big network of organisations A fundamental SDI requirement demonstrated Additional SDI organisational requirements could be layered on top of the AMF, eg, governance Needs changes to the clients, but not the services or Shibboleth Potential INSPIRE compliant approach for establishing operational strength access control to ensure data provided is only available to legitimate government agencies!
  • Examples for each of the components Bindings : eg, HTTP Redirect, HTTP POST, HTTP Artifact Binding
  • Typical series of SAML interactions
  • Typical series of SAML interactions JRC has done something like this
  • Probably other activity taking place across Europe that I don’t know about. Geonetwork
  • “ British experience with building standards based networks for climate and environmental research”

Access Control in ESDIN: Shibboleth Access Control in ESDIN: Shibboleth Presentation Transcript

  • Access Control in ESDIN: Shibboleth ESDIN Closing Event, Brussels. 29 th March 2011 Chris Higgins, EDINA National Datacentre, University of Edinburgh. [email_address]
  • Shibboleth
    • Internet2 consortium
    • Open source package for web Single Sign On across admin boundaries based on standards:
      • Security Assertion Markup Language (SAML)‏
    • Organisations can exchange user information and make security assertions by obeying privacy policies
    • Devolved authentication – maintain and leverage existing user management
    • Enables finer grained authorisation through use of attributes
    • Small coordination centre, large federation of organisations (service and identity providers)
    • Many Shibboleth Access Management Federations:
      • https:// www.aai.dfn.de /links/
      • https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
  • EDINA
    • A National Data Centre for Tertiary Education since 1995
      • based at the University of Edinburgh, Scotland
    • Our mission...
    • to enhance the productivity of research, learning and teaching in UK higher and further education
    • Focus is on service but also undertake r&D
      • turn projects  services
    • In ESDIN one of our roles is to try to represent interests of the European academic sector – one of the identified target user groups
    • Technical and operational support for the UK Access Management Federation
  • Key Roles within an Access Management Federation SP SP SP SP SP SP SP SP SP SP SP Coordinating Centre Federation Service Providers Identity Providers Users Organisations SP SP IdP IdP IdP IdP IdP IdP
  • Example Shibboleth Login Procedures http:// www.switch.ch/aai/demo/medium.html
  • Why put effort into federated access control?
    • Authentication is the process of verifying that claims made concerning a subject, eg, identity, who is attempting to access a resource are true, ie, authentic
    • Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data
    • The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler
    • Article 19 of the INSPIRE Directive ”…Member States may limit public access…etc, etc”.
    • Even more so if removing some of the barriers to interoperability…
  • Why put effort into federated access control round OWS?
    • Open geospatial interoperability standards underpin SDI
    • OGC Standards agnostic about security
    • Grand challenge: lack of a genuinely interoperable security solution a major barrier to all sectors
    • EU requested that ESDIN project focus on testing practical existing solutions
    • Prior work by same team (JISC funded SEE-GEO project)
      • Demonstrated Shibb Access Control around WMS
      • No changes to the OWS interface specification
      • No changes to the core mainstream Shibboleth
  • Work to Date: ESDIN
    • Resourced EDINA to build on in-house access control expertise
    • An eContent plus Best Practice Network project
    • Ran from Sept 2008 until end Feb 2011
    • Coordinated by EuroGeographics
    • From AuthN perspective, the main ESDIN Use Case was Key Users, eg, EEA, EuroStat, JRC, accessing INSPIRE Annex 1 services from different member states
    • Key goal : help member states prepare their data for INSPIRE Annex 1 themes
  • ESDIN – Mostly NMCA’s Interactive Instruments Bundesamt für Kartographie und Geodäsie Lantmäteriet National Technical University of Athens IGN Belgium Bundesamt für Eich- und Vermessungswesen Universität Münster EDINA, University Edinburgh National Agency for Cadastre and Real Estate Publicity Romania Helsinki University of Technology IGN France Kadaster Kort & Matrikelstyrelsen Geodan Software Development & Technology 1Spatial The Finnish Geodetic Institute National Land Survey of Finland Institute of Geodesy, Cartography and Remote Sensing Statens kartverk EuroGeographics
  • OGC Interoperability Experiments (IE’s)
    • Key vehicle for taking the work forward
    • Simple, low overhead, means for OGC members to get together and advance specific technical objectives within the OGC baseline
    • Facilitated by OGC staff
    • More lightweight than the OGC Web Services initiatives
    • Focussed on specific interoperability issues
    • Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations
    • Duration normally around 6 months
  • Authentication IE
    • Test standard ways of authentication between OGC clients and OGC Web Services
    • Intended that the following mechanisms would be tested: HTTP Authentication; HTTP Cookies; SSL/X509; SAML; Shibboleth; OpenID; WS-Security
    • ESDIN concentrated on:
      • Putting together a prototype Shibboleth Access Management Federation comprised mainly of NMCA’s
      • Understanding how OWS clients could be modified to be capable of undergoing the Shibboleth interactions
    • OGC Engineering Report: Doc 09-092r1
  • OGC Web Services Shibboleth IE (OSI)
    • Started Aug 2010
    • Previous work had shown it was possible to protect WMS with Shibb so that:
      • No mods required to OGC the interface
      • No mods required to Shibb download
      • BUT mods required to OWS clients
    • OSI provided the OGC software producing community with means and opportunity of modifying OWS clients to work with Shibb
    • Emphasis on desktop OWS client software
    • Provide participants with the opportunity to demonstrate their software in action.
  • OSI - How
    • Use the test ESDIN Federation to provide OSI participants with services to develop against
    • Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile
      • http:// esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
    • Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile
    • Regular telcons
    • OSI Technology Integration Experiment event
  • OSI - Who
    • 31 individuals registered Shibb OGC portal site
    • EDINA, Snowflake, Cadcorp, Envitia, con terra/ESRI, Joint Research Centre all modified their OWS client software or open source
    • Federal Agency for Cartography and Geodesy (BKG) contributed another test Shibb federation they have been using for similar purposes
    • Recently started EU funded BRISEIDE project
      • http:// www.briseide.eu /
  • Technology Integration Experiment Webinar
    • Afternoon of Thurs 18 th November
    • Approx 30 people turned up on the day
    • EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC all demonstrated:
      • Different clients (desktop, browser, proxy)
      • Different services (WMS and WFS)
      • Different federations (ESDIN and BKG)
  • OSI - Outcomes
    • Using Shibboleth to protect OWS is practical
    • Not particularly difficult on server side
    • Not particularly difficult with browser based clients
    • More subtle with desktop based clients but possible with some effort in short space of time
    • This kind of “IE testbed” approach appreciated by participating OGC members
    • Highly likely community support and tooling will be available if decision made to operationalise
    • Draft Engineering Report (OGC 11-019r1)
  • Where Next?
  • An INSPIRE Federation? INSPIRE Federation OWS Providers Member State organisations, eg, NMCAs WMS Key organisations, eg. EEA, JRC WMS WMS WMS WMS WMS WFS WFS WFS WFS WFS WFS IdP IdP IdP IdP IdP IdP Coordinating Centre
  • Workshop at INSPIRE Conference in June
    • Title: Shibb Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment
    • Original intention is a re-run of the Nov 2010 “plugfest” but more public, slicker
    • Need more NMCA’s in ESDIN Federation
    • Maybe get more system suppliers to modify their software
    • Up the level of discussion
  • Lots of open questions
    • How do e-commerce solutions bolt onto this architecture?
    • Whats the best way of approaching inter-federation interoperability?
    • Whats best practice in respect of interoperability with different member states identity management systems?
    • Similarly, pan-European identity management systems?
    • Whats best practice in terms of AuthZ infrastructures?
    • How do the processes and roles involved in governing an access management federation map to those required for SDI governance?
    • How may the more advanced service chaining patterns be realised where some or all of the services in the chain are protected?
  • Dimensions of Interoperability
    • From the European Interoperability Framework for Pan-European eGovernment Services
    • ( http://ec.europa.eu/idabc/servlets/Docb0db.pdf?id=31597 )
  •  
  • UK Access Management Federation
    • Managed by JISC Collections (previously JANET) and EDINA
      • Federation Operator: JISC Collections
      • Technical and Operational Support: EDINA
    • 840 Member Organisations (IdPs and SPs)
    • Approximately 8 million users
    • Cost of running is not insignificant
  • Basic SAML Concepts
    • From the SAML Technical Overview
    • ( http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf )
    • From the SAML Technical Overview
    • ( http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf )
    Service Provider Initiated Single Sign On
    • From the SAML Technical Overview
    • ( http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf )
    Identity Provider Initiated Single Sign On
  • Related Outcomes – Germany
    • Betriebsmodell GDI-DE" (Operating model for SDI Germany)
    • Technical feasibility (authentication/authorisation)
      • Securing OWS using SAML via Shibb, XACML and geoXACML
      • AuthN using German Identity Card and connection to eID i/f
    • Organisational requirements
      • Which SAML attributes for the Federation
      • Who is responsible for what
      • Costs
    • Business Processes
      • Admitting/Excluding IdP/SP’s from the Federation
      • Roles and Processes in operation a WAYF
    • Extending their Test Federation
      • Additional SP’s serving real restricted data, eg, cadastral parcels via OWS
      • Not just geospatial data
      • Additional IdP’s (including one that supports eID)
      • Establishing a WAYF
    • Investigating additional Use Cases: Gov2Bus; Gov2Gov and Gov2Citz
    • Results and Demo at InterGEO in Sept and at OGC TC later this year
    • Why don’t we collaborate more? Inter-Federation?
  • Related Outcomes – Sweden
    • Swedish NSDI Shibboleth project initiated
    • Exact objectives still being formulated but likely to include:
      • Feasibility of replacing existing system with Shibboleth
      • Feasibility of devolving AuthN. Centralised at the moment
      • Issues relating to administering a Federation
      • Investigation of collaborative opportunities with other NMCA’s. Something like the “Nordic Initiative” in respect of GeoNetwork
  • An INSPIRE Federation?
    • One federation and every legally mandated organisation joins
    • Multiple federations: one in each country and one pan-European
    • One federation: one organisation in each country, the INSPIRE point of contact joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services
  • Interoperable Geographic Information for Biosphere Study
    • JISC funded IGIBS project from Apr 1 st to 31 st Oct 2011
    • Partnership between EDINA, Aberystwyth University and Welsh Assembly Government (WAG)
    • Focussed on Research and Education related to the UNESCO Dyfi Biosphere Reserve
    • Allow users to create WMS’s to view data in conjunction with reference data from WAG
    • Access control so:
      • Students can publish intermediary results, or commercial in confidence datasets, etc.
      • WAG can make available a wider range of data
    • Better integration between academic and public sector
    • Opportunity to transfer knowledge and explore (a bit)
  • Comparison between OpenID and Shibb
    • From EDINA “Review of OpenID”, 2007
  • B. Lawrence, http:// www.switch.ch/aai/demo/medium.html