1. Access Control in ESDIN: Shibboleth. ESDIN Closing Event, Brussels, 29th March 2011. Chris Higgins, EDINA National Datacentre, University of Edinburgh. [email_address]
4. Key Roles within an Access Management Federation [diagram: a Coordinating Centre at the heart of the Federation, surrounded by Service Providers (SP), Identity Providers (IdP), Users and Organisations]
9. ESDIN – Mostly NMCAs
- Interactive Instruments
- Bundesamt für Kartographie und Geodäsie
- Lantmäteriet
- National Technical University of Athens
- IGN Belgium
- Bundesamt für Eich- und Vermessungswesen
- Universität Münster
- EDINA, University of Edinburgh
- National Agency for Cadastre and Real Estate Publicity, Romania
- Helsinki University of Technology
- IGN France
- Kadaster
- Kort & Matrikelstyrelsen
- Geodan Software Development & Technology
- 1Spatial
- The Finnish Geodetic Institute
- National Land Survey of Finland
- Institute of Geodesy, Cartography and Remote Sensing
- Statens kartverk
- EuroGeographics
18. An INSPIRE Federation? [diagram: an INSPIRE Federation with a Coordinating Centre; OWS Providers offering WMS and WFS services, drawn from Member State organisations, eg, NMCAs, and key organisations, eg, EEA, JRC; plus the organisations' IdPs]
32. B. Lawrence, http://www.switch.ch/aai/demo/medium.html
Editor's Notes
Better emphasize that this “security guy” does not have all the answers
Make this generic to show the components of a federation
1. User attempts to access a Shibboleth-protected resource on the Service Provider (SP) site.
2. User is redirected to the WAYF in order to select their home organisation (IdP).
3. Part of the same exchange as 2.
4. IdP ensures that the user is authenticated, by whatever means the IdP deems appropriate.
5. After successful authentication, a one-time handle (a SAML artefact) is generated for this user session.
6. SP uses the handle to request attribute information from the IdP for this user.
7. IdP allows or denies attribute information to be made available to this SP.
8. Based on the attribute information made available, the SP makes the authorisation decision, ie, allows or denies the user access to the resource.
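The eight steps above as a runnable toy model, added here as an illustration and not code from ESDIN, Shibboleth or EDINA. The class names, the sample users, the attribute release policy and the "WAYF" dictionary are all assumptions; what it shows is why the handle is one-time (a replayed handle resolves to nothing), that attribute release is a per-SP policy decision at the IdP (step 7), and that the SP decides on released attributes alone (step 8).

```python
"""Toy model of the eight-step Shibboleth exchange in the notes above.

Added illustration only: classes, attribute names and sample users are
assumptions, not code from ESDIN, Shibboleth or EDINA. Runs offline.
"""
import secrets
import time


class IdentityProvider:
    """Authenticates users and releases attributes to SPs under a policy."""

    def __init__(self, users, release_policy, artefact_ttl=60):
        self.users = users                    # constructed user directory
        self.release_policy = release_policy  # sp name -> releasable attributes
        self.artefact_ttl = artefact_ttl      # seconds a handle stays valid
        self._artefacts = {}                  # handle -> (username, issued_at)

    def authenticate(self, username, password):
        """Steps 4-5: check credentials by whatever means the IdP chooses
        (a constructed password check here) and mint a one-time handle."""
        record = self.users.get(username)
        if record is None or record["password"] != password:
            return None
        handle = secrets.token_urlsafe(16)
        self._artefacts[handle] = (username, time.monotonic())
        return handle

    def resolve_artefact(self, handle, sp_name):
        """Steps 6-7: back-channel attribute query. The handle is consumed on
        first use; unknown or expired handles resolve to None, and only the
        attributes the policy lists for this SP come back. (Assumption: sp_name
        is trusted; a real IdP authenticates the SP on the back channel.)"""
        entry = self._artefacts.pop(handle, None)  # pop, not get: one-time
        if entry is None:
            return None
        username, issued_at = entry
        if time.monotonic() - issued_at > self.artefact_ttl:
            return None
        allowed = self.release_policy.get(sp_name, set())
        attrs = self.users[username]["attributes"]
        return {k: v for k, v in attrs.items() if k in allowed}


class ServiceProvider:
    """Protects a resource and authorises purely on released attributes."""

    def __init__(self, name, wayf, required):
        self.name = name
        self.wayf = wayf          # home organisation -> IdentityProvider
        self.required = required  # attribute -> acceptable values

    def access(self, home_org, username, password):
        """Drive the whole exchange; returns (granted, reason)."""
        idp = self.wayf.get(home_org)          # steps 1-3: WAYF selection
        if idp is None:
            return False, "unknown home organisation"
        handle = idp.authenticate(username, password)
        if handle is None:
            return False, "authentication failed"
        attrs = idp.resolve_artefact(handle, self.name)
        if attrs is None:
            return False, "artefact rejected"
        return self.authorise(attrs)           # step 8

    def authorise(self, attrs):
        for attr, acceptable in self.required.items():
            if attrs.get(attr) not in acceptable:
                return False, f"missing or unacceptable attribute: {attr}"
        return True, "access granted"


def build_federation():
    """Constructed one-IdP, one-SP federation; every name is illustrative."""
    users = {
        "alice": {"password": "correct horse", "attributes": {
            "eduPersonAffiliation": "staff",
            "eduPersonEntitlement": "urn:example:esdin:wfs",
            "mail": "alice@nmca.example"}},
        "bob": {"password": "hunter2", "attributes": {
            "eduPersonAffiliation": "student", "mail": "bob@nmca.example"}},
    }
    # Release policy: the WFS SP may see affiliation and entitlement, never mail.
    idp = IdentityProvider(users, {"wfs-sp": {"eduPersonAffiliation",
                                              "eduPersonEntitlement"}})
    sp = ServiceProvider("wfs-sp", {"NMCA": idp},
                         {"eduPersonEntitlement": {"urn:example:esdin:wfs"}})
    return sp, idp


def run_scenarios():
    """Exercise the happy path and the failure modes; returns a results dict."""
    sp, idp = build_federation()
    results = {
        "staff_ok": sp.access("NMCA", "alice", "correct horse"),
        "bad_password": sp.access("NMCA", "alice", "wrong"),
        "no_entitlement": sp.access("NMCA", "bob", "hunter2"),
        "unknown_org": sp.access("Elsewhere", "alice", "correct horse"),
    }
    handle = idp.authenticate("alice", "correct horse")
    first = idp.resolve_artefact(handle, "wfs-sp")
    second = idp.resolve_artefact(handle, "wfs-sp")  # replay of a used handle
    results["replay_blocked"] = first is not None and second is None
    results["mail_withheld"] = "mail" not in first
    # An SP absent from the release policy gets an empty attribute set.
    results["unlisted_sp"] = idp.resolve_artefact(
        idp.authenticate("alice", "correct horse"), "other-sp")
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Two design points carry over to a real deployment: the SP never sees the user's credentials (only the IdP does), and the IdP's release policy, not the SP's request, decides which attributes cross the federation boundary.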
Not just SDI: many kinds of information infrastructure require access control. Typically, authentication is a pre-requisite. Some use cases where you don't, eg, public. Barriers to interoperability include: cost, vendor lock-in, lack of a support community, not standards based, etc. Return later to those last points.
But not OSGB
Advantage of working within the processes of a Standards Body
ESDIN contributed Shibboleth. No OpenID; WS-Security for catalogue.
Link back to profiles and IdP-led as opposed to SP-led flows.
- Access Management Federations (AMF) provide a practical organisational model for operational SDI.
- Shibboleth is production strength.
- Small centre, big network of organisations.
- A fundamental SDI requirement demonstrated.
- Additional SDI organisational requirements could be layered on top of the AMF, eg, governance.
- Needs changes to the clients, but not the services or Shibboleth.
- Potential INSPIRE compliant approach for establishing operational strength access control to ensure data provided is only available to legitimate government agencies!
Examples for each of the components. Bindings: eg, HTTP Redirect, HTTP POST, HTTP Artifact Binding.
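The three bindings named above, shown as the encodings a client or IdP endpoint would actually perform. This is an added illustration, not code from ESDIN or Shibboleth; the AuthnRequest XML is constructed sample data and the entity IDs and endpoint URLs are placeholders. HTTP-Redirect carries the message DEFLATE-compressed, base64-encoded and URL-encoded in the query string; HTTP-POST carries it base64-encoded in an auto-submitted form; HTTP-Artifact carries only a short opaque reference (the SAML 2.0 type 0x0004 layout) and the message itself travels over a back channel.

```python
"""Encoding a SAML message for the Redirect, POST and Artifact bindings.

Added illustration, not ESDIN or Shibboleth code. AUTHN_REQUEST is a
constructed sample; entity IDs and endpoint URLs are placeholders.
"""
import base64
import hashlib
import secrets
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample request with placeholder identifiers.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req-constructed-1" Version="2.0" IssueInstant="2011-03-29T09:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.org/shibboleth</saml:Issuer></samlp:AuthnRequest>'
)


def redirect_binding_url(sso_url, xml, relay_state=None):
    """HTTP-Redirect: raw DEFLATE (wbits=-15, no zlib header), then base64,
    then URL-encode into the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = "SAMLRequest=" + quote(base64.b64encode(deflated).decode(), safe="")
    if relay_state is not None:
        query += "&RelayState=" + quote(relay_state, safe="")
    return f"{sso_url}?{query}"


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url, as the IdP's SSO endpoint would do it."""
    params = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode()


def post_binding_form(sso_url, xml):
    """HTTP-POST: base64 only, no compression, in a hidden form field that the
    browser auto-submits. Returns the form fields rather than HTML."""
    return {"action": sso_url,
            "SAMLRequest": base64.b64encode(xml.encode()).decode()}


def decode_post_binding(form):
    return base64.b64decode(form["SAMLRequest"]).decode()


def make_artifact(issuer_entity_id, endpoint_index=0):
    """HTTP-Artifact (SAML 2.0 type 0x0004): 2-byte type code, 2-byte endpoint
    index, SHA-1 of the issuer's entityID (SourceID), 20 random bytes
    (MessageHandle). The browser carries only this; the receiver resolves it
    to the real message over the back channel."""
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
    raw = (b"\x00\x04" + endpoint_index.to_bytes(2, "big")
           + source_id + secrets.token_bytes(20))
    return base64.b64encode(raw).decode()


def parse_artifact(artifact):
    """Split a type-4 artifact into its fields; the SourceID tells the receiver
    which issuer to query, the handle is the per-message lookup key."""
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a SAML 2.0 type-4 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24].hex(), "handle": raw[24:].hex()}


if __name__ == "__main__":
    url = redirect_binding_url("https://idp.example.org/SSO", AUTHN_REQUEST, "r")
    print(url)
    print(decode_redirect_binding(url) == AUTHN_REQUEST)
    print(parse_artifact(make_artifact("https://idp.example.org/idp/shibboleth")))
```

The reason the front-channel bindings matter for access control is that a message in a URL or form body is visible to and modifiable by the browser, so it must be signed or its content checked server-side; the artifact binding sidesteps that by keeping the message off the front channel entirely, which is what makes the one-time handle in the flow above workable.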
Typical series of SAML interactions
Typical series of SAML interactions. JRC has done something like this.
Probably other activity taking place across Europe that I don’t know about. Geonetwork
“British experience with building standards based networks for climate and environmental research”