ESDIN - OGC Web Services Shibboleth Interoperability Experiment (OSI)


Published on

Webinar given by Chris Higgins on 18 November 2010

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Not just SDI, many kinds of information infrastructure require access control
    Typically, authentication is a pre-requisite. Some use cases where you don’t, eg, public
    Barriers to interoperability include; cost, vendor lock-in, lack of a support community, not standards based, etc
    Return later to those last points
  • Mostly in the academic sector
    Identity protected
    Millions of users
    Talk a bit about the ESDIN Federation
  • Make this generic to show the components of a federation
  • Access Management Federations (AMF) provide a practical organisational model for operational SDI
    Shibboleth is production strength
    Small centre, big network of organisations
    A fundamental SDI requirement demonstrated
    Additional SDI organisational requirements could be layered on top of the AMF, eg, governance
    Needs changes to the clients, but not the services or Shibboleth
    Potential INSPIRE compliant approach for establishing operational strength access control to ensure data provided is only available to legitimate government agencies!
  • ESDIN - OGC Web Services Shibboleth Interoperability Experiment (OSI)

    1. 1. OGC Web Services Shibboleth Interoperability Experiment (OSI) Chris Higgins, IE Manager, EDINA National Datacentre, Scotland Webinar, Thursday, Nov 18, 2010
    2. 2. OGC Web Services Shibboleth Interoperability Experiment Some housekeeping • Audio separate from webinar. Phone in on: +1 512 225 3050 Participant Code: 55699# • Please mute if not speaking and in conversation with colleagues, or in a busy room, etc. • Submit questions via the “chat” pod. Will collate these and get through as many as possible at the end. • Session is being recorded
    3. 3. Some introductions • Team that has worked on integrating Shibboleth/OWS: – Self, Andrew Seales, Michael Koutroumpas and Andreas Matheus • IE Initiating Organisations: – EDINA, Snowflake and Cadcorp • IE Participants – EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC – BKG (German NMA) provided another federation • OGC IE Facilitator: – Luis Bermudez
    4. 4. EDINA • A National Data Centre for Tertiary Education since 1995 – based at the University of Edinburgh, Scotland • Our mission... to enhance the productivity of research, learning and teaching in UK higher and further education • Focus is on service but also undertake r&D – turn projects  services • In ESDIN one of our roles is to try to represent interests of the European academic sector – one of the identified target user groups
    5. 5. • An eContentplus Best Practice Network project • Started September 2008. Ends March 2011 • Coordinated by EuroGeographics • Key goal: help member states, candidate countries and EFTA States prepare their data for INSPIRE Annex 1 spatial data themes and improve access: 1. Administrative Boundaries 2. Cadastral Parcels 3. Hydrography 4. Transport Networks 5. Geographical Names ESDIN Project
    6. 6. ESDIN project info ( Interactive Instruments Bundesamt für Kartographie und Geodäsie Lantmäteriet National Technical University of Athens IGN Belgium Bundesamt für Eich- und Vermessungswesen Universität Münster EDINA, University Edinburgh National Agency for Cadastre and Real Estate Publicity Romania Helsinki University of Technology IGN France Kadaster Kort & Matrikelstyrelsen Geodan Software Development & Technology 1Spatial The Finnish Geodetic Institute National Land Survey of Finland Institute of Geodesy, Cartography and Remote Sensing Statens kartverk EuroGeographics
    7. 7. Why put effort into federated access control? • Authentication is the process of verifying that claims made concerning a subject, eg, identity, who is attempting to access a resource are true, ie, authentic • Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, data • The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler • Even more so if removing some of the barriers to interoperability…
    8. 8. Shibboleth • Internet2 consortium • Open source package for web Single Sign On across admin boundaries based on standards: – Security Assertion Markup Language (SAML) • Organisations can exchange user information and make security assertions by obeying privacy policies • Small coordination centre, large federation of organisations (service and identity providers) • Devolved authentication – maintain and leverage existing user management • Enables finer grained authorisation through use of attributes • Many Shibboleth Access Management Federations across Globe
    9. 9. SP SPIdP IdP IdP IdP SP SP SP SP SP SP SP SPSP Coordinating Centre Federation Service Providers Identity Providers Users Organisations IdP IdP SP SP
    10. 10. Why put effort into federated access control round OGC Web Services? • Requested by the commission to focus on testing practical existing solutions • Opportunity to build on earlier work undertaken by same team (JISC funded SEE-GEO project) – Showed Shibboleth Access Control around WMS • Key findings current work; the solution required: – No changes to the OWS interface specifications – No changes to the core mainstream Shibboleth – BUT, does require changes to OWS desktop clients
    11. 11. IdP IdP IdP IdP INSPIRE Federation OWS Providers Member State organisations, eg, NMCAs IdP IdP WMS Key organisations, eg. EEA, JRC WMS WMS WMS WMS WMS WFS WFS WFS WFS WFS WFS
    12. 12. What we set out to do in this IE • Provide the OGC community with the opportunity to demonstrate their desktop client software being capable of consuming OWS within Shibboleth Access Management Federations – Protected ESDIN Federation OWS to develop against – Reference implementation of desktop client • Result: a variety of different clients capable of undergoing the Shibboleth/SAML interactions – Browser based clients, ie OpenLayers based – Desktop based clients • Result: a better understanding of the issues
    13. 13. OGC Interoperability Experiment • IEs are part of the OGC Interoperability program, which includes other activities, such as Pilots and Testbeds. • The IE is focused on an interoperability issue related to the OGC Technical Baseline. • The IE completion timeframe is reasonable (4-6 months). • The IE is “lightweight” – focuses on a single interoperability issue. • All materials, documents, lessons learned, and other findings developed as a result of the IE will be shared with the OGC membership. • The expected results: Engineering Report, Best Practice Report, and Change Requests.
    14. 14. What we intend to do today • Show these clients in action • But note. Aggressive timeline. The Kickoff telcon was on Sept 30th , ie, seven weeks ago. • Different clients, some browser based, some desktop, accessing various WMS and WFS • Series of Single Sign On scenarios The best-laid schemes o' mice an' men Gang aft agley, (Robert Burns)
    15. 15. Example: Desktop Client, WMS SSO, Desktop Client, WmS EDINA Cadcorp Envitia 1 Attempt access protected service User not previously authenticated 2 User picks IdP 3 Authenticates 4 Demonstrates access to data 5 Attempts access different protected services within the Federation Already authenticated 6 Demonstrates access to data
    16. 16. OGC Web Services Shibboleth Interoperability Experiment Some housekeeping • Audio separate from webinar. Phone in on: +1 512 225 3050 Participant Code: 55699# • Please mute if not speaking and in conversation with colleagues, or in a busy room, etc. • Submit questions via the “chat” pod. Will collate these and get through as many as possible at the end. • Session is being recorded