Watch timing. Original title: “Authentication and the Shibboleth Test”. Session: “C3-NMA day - Euro SDR: NMCAs, universities and private players gathered for applied research”, 13:30, room 251.
Cannot assume all in the audience know about Shibboleth. Mostly in the academic sector. Identity protected. Millions of users. Talk a bit about the ESDIN Federation.
Effectively, develop the European academic SDI.
Shibboleth IE-related work emerged from the PTB. The testbed aspect was valued by the IE participants. Objectives have proven robust.
Even if all data is open (free-of-charge online access), you often still need to know who is accessing it. And some data will never be completely open due to personal privacy issues, e.g., cadastral parcels?
Make the scope clear, e.g., not licensing, GeoRM, authorisation (authZ), etc. Framework agreements.
This diagram is adapted from the SWITCH website.
Shibboleth is not the only available technology, e.g., OpenID; it is effectively the reference implementation for SAML.
Access Management Federations (AMFs) provide a practical organisational model for operational SDI. Shibboleth is production strength: a small centre, a big network of organisations. A fundamental SDI requirement has been demonstrated. Additional SDI organisational requirements could be layered on top of the AMF, e.g., governance. This needs changes to the clients, but not to the services or to Shibboleth. Potential INSPIRE-compliant approach for establishing operational-strength access control, to ensure that data provided is only available to legitimate government agencies!
Mention that I have not talked about SAML; refer to the INSPIRE paper.
No more than a rephrasing of the PTB objectives? If the NMCAs find a new market, then great.
Likely that there will be multiple federations with no inter-federation interoperability.
Some Academic Sector/NMCA outcomes from the OGC Web Service Shibboleth Interoperability Experiment
International Cartographic Conference, Paris, July 2011
Chris Higgins, IE Manager, [email_address]
Many of the most valuable SDI resources are protected
These resources frequently in different admin domains
Example: Article 19 of the INSPIRE Directive: “…Member States may limit public access…”, etc.
No widely accepted standard for securing these protected geospatial resources
Consequence: lots of point solutions
Major interoperability barrier, e.g., how can a cross-border application consume protected OWS while having to deal with multiple different access control mechanisms?
Make everything open? or,
Access Management Federations (AMFs)? or, …?
What can Access Management Federations do for us?
Fundamental requirement: information on who is accessing your valuable resource = authentication
An AMF allows secure sharing of authentication information across administrative domains
The members of the federation form a circle of trust and agree to a set of policies and technologies
Provides Single Sign On
My cross-border application can now access a protected resource in country A and be challenged for credentials at my home institution. Now I can also access additional federation resources (if authorised) in countries A, B, C, …, without needing to re-authenticate.
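The SSO step on this slide, where the protected OWS (acting as SAML Service Provider) accepts an assertion issued by the user's home-institution IdP, is where the circle of trust is actually enforced. The Python below is an added example and is not code from the talk or from the Interoperability Experiment: it loads constructed federation metadata and then applies the checks an SP must make on a received assertion after its XML signature has been verified: the issuer is an IdP listed in the federation metadata (a plain SP entity in the same metadata is not a trusted issuer), the Conditions time window holds within a clock-skew allowance, and the AudienceRestriction names this SP. The entityIDs, hostnames, certificate text, assertion contents and the 180-second skew are assumptions; XML-DSig verification is outside the standard library and is left to the SP's SAML stack.

```python
# Added example, not from the talk: the trust and Conditions checks a SAML Service
# Provider (the protected OWS) in an Access Management Federation applies to an
# assertion from the user's home IdP. Standard library only; entityIDs, certificate
# text and the assertions are constructed placeholders.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLOCK_SKEW = dt.timedelta(seconds=180)  # assumed allowance; SP stacks make it configurable

# Constructed federation metadata: one IdP and one SP in the circle of trust.
FEDERATION_METADATA = """<md:EntitiesDescriptor Name="urn:example:federation"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.university-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-A</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wms.nmca-b.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_trusted_idps(metadata_xml):
    """Map IdP entityID -> list of signing certificates (base64 DER text) taken from the
    federation metadata. Entities without an IDPSSODescriptor (plain SPs) are not
    trusted issuers and are left out."""
    idps = {}
    for ed in ET.fromstring(metadata_xml).iterfind("md:EntityDescriptor", NS):
        certs = []
        for kd in ed.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":  # no 'use' attribute means any use
                continue
            certs += [c.text.strip() for c in kd.iterfind(".//ds:X509Certificate", NS)]
        if certs:
            idps[ed.get("entityID")] = certs
    return idps


def _saml_time(value):
    # SAML dateTime values are UTC with a 'Z' suffix; fromisoformat wants a numeric offset.
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(assertion_xml, trusted_idps, sp_entity_id, now):
    """Return (accepted, reason, name_id). Run these AFTER the XML signature has been
    verified (xmlsec or the SP's SAML stack) against trusted_idps[issuer]: a validly
    signed assertion from an IdP outside the federation, an expired one, or one
    addressed to a different SP must all be refused."""
    a = ET.fromstring(assertion_xml)
    if a.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML 2.0 Assertion", None
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_idps:
        return False, "issuer not in federation metadata: %r" % issuer, None
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element", None
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < _saml_time(not_before):
        return False, "assertion not yet valid", None
    if not_on_or_after and now - CLOCK_SKEW >= _saml_time(not_on_or_after):
        return False, "assertion expired", None
    audiences = [e.text.strip() for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "assertion not addressed to this SP: %r" % audiences, None
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        return False, "no Subject/NameID", None
    return True, "ok", name_id


def make_assertion(issuer, audience, not_before, not_on_or_after, name_id="alice@university-a.example"):
    """Constructed, unsigned assertion body for the demo (a real one carries ds:Signature)."""
    return """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo"
    Version="2.0" IssueInstant="%s">
  <saml:Issuer>%s</saml:Issuer>
  <saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="%s" NotOnOrAfter="%s">
    <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""" % (not_before, issuer, name_id, not_before, not_on_or_after, audience)


IDP_A = "https://idp.university-a.example/idp/shibboleth"  # the user's home IdP (assumed)
OWS_SP = "https://wms.nmca-b.example/shibboleth"           # a protected OWS in country B (assumed)
NOW = dt.datetime(2011, 7, 4, 12, 0, tzinfo=dt.timezone.utc)


def run_demo(now=NOW):
    """Accept the genuine home-IdP assertion; refuse a rogue IdP, a wrong audience, an expired one."""
    idps = load_trusted_idps(FEDERATION_METADATA)
    window = ("2011-07-04T11:58:00Z", "2011-07-04T12:05:00Z")
    cases = {"home_idp": make_assertion(IDP_A, OWS_SP, *window),
             "rogue_idp": make_assertion("https://idp.attacker.example/idp", OWS_SP, *window),
             "other_sp": make_assertion(IDP_A, "https://other.example/shibboleth", *window),
             "expired": make_assertion(IDP_A, OWS_SP, "2011-07-04T10:00:00Z", "2011-07-04T10:05:00Z")}
    return {name: check_assertion(xml, idps, OWS_SP, now)[0] for name, xml in cases.items()}
```

The first check is where the federation question on the following slides bites: the SP only trusts issuers present in the metadata it loads. If an OWS in country B loads only its national federation's metadata, an assertion from a university IdP in country A fails the issuer check even though it is correctly signed, which is exactly the situation that either a single pan-European federation or inter-federation metadata exchange is meant to resolve.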
One federation, and every legally mandated organisation joins
Multiple federations: one in each country and one pan-European
One federation: one organisation in each country, the INSPIRE point of contact, joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in that country that are standing up INSPIRE services
Multiple federations: one in each country and inter-federation interoperability ensures SSO