OGC Interoperability Experiments and Authentication
 


Presented by Chris Higgins at 14th AGILE Conference on Geographic Information Science, 18 April 2011 Utrecht, Netherlands.


Speaker Notes

  • Make this generic to show the components of a federation.
  • Cannot assume all in audience know about Shibb. Mostly in the academic sector. Identity protected. Millions of users. Talk a bit about the ESDIN Federation.
  • Not just SDI, many kinds of information infrastructure require access control. Typically, authentication is a pre-requisite. Some use cases where you don’t, eg, public. Barriers to interoperability include: cost, vendor lock-in, lack of a support community, not standards based, etc. Return later to those last points.
  • Started out with intention of building things. Lack of resources = networking organisation.
  • Element of knowledge transfer about this project.
  • Advantage of working within the processes of a Standards Body.
  • ESDIN contributed Shibboleth. No OpenID; WS-Security for catalogue.
  • Link back to profiles and IdP-led as opposed to SP-led flows.

Presentation Transcript

  • OGC Interoperability Experiments & Authentication. Association of Geographic Information Laboratories in Europe (AGILE) pre-conference workshop. Testbed research: Testing Geospatial and Services/Persistent Testbed, Utrecht, The Netherlands, 18th April, 2011. [email_address] EDINA National Data Centre, University of Edinburgh
  • Shibboleth
    • Internet2 consortium
    • Open source package for web Single Sign On across admin boundaries based on standards:
      • Security Assertion Markup Language (SAML)
    • Organisations can exchange user information and make security assertions by obeying privacy policies
    • Devolved authentication – maintain and leverage existing user management
    • Enables finer grained authorisation through use of attributes
    • Small coordination centre, large federation of organisations (service and identity providers)
  • Key Roles within an Access Management Federation (diagram showing the Coordinating Centre, the Federation, Service Providers (SP), Identity Providers (IdP), Users and Organisations)
  • EDINA
    • A National Data Centre for Tertiary Education since 1995
    • … enhance the productivity of research, learning and teaching in UK higher and further education
    • Focus is on services but also undertake R&D
    • Shibboleth used primarily in academic sector
      • https://www.aai.dfn.de/links/
      • https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
    • EDINA provides technical support in the operation of the UK Access Management Federation
      • Approx 8 million users
      • 837 Member Organisations (IdPs and SPs)
  • Why put effort into federated access control?
    • Authentication is the process of verifying that claims made concerning a subject who is attempting to access a resource, eg, its identity, are true, ie, authentic
    • Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data
    • The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler
    • Example: Article 19 of the INSPIRE Directive: “…Member States may limit public access…” etc, etc
    • Even more so if removing some of the barriers to interoperability…
  • Why put effort into federated access control round OWS?
    • Open geospatial interoperability standards underpin SDI
    • OGC Standards agnostic about security
    • Grand challenge: lack of a genuinely interoperable security solution a major barrier to all sectors
    • EU requested that ESDIN project focus on testing practical existing solutions
  • Work to Date: ESDIN Project
    • Resourced EDINA to build on in-house access control expertise
    • An eContent plus Best Practice Network project
    • Ran from Sept 2008 until end Feb 2011
    • Coordinated by EuroGeographics
    • From AuthN perspective, the main ESDIN Use Case was Key Users, eg, EEA, EuroStat, JRC, accessing INSPIRE Annex 1 services from different member states
    • Key goal : help member states prepare their data for INSPIRE Annex 1 themes
  • EDINA’s Role in ESDIN
    • Bring experience of:
      • putting up operational OGC Web Services
      • access management
    • A point of contact for the European academic sector
    • Help the NMCAs understand academic sector market
    • Bring academic users
    • Report on work done:
      • http://www.esdin.eu/sites/esdin.eu/files/ESDIN%20D11%206%20services%20academic%20sector%20v4%200.pdf
    • Our users; students, lecturers, etc, getting access to INSPIRE compliant services:
      • for research
      • for education
    • Our UK users getting access to European data
    • And European academic sector users getting access to UK data
    • Steps towards the development of a European academic SDI
  • Key Vehicle - PTB Objectives
    • To act as a research test-bed for collaborative European research in geospatial interoperability,
    • To aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency and ease of use and extensibility
    • To provide an environment for teaching standards and techniques for geospatial interoperability
    • To provide a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as definition, testing, validation and development of open standards
  • Overall Goal (diagram: a virtuous circle between the public sector and the academic sector)
    • Public sector
    • Academic sector
    • Real world SDI R&D requirements
    • Resources
    • Data
    • Better educated graduates
    • Future customers/employees used to using high quality public sector reference data via Geospatial Web Services
    • R&D requirements get met
  • OGC Interoperability Experiments (IE’s)
    • Key vehicle for taking the work forward
    • Simple, low overhead, means for OGC members to get together and advance specific technical objectives within the OGC baseline
    • Facilitated by OGC staff
    • More lightweight than the OGC Web Services initiatives
    • Focussed on specific interoperability issues
    • Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations
    • Duration normally around 6 months
  • Authentication IE
    • Test standard ways of authentication between OGC clients and OGC Web Services
    • Intended that the following mechanisms would be tested: HTTP Authentication; HTTP Cookies; SSL/X509; SAML; Shibboleth; OpenID; WS-Security
    • ESDIN concentrated on:
      • Putting together a prototype Shibboleth Access Management Federation comprised mainly of NMCAs
      • Understanding how OWS clients could be modified to be capable of undergoing the Shibboleth interactions
    • OGC Engineering Report: Doc 09-092r1
  • OGC Web Services Shibboleth IE (OSI)
    • Started Aug 2010
    • Previous work had shown it was possible to protect WMS with Shibb so that:
      • No mods required to the OGC interfaces
      • No mods required to Shibb download
      • BUT mods required to OWS clients
    • OSI provided the OGC software producing community with means and opportunity of modifying OWS clients to work with Shibb
    • Emphasis on desktop OWS client software
    • Provide participants with the opportunity to demonstrate their software in action.
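The server side the slide describes (WMS protected by Shibboleth with no change to the OGC interface, and attribute-based authorisation as mentioned on the Shibboleth slide), as an added example that is not part of the slides or the ESDIN federation’s configuration. It assumes Shibboleth SP 2.5 or later running under Apache httpd 2.4; the paths, hostnames and the scoped affiliation values are assumptions.

```apache
# Added example (not from the slides or the ESDIN federation).
# Assumed: Shibboleth SP 2.5+ as an Apache 2.4 module, WMS served under /wms.

# Shibboleth SP handler. The SAML2/ECP endpoint that desktop clients talk to
# is served under here once ECP="true" is set on the <SSO> element in
# shibboleth2.xml (assumption about the SP-side setting, see the usage note).
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# The WMS itself is untouched: MapServer/GeoServer/etc. keeps answering
# GetCapabilities and GetMap exactly as before, it just sits behind this gate.
<Location /wms>
    AuthType shibboleth
    ShibRequestSetting requireSession 1

    # Coarse gate: any authenticated user from any federation IdP.
    # Require valid-user

    # Finer grained authorisation from released attributes: "affiliation" is
    # eduPersonScopedAffiliation under the SP's default attribute-map.xml.
    # Only members of the first scope or staff of the second get through;
    # the scopes are assumed values, substitute the federation's real ones.
    Require shib-attr affiliation member@ed.ac.uk staff@aber.ac.uk
</Location>
```

Nothing in the WMS changes, which is the "no mods required to the OGC interfaces" point: the SP module answers the first request from a browser client with a redirect to the IdP (Web Browser SSO profile), and answers a request carrying the ECP `Accept`/`PAOS` headers with a PAOS-bound AuthnRequest instead, provided ECP is enabled on the SP's `<SSO>` element. A plain OWS client that does neither just sees an HTML login page where it expected capabilities XML, which is why the desktop clients needed modifying.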
  • OSI - How
    • Use the test ESDIN Federation to provide OSI participants with services to develop against
    • Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile
      • http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
    • Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile
    • Regular telcons
    • OSI Technology Integration Experiment event
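What the modified desktop client actually has to do under the SAML ECP Profile, as an added example in Python; this is not the ESDIN reference client’s code nor anything from the slides. The message shapes, headers and the mandatory URL check are the ECP profile’s own; the hostnames, endpoint paths (the Shibboleth SP and IdP defaults are assumed), RelayState value and XML messages are constructed samples, and HTTP transport is left out so the block runs offline.

```python
import xml.etree.ElementTree as ET

# Added example, not the ESDIN reference client. Sample data below is constructed.
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Step 1: sent with the ordinary WMS GET. They tell the SP the client can do ECP, so it
# answers with a PAOS-bound AuthnRequest instead of the Web Browser SSO redirect.
ECP_REQUEST_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Constructed sample of the SP's PAOS reply (endpoint path is the Shibboleth SP default).
SP_PAOS_RESPONSE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <S:Header>
  <paos:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
    service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
    responseConsumerURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP"/>
  <ecp:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
    IsPassive="false"><saml:Issuer>https://wms.example.org/shibboleth</saml:Issuer></ecp:Request>
  <ecp:RelayState S:actor="http://schemas.xmlsoap.org/soap/actor/next"
    S:mustUnderstand="1">ss:mem:abc123</ecp:RelayState>
 </S:Header>
 <S:Body>
  <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2011-04-18T10:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
    AssertionConsumerServiceURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP">
   <saml:Issuer>https://wms.example.org/shibboleth</saml:Issuer>
  </samlp:AuthnRequest>
 </S:Body>
</S:Envelope>"""

# Constructed sample of the IdP's reply to the forwarded AuthnRequest; the signed
# saml:Assertion inside samlp:Response is omitted to keep the sample short.
IDP_RESPONSE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <S:Header>
  <ecp:Response S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
    AssertionConsumerServiceURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP"/>
 </S:Header>
 <S:Body>
  <samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2011-04-18T10:00:01Z"
    Destination="https://wms.example.org/Shibboleth.sso/SAML2/ECP">
   <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  </samlp:Response>
 </S:Body>
</S:Envelope>"""

# Constructed attack case: a rogue SP borrows wms.example.org's Issuer (so the IdP
# builds the response for the real SP) but asks for delivery to its own endpoint.
ROGUE_SP_RESPONSE = SP_PAOS_RESPONSE.replace(
    b'responseConsumerURL="https://wms.example.org', b'responseConsumerURL="https://rogue.example.net')


def parse_sp_response(envelope):
    """Step 2: keep responseConsumerURL and RelayState from the SP's PAOS envelope and
    build the plain SOAP envelope (AuthnRequest only, PAOS/ECP headers stripped) that is
    POSTed with HTTP Basic auth to the IdP's ECP endpoint (assumed /idp/profile/SAML2/SOAP/ECP)."""
    root = ET.fromstring(envelope)
    header = root.find("S:Header", NS)
    to_idp = ET.Element("{%s}Envelope" % NS["S"])
    to_idp.append(root.find("S:Body", NS))
    return {
        "response_consumer_url": header.find("paos:Request", NS).get("responseConsumerURL"),
        "relay_state": header.find("ecp:RelayState", NS),
        "idp_envelope": ET.tostring(to_idp),
    }


def acs_url_matches(sp_info, idp_envelope):
    """Step 3, the check the profile makes the client responsible for: the IdP's
    AssertionConsumerServiceURL (from the Issuer's metadata) must equal the SP's
    responseConsumerURL. A mismatch means whoever started the flow is not the SP
    the assertion is for, and the client must not deliver it there."""
    resp = ET.fromstring(idp_envelope).find("S:Header/ecp:Response", NS)
    return resp is not None and resp.get("AssertionConsumerServiceURL") == sp_info["response_consumer_url"]


def build_sp_delivery(sp_info, idp_envelope):
    """Step 4: replace the ecp:Response header with the SP's RelayState and return (url, body)
    to POST with Content-Type application/vnd.paos+xml; the SP then issues its session cookie."""
    if not acs_url_matches(sp_info, idp_envelope):
        raise ValueError("ACS URL mismatch: send a SOAP fault to responseConsumerURL, not the assertion")
    env = ET.Element("{%s}Envelope" % NS["S"])
    ET.SubElement(env, "{%s}Header" % NS["S"]).append(sp_info["relay_state"])
    env.append(ET.fromstring(idp_envelope).find("S:Body", NS))
    return sp_info["response_consumer_url"], ET.tostring(env)
```

Wiring this to HTTP in a client: GET the WMS URL with `ECP_REQUEST_HEADERS`; if the reply’s Content-Type is `application/vnd.paos+xml`, run `parse_sp_response`, POST `idp_envelope` to the IdP’s ECP endpoint with the user’s Basic credentials, run `build_sp_delivery` on the reply, POST the result to the returned URL, keep the SP’s session cookie and repeat the original GET (subsequent GetMap calls reuse the cookie). The `acs_url_matches` check is what stops a rogue SP that borrows a real SP’s Issuer from having the user’s IdP-signed response delivered to itself; on mismatch the profile says to send a SOAP fault to the responseConsumerURL rather than the assertion, which is why `build_sp_delivery` refuses instead of falling through.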
  • Technology Integration Experiment Webinar
    • Afternoon of Thurs 18th November
    • Approx 30 people turned up on the day
    • EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC all demonstrated:
      • Different clients (desktop, browser, proxy)
      • Different services (WMS and WFS)
      • Different federations (ESDIN and BKG)
  • OSI - Outcomes
    • Using Shibboleth to protect OWS is practical
    • Not particularly difficult on server side
    • Not particularly difficult with browser based clients
    • More subtle with desktop based clients but possible with some effort in short space of time
    • This kind of “IE testbed” approach appreciated by participating OGC members
    • Highly likely community support and tooling will be available if decision made to operationalise
    • Draft Engineering Report (OGC 11-019r1)
  • Interoperable Geographic Information for Biosphere Study
    • JISC funded IGIBS project from 1st April to 31st October 2011
    • Partnership between EDINA, Aberystwyth University and Welsh Assembly Government (WAG)
    • Focussed on Research and Education related to the UNESCO Dyfi Biosphere Reserve
    • Allow users to create WMSs to view data in conjunction with reference data from WAG
    • Access control so:
      • Students can publish intermediary results, or commercial in confidence datasets, etc.
      • WAG can make available a wider range of data
    • Better integration between academic and public sector
    • Opportunity to transfer knowledge and explore (a bit)
  • Workshop at INSPIRE Conference in June
    • Title: Shibboleth Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment
    • Original intention is a re-run of the Nov 2010 “plugfest”
    • More public, slicker
    • More member state NMCAs in ESDIN Federation
    • Maybe get more system suppliers to modify their software
    • Up the level of discussion
  • Consequences
    • If they operationalise, it will be good for the academic sector:
      • More Shibb enabled software/tooling will become available
      • Our sector already had the technology in place and has understanding
      • Well positioned to negotiate for access to data and services