Web Services Tiered Internet Authorization (WSTIERIA) 21 June 2011 Fiona Culloch [email_address]
Presented by Fiona Culloch at AIM End of Programme meeting, Birmingham, 21/06/2011

1. Title slide: Web Services Tiered Internet Authorization (WSTIERIA), 21 June 2011, Fiona Culloch [email_address]
2. Output 1: Digimap changes
   - Modified the production Digimap service
     - To give non-browser GIS clients (ArcView etc.)
       - Access to Digimap data via web services
       - Using OGC standards (Web Map Service etc.)
       - UK federation authentication of registered users, with SSO
       - As an alternative to large downloads of raw data
3. Output 2: DIY instructions
   - Short (7-page) "how-to" document
     - Control access to existing web services
     - From non-browser clients
     - Without modifying the web service
     - Implementable by an average sysadmin
     - Using only off-the-shelf software
       - Apache web server (with mod_rewrite)
       - A little scripting (Perl, or anything else)
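The slide names the ingredients (Apache, mod_rewrite, a small script) but the how-to itself is not on this page. The block below is an added illustration of one way those ingredients fit together; it is not EDINA's script. It assumes a design in which a Shibboleth-protected page mints a random per-user token after browser SSO, the user pastes a token-prefixed URL into the GIS client, and mod_rewrite consults this program (as a `prg:` RewriteMap) before proxying to the untouched backend. The hostnames, paths, the `/t/<token>/` URL layout and the Apache fragment in the docstring are all assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical mod_rewrite 'prg' RewriteMap for token-protected web services.

Added illustration, not EDINA's code. Assumed design:
  * A Shibboleth-protected page on the same Apache mints a random per-user
    token after browser SSO and records sha256(token) -> (principal, expiry).
  * The user pastes https://proxy.example.org/t/<token>/wms?... into a GIS
    client that knows nothing about SAML.
  * Apache asks this program whether <token> is live and proxies to the
    unmodified backend only if it is (assumed configuration):

      RewriteEngine On
      RewriteMap wstoken "prg:/usr/local/bin/wstieria_map.py"
      RewriteCond %{REQUEST_URI} ^/t/([A-Za-z0-9_-]+)/
      RewriteCond ${wstoken:%1|NULL} !=NULL
      RewriteRule ^/t/[A-Za-z0-9_-]+/(.*)$ http://wms.internal/$1 [P,L]
      RewriteRule ^/t/ - [F]
"""
import hashlib
import re
import sys
import time

NULL = "NULL"  # the answer mod_rewrite treats as "no mapping" from a prg map
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,64}$")


def _h(token):
    """Store only a hash: a leaked token file must not yield usable URLs."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


# Constructed sample store; a real deployment would read a file or database
# written by the Shibboleth-protected token page.
TOKEN_STORE = {
    _h("good-token-aaaaaaaaaaaaaaaaaaaa"): ("alice@example.ac.uk", 4102444800),  # 2100-01-01
    _h("stale-token-bbbbbbbbbbbbbbbbbbb"): ("bob@example.ac.uk", 946684800),     # 2000-01-01
}


def lookup(token, now=None):
    """Return the principal for a live token, else the string NULL."""
    if now is None:
        now = time.time()
    if not TOKEN_RE.match(token):      # reject odd input before touching the store
        return NULL
    entry = TOKEN_STORE.get(_h(token))
    if entry is None:
        return NULL
    principal, expiry = entry
    if now >= expiry:                  # expired tokens must stop working
        return NULL
    return principal


def serve(inp=sys.stdin, out=sys.stdout):
    """One key per line in, one answer per line out, flushed every time.
    mod_rewrite blocks until the program answers, and a prg map that dies
    takes every mapping down with it, so never raise and never buffer."""
    for line in inp:
        try:
            out.write(lookup(line.rstrip("\r\n")) + "\n")
        except Exception:
            out.write(NULL + "\n")
        out.flush()


if __name__ == "__main__":
    serve()
```

Because the proxy rewrites the token out of the path (`$1` only), the backend never sees it, and the client never sees Shibboleth; the token is a bearer credential, so it must be random, hashed at rest, expiring, and only ever carried over TLS.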
4. Output 3: Try Shibboleth delegation
   - Set up a dev & test environment
     - PM1: Eclipse + Maven2
     - VM1: IdP + delegation plugin
     - VM2: example client (JSP) + Shib SP1 + JASIG delegation library
     - PM2: example web service (WSP) + Shib SP2
   - "Hello, world"-level success!
     - User goes to the JSP behind SP1 and logs in at the IdP
     - JSP calls the JASIG library to GET from the WSP behind SP2
     - Library accesses SP2 using a delegatable token from the IdP; the user does not need to log in to SP2
5. Successes
   - Production service (Digimap) using the UK federation for non-browser web services
   - A route to interoperation of unmodified web services and unmodified non-browser clients with the UK federation
   - Demonstrated deployability of the new Shibboleth delegation software by a developer outside the Shibboleth team
6. Lesson 1: Delegation limitations
   - Delegation depends on the IdP and all SPs involved
     - Supporting SAML2 plus parts of the Liberty specifications
     - SP implementation (Shibboleth 2.2+)
   - The IdP deployer must explicitly name:
     - SP entities allowed to delegate
     - SP entities they may delegate to, etc.
   - Probably rules out cross-organisational scenarios for now, leaving
     - Intra-organisation applications (e.g. a student portal)
7. Lesson 2: uPortal not needed
   - The original delegation use case was a uPortal web app invoking portlets
   - It was not known whether the delegation library depended on that uPortal context
   - The project showed how a non-uPortal web app (a JSP) can use the delegation library
8. Lesson 3: Delegation & UK federation
   - Potential issue identified
     - UK federation (and others, e.g. InCommon) moving from CA-issued to self-signed trust-fabric certificates, i.e. trust comes from the certificate published in federation metadata rather than from a CA chain
     - Delegation library rejects these because they are not in the standard Java CA trust list
     - Reported to the developer (Unicon); response awaited
9. Failures
   - No deployments outside EDINA
   - No future external partner identified
   - Attempt to apply the simple Apache + scripting technique to WebDAV
     - Limited success (only the easy cases worked)
     - A protocol that carries server URLs in bodies and headers (e.g. hrefs in PROPFIND responses, the Destination of COPY/MOVE) defeats the simple URL-rewriting technique
     - Wrote up the experience as a tech note
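The tech note is not on this page, so the block below is an added illustration of what "server URLs in data & headers" means for a URL-prefix proxy, not EDINA's code. It assumes the same token-prefixed public URL layout as above, a public host `proxy.example.org`, a backend `dav.internal:8080`, and a constructed 207 Multi-Status body; all of these are assumptions. It shows the two directions a working WebDAV front end would have to handle: the client's `Destination` header on COPY/MOVE (which must also be checked to stay inside the token's namespace, otherwise a MOVE could write outside the tree the token authorises), and the `DAV:href` elements in response bodies, which a mod_rewrite-only setup never sees.

```python
"""Why WebDAV defeats a URL-prefix proxy: server URLs travel inside headers
and bodies. Added illustration, not the project's tech note; PUBLIC, BACKEND,
the /t/<token>/ prefix and the sample 207 body are all assumptions."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

PUBLIC = "https://proxy.example.org"   # what the client is given (assumed)
BACKEND = "http://dav.internal:8080"   # unmodified WebDAV server (assumed)
ET.register_namespace("D", "DAV:")


def public_to_backend(url, token):
    """Inbound: a client-supplied absolute URL (the Destination header of
    COPY/MOVE) is mapped back to the backend, and must stay inside the same
    token's namespace so the authorisation covers both ends of the operation."""
    p = urlsplit(url)
    prefix = "/t/%s/" % token
    if "%s://%s" % (p.scheme, p.netloc) != PUBLIC or not p.path.startswith(prefix):
        raise ValueError("Destination outside this token's namespace: " + url)
    b = urlsplit(BACKEND)
    return urlunsplit((b.scheme, b.netloc, "/" + p.path[len(prefix):], p.query, ""))


def backend_to_public(url, token):
    """Outbound: hrefs the server emits (absolute path or full URL) are
    rewritten so the client keeps using the token-prefixed namespace."""
    p = urlsplit(url)
    if p.netloc and "%s://%s" % (p.scheme, p.netloc) != BACKEND:
        return url  # points at some other server; not ours to rewrite
    return PUBLIC + urlunsplit(("", "", "/t/%s%s" % (token, p.path), p.query, p.fragment))


def rewrite_request_headers(headers, token):
    """Copy of the client's headers with Destination mapped to the backend."""
    out = dict(headers)
    if "Destination" in out:
        out["Destination"] = public_to_backend(out["Destination"], token)
    return out


def rewrite_response_headers(headers, token):
    """Copy of the backend's headers with Location mapped to the public name."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = backend_to_public(out["Location"], token)
    return out


def rewrite_multistatus(body, token):
    """Rewrite every DAV:href in a 207 Multi-Status body. This is the part a
    mod_rewrite-only setup cannot do: it never sees response bodies."""
    root = ET.fromstring(body)
    for href in root.iter("{DAV:}href"):
        if href.text:
            href.text = backend_to_public(href.text.strip(), token)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def hrefs(body):
    """Helper: list the DAV:href values in a Multi-Status body."""
    return [h.text for h in ET.fromstring(body).iter("{DAV:}href")]


# Constructed sample: what the backend might return for PROPFIND /docs/ Depth: 1
SAMPLE_207 = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/docs/</D:href>
    <D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status></D:propstat>
  </D:response>
  <D:response>
    <D:href>http://dav.internal:8080/docs/report.pdf</D:href>
    <D:propstat><D:prop><D:getcontentlength>1234</D:getcontentlength></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status></D:propstat>
  </D:response>
</D:multistatus>"""

if __name__ == "__main__":
    tok = "tok123"
    print(rewrite_request_headers({"Destination": PUBLIC + "/t/tok123/docs/old.pdf"}, tok))
    print(rewrite_multistatus(SAMPLE_207, tok).decode())
```

The body rewriting is exactly what pushes the problem beyond mod_rewrite into a full application-level proxy (mod_proxy_html-style filtering or a purpose-written gateway), which is where the "simple technique" stopped being simple.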
10. Future
    - Shibboleth developers
      - Migrate the delegation library into the SP code?
      - Let the IdP configuration optionally take the delegation audiences (SP2, ..., SPn) from SP1's metadata
    - EDINA
      - More interesting examples (INSPIRE?)
    - Community
      - Apply the techniques!
