Web Services Tiered Internet Authorization (WSTIERIA)
Upcoming SlideShare
Loading in...5

Web Services Tiered Internet Authorization (WSTIERIA)



Presented by Fiona Culloch at AIM End of Programme meeting, Birmingham, 21/06/2011

Presented by Fiona Culloch at AIM End of Programme meeting, Birmingham, 21/06/2011



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Web Services Tiered Internet Authorization (WSTIERIA) Web Services Tiered Internet Authorization (WSTIERIA) Presentation Transcript

  • Web Services Tiered Internet Authorization (WSTIERIA) 21 June 2011 Fiona Culloch [email_address]
  • Output 1: Digimap changes
    • Modified production Digimap service
      • To give non-browser GIS clients (ArcView etc.)
        • Access to Digimap data via web services
        • Using OGC standards (Web Map Service etc.)
        • UK federation authentication of registered users, with SSO
        • As alternative to large downloads of raw data
  • Output 2: DIY instructions
    • Short document (7 pages) on “how-to”
      • Control access to existing web services
      • From non-browser clients
      • Without modifying the web service
      • Implementable by average sysadmin
      • Using only off-the-shelf software
        • Apache web server (with mod_rewrite)
        • A little scripting (perl, or anything else)
  • Output 3: Try Shibboleth delegation
    • Set up dev & test environment
      • PM1: Eclipse + Maven2
      • VM1: IdP + delegation plugin
      • VM2: example client (JSP) + Shib SP1 + JASIG delegation library
      • PM2: example web service (WSP) + Shib SP2
    • “ Hello, world”-level success!
      • User goes to JSP/SP1, logs in at IdP
      • JSP calls JASIG library to GET from WSP/SP2
      • Lib accesses SP2 using delegatable token from IdP; user does not need to log in to SP2
  • Successes
    • Production service (Digimap) using UK fed. for non-browser web services
    • Route to interoperation of unmodified web services, unmodified non-browser clients with UK federation
    • Demonstrated deployability of new Shibboleth delegation software by developer outside the Shibboleth team
  • Lesson 1: Delegation limitations
    • Delegation depends on IdP & all SPs
      • Supporting SAML2, bits of Liberty
      • SP implementation (Shibboleth 2.2+)
    • IdP deployer must explicitly name:
      • SP entities allowed to delegate
      • SP entities they can delegate to, etc, etc.
    • Probably rules out cross-organisational scenarios for now, leaving
      • Intra-org applications (e.g. student portal)
  • Lesson 2: uPortal not needed
    • Original delegation use case was uPortal web app invoking portlets
    • Wasn’t known if delegation library depended on this uPortal context
    • Project showed how a non-uPortal web app (JSP) can use delegation library
  • Lesson 3: Delegation & UK federation
    • Potential issue identified
      • UK federation (& others, e.g. InCommon) moving from CAs to self-signed trust-fabric certs
      • Delegation library rejects these because not in std. Java CA trust list
      • Reported to developer (Unicon), response awaited
  • Failures
    • No deployments outside EDINA
    • No future external partner identified
    • Attempt to apply the simple Apache + scripting technique to WebDAV
      • Limited success (only easy cases worked)
      • Protocol with server URLs in data & headers defeats simple technique
      • Wrote up experience as tech note
  • Future
    • Shibboleth developers
      • Migrate delegation library into SP code?
      • IdP config optionally take delegation audiences (SP2,…,n) from SP1 metadata
    • EDINA
      • More interesting examples (INSPIRE?)
    • Community
      • Apply techniques!