Authentication Use Cases


Presenter: Chris Higgins, EDINA

Presentation given at ESDIN Work Package 4 Workshop
IGN Belgium, Brussels,
19th May 2010

Looking at two ESDIN authentication use cases:

1. Secure access by desktop client to medium and small scale ESDIN download service

2. Secure access by desktop client to large scale ESDIN download service

Published in: Education, Technology, Business
Slide notes:
  • Advantage is that this approach is well known, testable, and can guide implementation. More to follow: view services, browser-based clients.
  • Will need to explain Shibboleth and SAML here.
  • But who maintains this? How difficult to administer? What's involved? Who pays? What are the legal ramifications?
  • An OGC mechanism. Pricing, licensing, required infrastructure and other matters remain to be worked out and documented. Would be interested in exploring further scenarios/use cases, e.g., different SPs, different themes, same area.
  • Authentication Use Cases

    1. Authentication Use Cases. ESDIN Work Package 4 Workshop, IGN Belgium, Brussels, 19th May 2010
    2. What is authentication?
         • … a mandatory part of access control concerned with establishing that claims made concerning a subject who is attempting to use a particular resource are authentic, i.e., true
    3. Two Use Cases:
         • Secure access by desktop client to medium and small scale ESDIN download service
         • Secure access by desktop client to large scale ESDIN download service
    4. Actors
         • Key ESDIN users of pan-European geographical data, e.g., JRC, EEA, EuroStat.
         • But could be any user where there is a requirement to know who is taking the data
    5. Description
         • For a wide variety of different reasons, individuals at organizations such as the EEA, JRC or EC need to be able to access secure ESDIN download services on top of pan-European coverage ExM data at medium and small scales. The downloaded data will be accessed via a desktop client and will be either EBM, ERM, EGM or user defined.
    6. Trigger
         • Various; user has need for harmonized pan-European data
    7. Preconditions
         1. Harmonised ExM data available at medium and small scales via a basic WFS serving up data with pan-European coverage
         2. The user's organisation and the ExM WFS service provider are part of the same access management federation
         3. User has access to a desktop client capable of undergoing the Shibboleth/SAML interaction
    8. Postconditions
         1. User has been authenticated and authorized
         2. Data has been delivered to the user's WFS client application
    9. Normal Flow
         1. User's application issues a GetCapabilities request
         2. User selects their Identity Provider from a list of IdPs
         3. Authenticates
         4. GetCapabilities request followed by however many DescribeFeatureType, GetFeature requests and responses as necessary to satisfy user's requirements
    10. Alternative Flows
         1. Single Sign On. User has already authenticated at another federation service provider and is not required to authenticate again
    11. Exceptions
         1. User not authorised. Authorisation exception
         2. Illegal request leading to a service exception
         3. Security exception in case of attack
    12. Priority
         • High; being able to securely exchange identity information to make authorisation decisions is a fundamental pre-requisite of a large number of SDI scenarios
    13. Frequency of use
         • High
    14. Assumptions
         • It is assumed that a trust federation comprising the ESDIN partners and cooperating organisations will have been established and is being maintained
    15. Notes and issues
         • Cross-federation interoperability not assumed but likely to be desirable under several scenarios, e.g., the EEA operates its own federation-like partnership, the European Environment Information and Observation Network (EEIONet).
    16. AuthN Interoperability Experiment
         • OGC mechanism looking at various alternatives
         • Implementing these use cases under WP11
         • Two federations created:
              • ESDIN NMCAs
              • University members of the European Persistent Geospatial Testbed for Research and Education
         • Exploring cross-federation scenario where it is agreed universities get access to ExM data
    17. Contact
         • Chris Higgins
         • [email_address]