Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

ESDIN - OGC Web Services Shibboleth Interoperability Experiment (OSI)

1,336 views

Published on

Webinar given by Chris Higgins on 18 November 2010

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

ESDIN - OGC Web Services Shibboleth Interoperability Experiment (OSI)

  1. 1. OGC Web Services Shibboleth Interoperability Experiment (OSI) Chris Higgins, IE Manager, EDINA National Datacentre, Scotland Webinar, Thursday, Nov 18, 2010
  2. 2. OGC Web Services Shibboleth Interoperability Experiment Some housekeeping • Audio separate from webinar. Phone in on: +1 512 225 3050 Participant Code: 55699# • Please mute if not speaking and in conversation with colleagues, or in a busy room, etc. • Submit questions via the “chat” pod. Will collate these and get through as many as possible at the end. • Session is being recorded
  3. 3. Some introductions • Team that has worked on integrating Shibboleth/OWS: – Self, Andrew Seales, Michael Koutroumpas and Andreas Matheus • IE Initiating Organisations: – EDINA, Snowflake and Cadcorp • IE Participants – EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC – BKG (German NMA) provided another federation • OGC IE Facilitator: – Luis Bermudez
  4. 4. EDINA • A National Data Centre for Tertiary Education since 1995 – based at the University of Edinburgh, Scotland • Our mission... to enhance the productivity of research, learning and teaching in UK higher and further education • Focus is on service but also undertake r&D – turn projects  services • In ESDIN one of our roles is to try to represent interests of the European academic sector – one of the identified target user groups
  5. 5. • An eContentplus Best Practice Network project • Started September 2008. Ends March 2011 • Coordinated by EuroGeographics • Key goal: help member states, candidate countries and EFTA States prepare their data for INSPIRE Annex 1 spatial data themes and improve access: 1. Administrative Boundaries 2. Cadastral Parcels 3. Hydrography 4. Transport Networks 5. Geographical Names ESDIN Project
  6. 6. ESDIN project info (www.esdin.eu) Interactive Instruments Bundesamt für Kartographie und Geodäsie Lantmäteriet National Technical University of Athens IGN Belgium Bundesamt für Eich- und Vermessungswesen Universität Münster EDINA, University Edinburgh National Agency for Cadastre and Real Estate Publicity Romania Helsinki University of Technology IGN France Kadaster Kort & Matrikelstyrelsen Geodan Software Development & Technology 1Spatial The Finnish Geodetic Institute National Land Survey of Finland Institute of Geodesy, Cartography and Remote Sensing Statens kartverk EuroGeographics
  7. 7. Why put effort into federated access control? • Authentication is the process of verifying that claims made concerning a subject, eg, identity, who is attempting to access a resource are true, ie, authentic • Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, data • The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler • Even more so if removing some of the barriers to interoperability…
  8. 8. Shibboleth • Internet2 consortium • Open source package for web Single Sign On across admin boundaries based on standards: – Security Assertion Markup Language (SAML) • Organisations can exchange user information and make security assertions by obeying privacy policies • Small coordination centre, large federation of organisations (service and identity providers) • Devolved authentication – maintain and leverage existing user management • Enables finer grained authorisation through use of attributes • Many Shibboleth Access Management Federations across Globe
  9. 9. SP SPIdP IdP IdP IdP SP SP SP SP SP SP SP SPSP Coordinating Centre Federation Service Providers Identity Providers Users Organisations IdP IdP SP SP
  10. 10. Why put effort into federated access control round OGC Web Services? • Requested by the commission to focus on testing practical existing solutions • Opportunity to build on earlier work undertaken by same team (JISC funded SEE-GEO project) – Showed Shibboleth Access Control around WMS • Key findings current work; the solution required: – No changes to the OWS interface specifications – No changes to the core mainstream Shibboleth – BUT, does require changes to OWS desktop clients
  11. 11. IdP IdP IdP IdP INSPIRE Federation OWS Providers Member State organisations, eg, NMCAs IdP IdP WMS Key organisations, eg. EEA, JRC WMS WMS WMS WMS WMS WFS WFS WFS WFS WFS WFS
  12. 12. What we set out to do in this IE • Provide the OGC community with the opportunity to demonstrate their desktop client software being capable of consuming OWS within Shibboleth Access Management Federations – Protected ESDIN Federation OWS to develop against – Reference implementation of desktop client • Result: a variety of different clients capable of undergoing the Shibboleth/SAML interactions – Browser based clients, ie OpenLayers based – Desktop based clients • Result: a better understanding of the issues
  13. 13. OGC Interoperability Experiment • IEs are part of the OGC Interoperability program, which includes other activities, such as Pilots and Testbeds. • The IE is focused on an interoperability issue related to the OGC Technical Baseline. • The IE completion timeframe is reasonable (4-6 months). • The IE is “lightweight” – focuses on a single interoperability issue. • All materials, documents, lessons learned, and other findings developed as a result of the IE will be shared with the OGC membership. • The expected results: Engineering Report, Best Practice Report, and Change Requests.
  14. 14. What we intend to do today • Show these clients in action • But note. Aggressive timeline. The Kickoff telcon was on Sept 30th , ie, seven weeks ago. • Different clients, some browser based, some desktop, accessing various WMS and WFS • Series of Single Sign On scenarios The best-laid schemes o' mice an' men Gang aft agley, (Robert Burns)
  15. 15. Example: Desktop Client, WMS SSO, Desktop Client, WmS EDINA Cadcorp Envitia 1 Attempt access protected service User not previously authenticated 2 User picks IdP 3 Authenticates 4 Demonstrates access to data 5 Attempts access different protected services within the Federation Already authenticated 6 Demonstrates access to data
  16. 16. OGC Web Services Shibboleth Interoperability Experiment Some housekeeping • Audio separate from webinar. Phone in on: +1 512 225 3050 Participant Code: 55699# • Please mute if not speaking and in conversation with colleagues, or in a busy room, etc. • Submit questions via the “chat” pod. Will collate these and get through as many as possible at the end. • Session is being recorded

×