Some Academic Sector/NMCA outcomes from the OGC Web Service Shibboleth Interoperability Experiment



Presented by Chris Higgins at the International Cartographic Conference, Paris, July 2011

  • Watch timing. Original title: “Authentication and the Shibboleth Test”. Session is “C3-NMA day - Euro SDR: NMCAs, universities and private players gathered for applied research”, 1330, room 251.
  • Cannot assume all in audience know about Shibb. Mostly in the academic sector. Identity protected. Millions of users. Talk a bit about the ESDIN Federation.
  • Effectively, develop the European academic SDI.
  • Shibb IE related work emerged from the PTB. The testbed aspect was valued by the IE participants. Objectives have proven robust.
  • Even if all open (free of charge online access), often still need to know who is accessing the data. And some data will never be completely open due to personal privacy issues, eg, cadastral parcels?
  • Make scope clear, eg, not licensing, GeoRM, authZ, etc. Framework agreements.
  • This diagram adapted from the Switch website.
  • Not the only available technology, eg, OpenID. Effectively the reference implementation for SAML.
  • Access Management Federations (AMF) provide a practical organisational model for operational SDI. Shibboleth is production strength. Small centre, big network of organisations. A fundamental SDI requirement demonstrated. Additional SDI organisational requirements could be layered on top of the AMF, eg, governance. Needs changes to the clients, but not the services or Shibboleth. Potential INSPIRE compliant approach for establishing operational strength access control to ensure data provided is only available to legitimate government agencies!
  • Mention have not talked about SAML. Refer to INSPIRE paper.
  • No more than a rephrasing of the PTB Objectives? If the NMCAs find a new market then great.
  • Likely that multiple federations with no inter-federation interoperabi

    1. Some Academic Sector/NMCA outcomes from the OGC Web Service Shibboleth Interoperability Experiment. International Cartographic Conference, Paris, July 2011. Chris Higgins, IE Manager, [email_address]
    2. EDINA
       • A National Data Centre for Tertiary Education since 1995
       • To enhance the productivity of research, learning and teaching in UK higher and further education
       • Focus is on services but also undertake R&D
       • EDINA provides technical support in the operation of the UK Access Management Federation
         • Approx 8 million users
         • 837 Member Organisations
    3. ESDIN Project
       • European Spatial Data Infrastructure Network
       • An eContentplus Best Practice Network project
       • September 2008 to March 2011
       • Coordinated by EuroGeographics
       • Key goal: help member states prepare their data for INSPIRE Annex 1 spatial data themes and improve access
       • Being taken forward as the European Location Framework
    4. Steps towards...
       • Our users (students, lecturers, etc) getting access to INSPIRE compliant services:
         • for research
         • for education
       • Our UK users getting access to European data
       • And European academic sector users getting access to UK data
       • Better understanding of academia as a market for NMCA data
    5. Key vehicle - PTB
       • European Persistent Geospatial Test-Bed for Research and Teaching
         • /
       • A joint initiative between:
         • OGC
         • Association GI Laboratories Europe (AGILE)
         • EuroSDR
    6. PTB Objectives
       • To act as a research test-bed for collaborative European research in geospatial interoperability
       • To aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency and ease of use and extensibility
       • To provide an environment for teaching standards and techniques for geospatial interoperability
       • To provide a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as definition, testing, validation and development of open standards
    7. So what's the problem?
       • Many of the most valuable SDI resources are protected
       • These resources are frequently in different admin domains
         • Example: Article 19 of the INSPIRE Directive ”…Member States may limit public access…etc, etc”.
       • No widely accepted standard for securing these protected geospatial resources
         • Consequence: lots of point solutions
       • Major interoperability barrier, eg, how can a X-Border application consume protected OWS while having to deal with multiple different access control mechanisms?
         • Make everything open? or,
         • Access Management Federations (AMFs)? or, …?
    8. What can Access Management Federations do for us?
       • Fundamental requirement: information on who is accessing your valuable resource = authentication
       • An AMF allows secure sharing of authentication information across administrative domains
       • The members of the federation form a circle of trust and agree to a set of policies and technologies
       • Provides Single Sign On
       • My X-Border application can now access a protected resource in country A, be challenged for credentials at home institution. Now I can also access additional federation resources (if authorised) in country A, B, C, …, without needing to re-authenticate
    9. [Diagram labels: Federation, Coordinating Centre, Service Providers (SP), Identity Providers (IdP), Users, Organisations, “Authenticates here”]
    10. One Solution - Shibboleth
       • Internet2 consortium
       • Open source package for web Single Sign On across admin boundaries based on standards:
         • Security Assertion Markup Language (SAML)
       • Organisations can exchange user information and make security assertions by obeying privacy policies
       • Devolved authentication – maintain and leverage existing user management
       • Enables finer grained authorisation through use of attributes
    11. [Diagram labels: INSPIRE Federation, Coordinating Centre, OWS Providers (WMS, WFS), IdPs, Member State organisations, eg, NMCAs, Key organisations, eg, EEA, JRC]
    12. What we set out to do in the Shibboleth IE
       • Previous work by the same team had shown it was possible to protect WMS with Shibb so that:
         • No mods required to OGC interfaces
         • No mods required to main Shibb download
         • BUT mods required to OWS clients
       • Provide OGC software producing community with means and opportunity of modifying OWS client software to be able to work with Shibboleth AMFs
       • Emphasis on desktop OWS client software
       • Provide participants with the opportunity to demonstrate their software in action
    13. Shibboleth IE - How
       • Use the test ESDIN Federation to provide participants with services to develop against
       • Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile
         • http://
       • Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile
       • Regular telcons
       • Technology Integration Experiment event
       • Workshop at INSPIRE 2011
    14. How has the academic sector helped
       • Shibboleth used primarily in academic sector
         • https:// /links/
       • The Persistent Testbed allowed the sector to provide a “united” front – valuable mandate
       • Academia is neutral; not selling anything, no hidden agenda. Our aim is to improve provision of services to European students
    15. Aiming for mutual benefits [Diagram labels: Public Sector, Academic sector, Virtuous Circle]
       • Real world SDI R&D requirements
       • Resources
       • Data
       • Better educated graduates
       • Future customers/employees used to using high quality public sector reference data via Geospatial Web Services
       • R&D requirements get met
    16. Some options for going forward:
       • One Federation and every legally mandated organisation joins
       • Multiple federations: one in each country and one pan-European
       • One federation: one organisation in each country, the INSPIRE point of contact, joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services
       • Multiple federations: one in each country and inter-federation interoperability ensures SSO
    17. Some priorities for going forward…
       • Take steps to encourage widespread use of Shibboleth for securing SDIs
       • Maximise benefits of connections between existing federations and emerging geospatial federations
       • Maintain and strengthen united academic sector bloc in respect of SDI development
       • Maintain dialogue and continue to collaborate with key organisations like EuroGeographics, JRC, EEA, etc
       • If use of Shibboleth for securing SDI operationalised:
         • good for students
         • good for business
         • good for content providers
         • good for Europe
    18. Questions? http:// / Additional comments, questions, suggestions, etc, on blog very welcome. Or email: [email_address]
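
Slides 12 and 13 state that OWS clients need modification to work with a Shibboleth federation, and that the reference desktop client follows the SAML ECP Profile. The sketch below is an added example, not code from the presentation or from the IE reference implementation: it shows the headers an ECP-capable client advertises and how it can tell an ECP challenge apart from a Web Browser SSO redirect, an HTML login page, or an ordinary OWS payload. Function names, host names and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PAOS_TYPE = "application/vnd.paos+xml"
PAOS_HEADER = ('ver="urn:liberty:paos:2003-08";'
               '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"')
NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

def ecp_headers(accept="image/png, text/xml"):
    """Headers a modified OWS client adds to tell the SP it can speak ECP."""
    return {"Accept": f"{accept}, {PAOS_TYPE}", "PAOS": PAOS_HEADER}

def classify(status, headers, body):
    """Return (kind, detail) for a response from a possibly protected OWS."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if status in (301, 302, 303, 307):
        # Web Browser SSO redirect: a desktop client without a browser stalls here.
        return "browser-sso-redirect", headers.get("Location", "")
    if ctype == PAOS_TYPE:
        if b"<!DOCTYPE" in body:  # untrusted XML: refuse DTDs outright
            return "rejected", "DTD in PAOS message"
        try:
            env = ET.fromstring(body)
        except ET.ParseError:
            return "rejected", "unparseable PAOS message"
        req = env.find("S:Header/paos:Request", NS)
        if req is None or env.find("S:Body/samlp:AuthnRequest", NS) is None:
            return "rejected", "not an ECP AuthnRequest"
        # Remember this URL: before delivering the assertion the client checks
        # that the IdP's reply names the same consumer URL.
        return "ecp-challenge", req.get("responseConsumerURL", "")
    if ctype == "text/html":
        return "html-login-page", ""  # login form served where map data was expected
    return "ows-payload", ctype

# Constructed sample of an SP challenge (hosts and IDs are placeholders).
SAMPLE_CHALLENGE = b"""<S:Envelope
 xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:paos="urn:liberty:paos:2003-08"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <S:Header><paos:Request service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
   responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/></S:Header>
 <S:Body><samlp:AuthnRequest ID="_constructed1" Version="2.0"
   IssueInstant="2011-07-01T00:00:00Z"/></S:Body>
</S:Envelope>"""

if __name__ == "__main__":
    print(ecp_headers())
    print(classify(200, {"Content-Type": PAOS_TYPE}, SAMPLE_CHALLENGE))
```

In the ECP flow the client posts the AuthnRequest to the IdP it is configured to trust, so user credentials go only to the home institution and never to the service provider.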