Shibboleth Access Management Federations and Secure SDI: ESDIN Experience


Presentation given by Chris Higgens at the Annual Infrastructure for Spatial Information in European (INSPIRE) Conference Krakow, Poland. 22 June 2010.

Speaker notes:
  • 15 mins + 5 mins questions
  • This slide explains in part how EDINA is interacting with European academia. Good stakeholder engagement, as the PTB is well representative of European academic SDI interest. Good coordination with key groups such as JRC, EuroSDR, GIGAS, etc. In relation to the ESDIN DoW: the network of universities matches expected results and success indicators; good match with target users and their needs; emphasis on persistence matches sustainability.
  • Introduce slide. ESDIN has 12 WPs. For more information, can refer people here to the website and to other ESDIN presentations and workshops that took place during the conference.
  • Not just SDI: many kinds of information infrastructure require access control. Typically, authentication is a pre-requisite; there are some use cases where you don't, eg, public. Barriers to interoperability include cost, vendor lock-in, lack of a support community, not being standards based, etc. Return later to those last points.
  • And this slide helps explain why ESDIN is putting effort in and which WP it is coming from. Emphasis is on implementation of services.
  • And we are concentrating on these services. The TC211/OGC stack underpins SDI and INSPIRE. First bullet is a quote from the Athens 10 WP11 meeting.
  • Mostly in the academic sector. Identity protected. Millions of users.
  • ESDIN contributing Shibboleth. As of the recent OGC TC (Silver Spring, Washington), indications are that the AuthN IE will continue? For how long? No OpenID; WS-Security for catalogue.
  • Federations are an obvious organisation model for SDI. The mainstream IdP Shibboleth download does not support ECP; a plugin is needed. No need to reinvent the wheel: the software is there, use it.
  • Access management federations and SDI
  • Close the application
  • Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

    1. Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment. C.I. Higgins, M. Koutroumpas, A. Seales, EDINA National Datacentre, Scotland; A. Matheus, University of the Bundeswehr, Germany. INSPIRE Conference 2010, Kraków, Friday, June 25
    2.
       • An eContent plus Best Practice Network project
       • Started September 2008. Ends March 2011
       • Coordinated by EuroGeographics
       • Key goal: help member states, candidate countries and EFTA States prepare their data for INSPIRE Annex 1 spatial data themes and improve access:
           • Administrative Boundaries
           • Cadastral Parcels
           • Hydrography
           • Transport Networks
           • Geographical Names
    3. ESDIN project info. Partners: Interactive Instruments; Bundesamt für Kartographie und Geodäsie; Lantmäteriet; National Technical University of Athens; IGN Belgium; Bundesamt für Eich- und Vermessungswesen; Universität Münster; EDINA, University of Edinburgh; National Agency for Cadastre and Real Estate Publicity, Romania; Helsinki University of Technology; IGN France; Kadaster; Kort & Matrikelstyrelsen; Geodan Software Development & Technology; 1Spatial; The Finnish Geodetic Institute; National Land Survey of Finland; Institute of Geodesy, Cartography and Remote Sensing; Statens kartverk; EuroGeographics
    4. EDINA
       • A National Data Centre for Tertiary Education since 1995
           • based at the University of Edinburgh, Scotland
       • Our mission: to enhance the productivity of research, learning and teaching in UK higher and further education
       • Focus is on service but also undertake R&D
           • turn projects into services
       • In ESDIN one of our roles is to try to represent the interests of the European academic sector, one of the identified target user groups
    5. European Persistent Testbed for Research and Teaching (PTB). Objectives:
       • To act as a research test-bed for collaborative European research in geospatial interoperability
       • To aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency and ease of use and extensibility
       • To provide an environment for teaching standards and techniques for geospatial interoperability
       • To provide a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as definition, testing, validation and development of open standards
    6. WP4: Data Access and Licensing Policy
       • Business model, pricing, licensing models
       • Goal: maximise the use and re-use of reference geodata
       • Define a data policy
       • Define a policy for Geo Rights Management
       • Also cover access issues such as: protection of IPR, security, access management, privacy, subscriptions
    7. Why put effort into federated access control?
       • Authentication is the process of verifying that claims made concerning a subject (eg, identity) who is attempting to access a resource are true, ie, authentic
       • Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data
       • The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler
       • Even more so if removing some of the barriers to interoperability…
    8. WP 11 Interoperability Services, Goals
       • 1. Develop Best Practices for building
           • INSPIRE-compliant content access services
               • View & Download
           • … focusing on functionalities for
               • Content transformations: CRS, Schema, Edge-matching, Generalisation
               • Geo Rights Management
               • Authentication
       • 2. Build services to provide access, in INSPIRE-compliant form:
           • Small scale / medium scale / large scale
    9. Why put effort into federated access control round OGC Web Services?
       • Requested by the Commission to focus on testing practical existing solutions
       • Opportunity to build on earlier work undertaken by the same team as is giving this presentation (JISC funded SEE-GEO project)
           • Demonstrated Shibboleth Access Control around WMS
       • Key findings of current work; the solution required:
           • No changes to the OWS interface specifications
           • No changes to the core mainstream Shibboleth
    10. Shibboleth
       • Internet2 consortium
       • Open source package for web Single Sign On across admin boundaries based on standards:
           • Security Assertion Markup Language (SAML)
       • Organisations can exchange user information and make security assertions by obeying privacy policies
       • Small coordination centre, large federation of organisations (service and identity providers)
       • Devolved authentication: maintain and leverage existing user management
       • Enables finer grained authorisation through use of attributes
       • Many Shibboleth Access Management Federations across the globe
    11. OGC Interoperability Experiments
       • Intended as a relatively simple, low overhead means for OGC members to get together and advance specific technical objectives within the OGC baseline
       • Facilitated by OGC staff
       • More lightweight than the OGC Web Services initiatives
       • Focussed on specific interoperability issues
       • Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations
       • Duration normally around 6 months
    12. Authentication IE
       • OpenGIS Project Document 09-092r1
       • Test standard ways of authentication between OGC clients and OGC Web Services
       • Intended that the following mechanisms would be tested:
           • HTTP Authentication
           • HTTP Cookies
           • SSL/X509, SAML
           • Shibboleth
           • OpenID
           • WS-Security
       • Main output an OGC Engineering Report
    13. Status: ESDIN Partners Participation
       • ESDIN test federation established
       • Cooperating NMCAs so far:
           • KMS (Denmark)
           • Kadaster (Netherlands)
           • Lantmäteriet (Sweden)
           • Fomi (Hungary)
       • 2 clients interoperable:
           • OpenLayers (browser)
           • OpenJump, SAML Enhanced Client or Proxy profile (desktop)
       • Shibboleth being integrated into ESDIN client under development by GeoDan
    14. Status: PTB Participation
       • Access Management Phase 2 responses from:
           • EDINA, University of Edinburgh
           • FIUGINET (Finnish Universities Geoinformatics Network) and CSC, IT Center for Science Ltd
           • Technical University of Dresden
           • Centre for Geospatial Science, University of Nottingham
       • Pre-conference PTB workshop in association with AGILE 2010 discussing outcomes of the phase 2 CfP
       • Variety of OWS, including Web Processing Services
    15. Some results
       • Can use a production strength, standards based, widely used piece of open source software to share identity information and control access to OGC Web Services
       • Shibboleth used out of the box, but ECP not currently part of mainstream IdP Shibboleth
       • Not much effort to install
       • Single Sign On
       • No changes required to OGC Web Services
       • But changes do need to be made to the desktop client
    16. What's the significance of all this?
       • Access Management Federations (AMF) provide a practical organisational model for operational SDI
       • Shibboleth is production strength
       • Small centre, big network of organisations
       • A fundamental SDI requirement demonstrated
       • Additional SDI organisational requirements could be layered on top of the AMF, eg, governance
       • Needs changes to the clients, but not the services or Shibboleth
       • Potential INSPIRE compliant approach for establishing operational strength access control to ensure data provided is only available to legitimate government agencies!
    17. Next steps…
       • Show the kind of thing a SSO federation that allows NMCAs to securely grant access to each other's harmonised data enables
       • Include a demonstration of PTB universities securely accessing ESDIN data
       • Based on outputs, an ESDIN Best Practice document
       • Make the client software we have created openly available
       • Consider what SAML assertions are necessary to make these kinds of pan-European authorisation decisions
       • Consider cross-federation interoperability issues
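As an added illustration of the finer-grained, attribute-based authorisation that slide 10 credits to Shibboleth, and of the question slide 17 raises about which SAML assertions a pan-European authorisation decision needs, the following Python is not ESDIN project code. It assumes the Shibboleth SP has already validated the assertion's signature and exposes its contents to the OGC Web Service, and it uses a constructed assertion, a hypothetical per-layer policy and example organisation domains.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation

# Constructed, unsigned assertion fragment of the kind a Shibboleth IdP issues (sample input).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2010-06-25T09:00:00Z" NotOnOrAfter="2010-06-25T10:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://wms.example.org/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>member@ed.ac.uk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical policy: which home organisations (scope part of the affiliation) may read which layer.
LAYER_POLICY = {
    "administrative_boundaries": {"ed.ac.uk", "tu-dresden.de", "kms.dk"},
    "cadastral_parcels": {"kms.dk", "kadaster.nl"},
}


def _ts(value):
    # SAML timestamps are UTC with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract validity window, audiences and attribute values from an assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    attrs = {}
    for att in root.findall(".//saml:Attribute", NS):
        attrs[att.get("Name")] = [v.text for v in att.findall("saml:AttributeValue", NS)]
    return {"not_before": _ts(cond.get("NotBefore")),
            "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
            "audiences": {a.text for a in root.findall(".//saml:Audience", NS)},
            "attributes": attrs}


def authorise(assertion, sp_entity_id, layer, now):
    """Decide a GetMap request for `layer`; returns (allowed, reason)."""
    if sp_entity_id not in assertion["audiences"]:
        return False, "assertion not addressed to this service provider"
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        return False, "assertion outside its validity window"
    values = assertion["attributes"].get(SCOPED_AFFILIATION, [])
    scopes = {v.split("@", 1)[1] for v in values if "@" in v}  # home organisation of each value
    if scopes & LAYER_POLICY.get(layer, set()):
        return True, "affiliation scope permits layer"
    return False, "no released affiliation grants access to layer"
```

The audience and validity checks are what stop an assertion issued for one service provider, or an expired one, from being replayed against another; the scope check is where the federation's attribute release, not the OWS, carries the authorisation decision.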
    18.
       • Any questions?
       • [email_address]