1. GEOSS AIP History with Authentication and SSO
Prepared by Steven F. Browdy for COBWEB Meeting
2. Introduction
• Authentication and SSO first raised in the AIP-3 effort:
– March – December, 2010
– Included in the Data Sharing Guidelines Working Group activities
– Considered research and a secondary focus
• Authentication and SSO not addressed in the AIP-4 effort:
– AIP-4 was reserved for a special development effort leading to the 2011 GEO Plenary meeting
• Authentication and SSO addressed in the AIP-5 effort:
– May – December, 2012
– Included in the Data Sharing Working Group activities
– Considered a priority by the GEO Infrastructure Implementation Board (IIB)
3. AIP-3 Effort
• Suggested by work in the GEO Data Sharing Task Force (DSTF) on the Data Sharing Implementation Guidelines
• Avoid impact on the GEOSS Common Infrastructure (GCI) as much as possible
• Avoid heavy impact on data providers
• Focused on open standards
– Researched OpenID
– Researched Shibboleth
4. AIP-3 Effort
• Possible strategies considered
– Federated solution between data providers
– Centralized solution using a GCI component
– Both strategies have some impact on the data providers
– Needs to work in a programmatic way, as well as interactively with a user
• Recommendation
– Implement a central GCI component utilizing remote OpenID identity servers
– Design appropriate service interfaces to support the interactions between the central GCI component, the GEOSS users, and the GEOSS data providers
– Continue to work with the DSTF for guidance
5. AIP-5 Effort
• User authentication is a 2012 IIB priority
• Goal is to operationalize authentication and SSO in 2013
– Test recommendations during AIP-6
– Engage data providers
– Disseminate the process for the greater GEOSS architecture
• AIP-5 research (continued from AIP-3)
– OpenID and SAML2 to be used for authentication and SSO
– The idea of a “GEOSS User” is being considered to support data use metrics within GEOSS
– Use cases developed
6. AIP-5 Effort
• Use cases
– Registration for Authentication via OpenID
– Registration as OpenID user for Authentication via SAML2
– Organizational user for Authentication via SAML2
– Identification as “GEOSS User” During Registration
– OpenID-Protected Data Access via OpenID Authentication
– SAML2-Protected Data Access via OpenID Authentication
– OpenID-Protected Data Access via SAML2 Authentication
– SAML2-Protected Data Access via SAML2 Authentication
– Registering and Modifying a New Identity or Service Provider
7. AIP-5 Effort
• Recommendations
– Federated solution (lightest impact on the GCI)
– Data provider support for a set of “trusted” OpenID identity servers to be used with SAML2 user management systems
• The USA has such a list
• Discussions planned for the INSPIRE list
– Authentication is the current primary goal
• Access control is a future interest
– User interaction is the current primary goal
• Programmatic authentication is a future interest