Inspire2011 shibb am_fs_paper_v3
Shibboleth Access Management Federations as an Organisational Model for SDI
C.I.Higgins, M.Koutroumpas, A.Seales, EDINA National Datacentre, Scotland
A.Matheus, University of the Bundeswehr, Germany
INSPIRE Conference 2011, Wednesday 29th June
Slide 2
ESDIN Project
• An eContentplus Best Practice Network project
• Resourced EDINA to investigate ESDI and Access Control
– Principally using OGC Interoperability Experiments
• September 2008 to March 2011
• Coordinated by EuroGeographics
• Key goal: help member states prepare their data for INSPIRE Annex 1 spatial data themes and improve access
• Being taken forward as the European Location Framework
Slide 3
ESDIN project info (www.esdin.eu)
Interactive Instruments
Bundesamt für Kartographie und Geodäsie
Lantmäteriet
National Technical University of Athens
IGN Belgium
Bundesamt für Eich- und Vermessungswesen
Universität Münster
EDINA, University of Edinburgh
National Agency for Cadastre and Real Estate Publicity Romania
Helsinki University of Technology
IGN France
Kadaster
Kort & Matrikelstyrelsen
Geodan Software Development & Technology
1Spatial
The Finnish Geodetic Institute
National Land Survey of Finland
Institute of Geodesy, Cartography and Remote Sensing
Statens kartverk
EuroGeographics
Slide 4
EDINA
• A National Data Centre for Tertiary Education since 1995, to enhance the productivity of research, learning and teaching in UK higher and further education (mission statement)
• Focus is on services, but also undertakes R&D
• Shibboleth is used primarily in the academic sector
– https://www.aai.dfn.de/links/
– https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
• EDINA provides technical support in the operation of the UK Access Management Federation
– Approx. 8 million users
– 837 Member Organisations (IdPs and SPs)
Slide 5
So what's the problem?
• Many of the most valuable SDI resources are protected
• These resources are frequently in different administrative domains
– Example: Article 13 of the INSPIRE Directive: "...Member States may limit public access..." etc.
• Many accepted standards exist for securing these protected geospatial resources, but there is no consensus on which to use
– Consequence: lots of point solutions
• Major interoperability barrier, e.g. how can a cross-border application consume protected OWS while having to deal with multiple different access control mechanisms?
– Make everything open? or
– Scale back ambitions? or
– Access Management Federations (AMFs)? or, ...?
Slide 6
What can Access Management Federations do for us?
• Fundamental requirement: information on who is accessing your valuable resource = authentication
• An AMF allows secure sharing of authentication information across administrative domains
• The members of the federation form a circle of trust and agree to a set of policies and technologies
• Provides Single Sign On
• My cross-border application can now access a protected resource in country A and be challenged for credentials at my home institution. I can then also access additional federation resources (if authorised) in countries A, B, C, ..., without needing to re-authenticate
Slide 7
One Solution - Shibboleth
• Internet2 consortium
• Open source package for web Single Sign On across administrative boundaries, based on standards:
– Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security assertions while obeying privacy policies
• Devolved authentication: maintain and leverage existing user management
• Enables finer grained authorisation through use of attributes
Slide 8
[Diagram: a federation with a Coordinating Centre at its hub; member Organisations operate Identity Providers (IdPs) and Service Providers (SPs); a user authenticates at their home IdP and then accesses SPs across the federation]
Slide 9
"Twelve required attributes for a solution to securing SDI"
• Paper submitted to the International Journal of Spatial Data Infrastructures Research to accompany this presentation
• Premise is that a concomitant security infrastructure is necessary to realise SDI objectives where protected resources are involved
• Table 1 posits:
Slide 10
1.Based on open security interoperability standards
– Security Assertion Markup Language (SAML) from OASIS
Slide 11
2.Works across administrative domains
– Fundamental reason for Access Management Federations
Slide 12
3.Single Sign On
– Basic Use Case for SAML
– Principals authenticate at one web site, access the resource of interest, and are then able to access additional protected resources at other web sites without having to re-authenticate
Slide 13
4. Does not require any changes to the OGC interfaces being protected
– OGC Interoperability Experiments have demonstrated use with a range of familiar industry implementations, e.g. GeoServer, MapServer, Snowflake
– No need for SOAP bindings
Slide 14
5. Requires minimal changes to the OGC Web Service clients
– SAML 2 ECP (Enhanced Client or Proxy) must be implemented
– Reference implementation available
– 6 organisations have made the changes through the OGC Interoperability Experiment
– Some products now commercially available
– Browser relatively easy, desktop harder
– Took weeks, not months
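The client-side change item 5 refers to is the SAML 2 ECP exchange: a non-browser OGC client asks the SP for a PAOS request, relays the AuthnRequest to the user's IdP over its own channel, and posts the IdP's response back to the SP. The following is an added example of that exchange, not code from the presentation or from the Shibboleth or ESDIN projects; the SP and IdP messages, the wms.example.org and attacker.example.net URLs and the RelayState value are constructed for the illustration, and HTTP transport, XML signature checking and assertion validation are left out. It also shows the check the ECP profile requires of every client: the AssertionConsumerServiceURL returned by the IdP must equal the responseConsumerURL the SP announced, otherwise the client must send the SP a SOAP fault rather than the assertion.

```python
"""Client side of the SAML 2.0 ECP exchange for a desktop OGC client (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"

# HTTP request headers that tell the SP "I speak ECP, do not redirect me to a login page".
ECP_REQUEST_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="%s";"%s"' % (NS["paos"], NS["ecp"]),
}

def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)

# Constructed sample: what a Shibboleth SP in front of a WMS returns to such a request.
SP_PAOS_REQUEST = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <S:Header>
    <paos:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
      service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
      responseConsumerURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP"/>
    <ecp:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1" IsPassive="false">
      <saml:Issuer>https://wms.example.org/shibboleth</saml:Issuer>
    </ecp:Request>
    <ecp:RelayState S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">ss:mem:a1b2c3</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2011-06-29T10:00:00Z"
      AssertionConsumerServiceURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP">
      <saml:Issuer>https://wms.example.org/shibboleth</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>"""

# Constructed sample: the IdP's answer once it has authenticated the user over the client's channel.
IDP_RESPONSE_OK = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header>
    <ecp:Response S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
      AssertionConsumerServiceURL="https://wms.example.org/Shibboleth.sso/SAML2/ECP"/>
  </S:Header>
  <S:Body>
    <samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2011-06-29T10:00:05Z">
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  </S:Body>
</S:Envelope>"""
# Constructed sample: the same response aimed at a different consumer, which is what an
# AuthnRequest altered between SP and IdP would produce.
IDP_RESPONSE_TAMPERED = IDP_RESPONSE_OK.replace(
    "https://wms.example.org/Shibboleth.sso/SAML2/ECP", "https://attacker.example.net/acs")

def parse_sp_request(envelope_xml):
    """Step 1: remember responseConsumerURL and RelayState, keep the AuthnRequest."""
    root = ET.fromstring(envelope_xml)
    paos_req = root.find("S:Header/paos:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not a PAOS/ECP request from the SP")
    return {
        "responseConsumerURL": paos_req.get("responseConsumerURL"),
        "relay_state": root.find("S:Header/ecp:RelayState", NS),
        "authn_request": authn,
    }

def build_idp_request(sp_req):
    """Step 2: send only the AuthnRequest to the IdP; the paos:/ecp: headers were
    addressed to the client (S:actor=next) and are not forwarded."""
    env = ET.Element(q("S", "Envelope"))
    ET.SubElement(env, q("S", "Body")).append(sp_req["authn_request"])
    return ET.tostring(env, encoding="unicode")

def build_sp_response(idp_envelope_xml, sp_req):
    """Step 3: relay the IdP's samlp:Response to the SP, after the ECP profile's
    mandatory check that the IdP's AssertionConsumerServiceURL equals the SP's
    responseConsumerURL.  Returns (ok, xml); on mismatch xml is a SOAP fault."""
    root = ET.fromstring(idp_envelope_xml)
    ecp_resp = root.find("S:Header/ecp:Response", NS)
    saml_resp = root.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        raise ValueError("not an ECP response from the IdP")
    env = ET.Element(q("S", "Envelope"))
    header = ET.SubElement(env, q("S", "Header"))
    body = ET.SubElement(env, q("S", "Body"))
    acs = ecp_resp.get("AssertionConsumerServiceURL")
    if acs != sp_req["responseConsumerURL"]:
        fault = ET.SubElement(body, q("S", "Fault"))
        ET.SubElement(fault, "faultcode").text = "S:Client"
        ET.SubElement(fault, "faultstring").text = "AssertionConsumerServiceURL mismatch: %s" % acs
        return False, ET.tostring(env, encoding="unicode")
    ET.SubElement(header, q("paos", "Response"), {q("S", "actor"): SOAP_NEXT, q("S", "mustUnderstand"): "1"})
    if sp_req["relay_state"] is not None:
        header.append(sp_req["relay_state"])  # echoed back unchanged so the SP can resume the original request
    body.append(saml_resp)
    # Either result is POSTed to sp_req["responseConsumerURL"] with Content-Type: application/vnd.paos+xml.
    return True, ET.tostring(env, encoding="unicode")
```

The comparison in step 3 is the one piece of security logic the client itself owns: the SP verifies the assertion's signature and audience, but only the client has seen both the URL the SP announced and the URL the IdP was asked to deliver to, so only the client can notice that the AuthnRequest was redirected in transit.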
Slide 15
6. Proven production strength
– Already in daily use by millions
– Possibly already in your country
Slide 16
7. Satisfies data privacy requirements
– What set of SAML assertions are required for pan-European SDI authorisation decisions?
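Slide 7 notes that Shibboleth enables finer grained authorisation through attributes, and item 7 asks which assertions a pan-European SDI decision actually needs. The following added example (not code from the presentation or from Shibboleth) shows an SP-side decision that needs no identifying attributes at all: an eduPersonScopedAffiliation plus an eduPersonEntitlement is enough, which is what keeps the attribute release policy privacy-friendly. The assertion, the IdP entity IDs and scopes, and the entitlement URN are constructed for the illustration; signature, audience and validity checks are assumed to have already been performed by the SP. The one check practitioners most often omit is included: a scoped value is only trusted if the issuing IdP is allowed to assert that scope according to federation metadata, otherwise any member IdP could claim users of any other.

```python
"""Attribute-based authorisation at a Shibboleth-protected OGC service (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard eduPerson attribute OIDs.  Decisions key on the Name, never on the
# informational FriendlyName, which the IdP may label however it likes.
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Constructed stand-in for the federation metadata (shibmd:Scope elements):
# the only scopes each IdP is permitted to assert.  An issuer not listed here is
# not a federation member and its assertions are refused outright.
IDP_SCOPES = {
    "https://idp.ign.example.fr/idp/shibboleth": {"ign.example.fr"},
    "https://idp.nls.example.fi/idp/shibboleth": {"nls.example.fi"},
}

# Constructed policy for one protected layer: an acceptable affiliation at a
# federation IdP AND the layer's entitlement.  No name, e-mail or persistent
# identifier is required for the decision.
HYDROGRAPHY_POLICY = {
    "affiliations": {"member", "employee", "staff"},
    "entitlements": {"urn:mace:inspire.example.eu:annex1:hydrography:read"},
}

# Constructed sample assertion as the SP would see it after validation.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2011-06-29T10:00:05Z">
  <saml:Issuer>https://idp.ign.example.fr/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tr9</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>employee@ign.example.fr</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:inspire.example.eu:annex1:hydrography:read</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return (issuer entityID, {attribute Name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return issuer, attrs

def valid_scoped_values(values, issuer):
    """Keep only value@scope pairs whose scope the issuing IdP may assert."""
    allowed = IDP_SCOPES.get(issuer, set())
    kept = []
    for value in values:
        if "@" not in value:
            continue
        local, _, scope = value.rpartition("@")
        if scope.lower() in allowed:
            kept.append((local, scope.lower()))
    return kept

def authorise(assertion_xml, policy):
    """Decide access for one layer.  Returns (granted, reason)."""
    issuer, attrs = extract_attributes(assertion_xml)
    if issuer not in IDP_SCOPES:
        return False, "issuer %s is not in federation metadata" % issuer
    affiliations = {local for local, _ in
                    valid_scoped_values(attrs.get(SCOPED_AFFILIATION, []), issuer)}
    if not affiliations & policy["affiliations"]:
        return False, "no acceptable affiliation asserted within %s's own scope" % issuer
    if not set(attrs.get(ENTITLEMENT, [])) & policy["entitlements"]:
        return False, "entitlement for this layer not held"
    return True, "granted via %s" % issuer
```

With a real Shibboleth SP the scope filtering is done for you by the attribute filter policy against the metadata, but the point stands for any SP implementation: a scoped value is only as trustworthy as the metadata statement that the issuer owns that scope.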
Slide 17
8. Flexible in order to accommodate a wide variety of different use cases
– Different SAML workflows
• Portal flow
• Service Provider flow
– SAML already used by the GI community
• European Space Agency "User Management Interfaces for Earth Observation Services"
• Where are the interoperability points?
Slide 18
9. Should be an open source “reference implementation”
– Shibboleth
Slide 19
10. Not geospatial specific and in widespread mainstream IT use
– Leverage broad participation in technology development
– Stay flexible as much as possible
– Maximise potential for interoperability
Slide 20
11. Should, in so far as is possible, be built on information systems already in place
– Huge amount of prior investment in identity management
– Organisations know best how to manage their users
– Many Shibboleth federations already in place in the academic sector across Europe
• A source of expertise, collaboration and a potentially extremely valuable interoperability link across sectors
Slide 21
12. Should not be centralised
– No huge databases of users' credentials
– Needs to be decentralised to scale
Slide 22
[Figure from the European Interoperability Framework for Pan-European eGovernment Services (http://ec.europa.eu/idabc/servlets/Docb0db.pdf?id=31597); the slide's annotation on the figure reads "Hard"]
Slide 23
[Diagram: proposed INSPIRE Federation with a Coordinating Centre; IdPs at Member State organisations, e.g. NMCAs, and at key organisations, e.g. EEA, JRC; OWS providers exposing WMS and WFS services]
Slide 24
Some options for going forward:
1. One federation, and every legally mandated organisation joins
2. Multiple federations: one in each country and one pan-European
3. One federation: one organisation in each country (the INSPIRE point of contact) joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in that country that are standing up INSPIRE services
4. Multiple federations: one in each country, with inter-federation interoperability ensuring SSO
Slide 25
All material will be available from:
http://igibs.blogs.edina.ac.uk/inspire2011/
Comments, questions, suggestions, etc, on blog very welcome
Or email: [email protected]