Previous work on Access Management Federations

Previous work on Access Management Federations Andreas Matheus Secure Dimensions


Page 1: Previous work on Access Management Federations

Previous work on Access Management Federations

Andreas Matheus

Secure Dimensions

Page 2: Previous work on Access Management Federations

Previous work by this team

• SEE-GEO

• The eContentPlus ESDIN work

• OGC Web Services Shibboleth Interoperability Experiment

• German Spatial Data Infrastructure (Concept)


2007 ... 2012 ... 2016

Page 3: Previous work on Access Management Federations

SEE-GEO

• SEcurE access to GEOspatial services

• UK JISC funded process in 2007

• Cross border map (Germany / The Netherlands)

• Secure WFS with styled layer descriptor

– Depending on the style and the origin of the rescue centre, the map is loaded or access is denied


Page 4: Previous work on Access Management Federations

eContentPlus ESDIN

• eContentPlus project (http://www.esdin.eu/)

• Participants from all over Europe

• Establish a pan-European access management federation with NMCAs' services:

– OGC WMS

– OGC WFS

– ...


Page 5: Previous work on Access Management Federations

Shibboleth IE

• OGC Interoperability Experiment

– 2011

– OGC® Engineering Report for the OWS Shibboleth Interoperability Experiment

– https://portal.opengeospatial.org/files/?artifact_id=47852

• Objectives

– Use of the access management federation with OGC Web Services using SAML 2 authentication

– Implement the SAML 2 Enhanced Client or Proxy (ECP) Profile in a Desktop GIS product


Page 6: Previous work on Access Management Federations

Shibboleth IE

• OGC Interoperability Experiment 2011

• Participants

– Cadcorp, Envitia, con terra, snowflake, JRC

• Objective

– Connect to protected OGC Web Services provided by the ESDIN and German SDI prototype federations

– Implement the SAML 2 Enhanced Client or Proxy (ECP) Profile

• Result

– Desktop GIS: Cadcorp, Envitia, snowflake

– Browser based Client: JRC

– Client Proxy: con terra

Page 7: Previous work on Access Management Federations

INSPIRE 2011 Workshop

• INSPIRE annual conference 2011 Edinburgh

• Objective was to introduce the use of Access Management Federation with SAML2 to protect OGC Web Services

– Access Management Federation prototype

• The result confirmed that the introduced concept is INSPIRE conformant


Page 8: Previous work on Access Management Federations

Prototype Federation German SDI

• https://sp.gdi-de.org


Page 9: Previous work on Access Management Federations

Prototype Federation German SDI


[Figure: diagram of the prototype federation. Labels: SP GDI.DE (gdi-de.org); DS GDI.DE (gdi-de.org); GDI.BY (gdi-by.org); IHK Bavaria (win.bihk.de); Secure Dimensions (secure-dimensions.net); SP; IdP; "application loaded from"; "login with"; WMS GetMap; WMS GetFeatureInfo]

Page 10: Previous work on Access Management Federations

Conclusion from previous work

• Access Management Federation based on SAML is a productive solution for sharing protected resources in various countries around the world

– https://www.aai.dfn.de/links/ [German Federation]

• Strength

– Single-Sign-On support

– High level of assurance about real user identity

– Exchange of SAML user credentials supports privacy and anonymity of the user

– Managed list of trusted entities = federation


Page 11: Previous work on Access Management Federations

Conclusion from previous work

• Protected services can be consumed via

– Web Browser (e.g. OpenLayers) applications

– Desktop GIS applications

• Web Browser with full support (*1)

– IE 10, Google Chrome, Firefox, Safari

• Desktop GIS must implement SAML2 ECP

– Cadcorp and Envitia were tested successfully during Shibboleth IE

– QGIS (open source GIS) SAML2 extension provided by Secure Dimensions


*1: This is the list of tested web browsers

Page 12: Previous work on Access Management Federations

Thank You

It is important to do security right...

Secure Dimensions GmbH

Holistic Geosecurity

Dr. Andreas Matheus

Waxensteinstr. 28 D-81377 München, Germany

Phone +49 (0)89 38151813-0, Mobile +49 (0)160 1066366, Telefax +49 (0)89 38151813-9, Email [email protected], www.secure-dimensions.com
