Shibboleth Access Management Federations as an Organisational Model for SDI
C.I. Higgins, M. Koutroumpas, A. Seales, EDINA National Datacentre, Scotland
A. Matheus, University of the Bundeswehr, Germany
INSPIRE Conference 2011, Wednesday 29th June
ESDIN Project
An eContentplus Best Practice Network project
Resourced EDINA to investigate ESDI and access control, principally using OGC Interoperability Experiments
September 2008 to March 2011
Coordinated by EuroGeographics
Key goal: help member states prepare their data for the INSPIRE Annex 1 spatial data themes and improve access
Being taken forward as the European Location Framework
ESDIN project partners (www.esdin.eu):
Interactive Instruments; Bundesamt für Kartographie und Geodäsie; Lantmäteriet; National Technical University of Athens; IGN Belgium; Bundesamt für Eich- und Vermessungswesen; Universität Münster; EDINA, University of Edinburgh; National Agency for Cadastre and Real Estate Publicity, Romania; Helsinki University of Technology; IGN France; Kadaster; Kort & Matrikelstyrelsen; Geodan Software Development & Technology; 1Spatial; The Finnish Geodetic Institute; National Land Survey of Finland; Institute of Geodesy, Cartography and Remote Sensing; Statens kartverk; EuroGeographics
EDINA
A National Data Centre for Tertiary Education since 1995, "to enhance the productivity of research, learning and teaching in UK higher and further education" (mission statement)
Focus is on services, but EDINA also undertakes R&D
Shibboleth is used primarily in the academic sector:
https://www.aai.dfn.de/links/
https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
EDINA provides technical support in the operation of the UK Access Management Federation
Approx. 8 million users; 837 member organisations (IdPs and SPs)
So what's the problem?
Many of the most valuable SDI resources are protected
These resources are frequently in different administrative domains
Example: Article 19 of the INSPIRE Directive: "…Member States may limit public access…", etc.
No widely accepted standard for securing these protected geospatial resources
Consequence: lots of point solutions
Major interoperability barrier, e.g. how can a cross-border application consume protected OWS while having to deal with multiple different access control mechanisms?
Make everything open? or Scale back ambitions? or Access Management Federations (AMFs)? or, …?
What can AMFs do for us?
Fundamental requirement: information on who is accessing your valuable resource = authentication
An AMF allows secure sharing of authentication information across administrative domains
The members of the federation form a circle of trust and agree to a set of policies and technologies
Allows Single Sign On:
My cross-border application can now access a protected resource in country A: I am challenged for credentials, I authenticate, and I get access if authorised.
Now I can also access additional federation resources (if authorised) in countries A, B, C, …, without needing to re-authenticate
One Way - Shibboleth
Internet2 consortium
Open source package for web Single Sign On across administrative boundaries, based on standards: Security Assertion Markup Language (SAML)
Organisations can exchange user information and make security assertions while obeying privacy policies
Devolved authentication: maintain and leverage existing user management
Enables finer-grained authorisation through use of attributes
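The Single Sign On flow sketched above, as an added example that is not code from the ESDIN project or from the Shibboleth software. It models SAML 2.0 Web Browser SSO with one home Identity Provider and Service Providers in two countries: the principal is challenged once at the IdP, the IdP session then satisfies the second SP's authentication request, and each SP checks what a Shibboleth SP checks before trusting an assertion (signature, issuer, audience, InResponseTo, validity window, replay). Entity IDs, the user, and the HMAC used as a stand-in for XML-DSig are assumptions; a real IdP signs with a certificate published in the federation metadata.

```python
"""Toy SAML 2.0 Web Browser SSO (SP-initiated): one home IdP, SPs in two countries."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Assertion:  # the subset of SAML assertion fields that the SP checks
    issuer: str            # IdP entityID
    audience: str          # SP entityID the assertion is addressed to
    in_response_to: str    # ID of the AuthnRequest it answers
    assertion_id: str
    subject: str
    attributes: dict
    not_on_or_after: float
    signature: str = ""


def _sign(key: bytes, a: Assertion) -> str:
    # Stand-in for XML-DSig: an HMAC over every field the SP relies on.
    msg = "|".join([a.issuer, a.audience, a.in_response_to, a.assertion_id, a.subject,
                    repr(sorted(a.attributes.items())), str(a.not_on_or_after)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdentityProvider:
    # Authenticates once; while the browser holds the IdP session it issues assertions
    # to any SP listed in the federation metadata. That session is what gives SSO.
    def __init__(self, entity_id, key, users, federation_sps):
        self.entity_id, self.key, self.users = entity_id, key, users  # users: name -> (pw, attrs)
        self.federation_sps, self.sessions, self.password_checks = federation_sps, {}, 0

    def login(self, username, password):
        self.password_checks += 1
        if not hmac.compare_digest(self.users.get(username, ("", {}))[0], password):
            raise PermissionError("bad credentials")
        cookie = secrets.token_hex(16)                      # IdP session cookie
        self.sessions[cookie] = username
        return cookie

    def issue(self, sp_entity_id, request_id, cookie):
        if sp_entity_id not in self.federation_sps:
            raise PermissionError("SP is not in the federation metadata")
        if cookie not in self.sessions:
            return None                                     # no session: show login page
        user = self.sessions[cookie]
        a = Assertion(self.entity_id, sp_entity_id, request_id, "_" + secrets.token_hex(16),
                      user, dict(self.users[user][1]), time.time() + 300)
        a.signature = _sign(self.key, a)
        return a


class ServiceProvider:
    # Shibboleth-SP-like consumer sitting in front of a protected OWS.
    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.outstanding, self.seen = set(), set()          # open AuthnRequest IDs; replay cache

    def start_sso(self):
        self.outstanding.add(request_id := "_" + secrets.token_hex(16))
        return request_id

    def consume(self, a):
        for ok, why in [
            (hmac.compare_digest(_sign(self.idp_key, a), a.signature), "signature does not verify"),
            (a.issuer == self.idp_entity_id, "unexpected issuer"),
            (a.audience == self.entity_id, "assertion addressed to a different SP"),
            (a.in_response_to in self.outstanding, "unsolicited response or unknown request ID"),
            (time.time() < a.not_on_or_after, "assertion expired"),
            (a.assertion_id not in self.seen, "assertion replayed"),
        ]:
            if not ok:
                raise ValueError(why)
        self.outstanding.discard(a.in_response_to)
        self.seen.add(a.assertion_id)
        return a.subject, a.attributes


def run_cross_border_sso():
    key = secrets.token_bytes(32)  # stands in for the IdP signing certificate in metadata
    sp_ids = {"https://wms.example-a.gov/shibboleth", "https://wfs.example-b.gov/shibboleth"}
    idp = IdentityProvider("https://idp.example-home.org/shibboleth", key,
                           {"alice": ("correct horse", {"affiliation": "staff"})}, sp_ids)
    sp_a = ServiceProvider("https://wms.example-a.gov/shibboleth", idp.entity_id, key)
    sp_b = ServiceProvider("https://wfs.example-b.gov/shibboleth", idp.entity_id, key)
    req_a, cookie = sp_a.start_sso(), None                  # country A: redirect to IdP
    if idp.issue(sp_a.entity_id, req_a, cookie) is None:    # no IdP session yet
        cookie = idp.login("alice", "correct horse")        # the one credentials challenge
    subject_a, attrs_a = sp_a.consume(idp.issue(sp_a.entity_id, req_a, cookie))
    req_b = sp_b.start_sso()                                # country B: session cookie suffices
    subject_b, _ = sp_b.consume(idp.issue(sp_b.entity_id, req_b, cookie))
    try:                                                    # assertion for SP A presented to SP B
        sp_b.consume(idp.issue(sp_a.entity_id, sp_a.start_sso(), cookie))
        cross_sp_rejected = False
    except ValueError:
        cross_sp_rejected = True
    return {"subject_a": subject_a, "subject_b": subject_b, "affiliation": attrs_a["affiliation"],
            "password_checks": idp.password_checks, "cross_sp_rejected": cross_sp_rejected}
```

Running `run_cross_border_sso()` shows one password check for two protected resources in two administrative domains, and that an assertion addressed to SP A is useless at SP B because the audience does not match; the per-SP `outstanding` set and `seen` cache are what stop unsolicited and replayed responses.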
[Diagram: a Federation with a Coordinating Centre; Users belonging to member Organisations authenticate at their home Identity Provider (IdP) and access the federation's Service Providers (SP)]
"Twelve required attributes for a solution to securing SDI"
Paper submitted to the International Journal of Spatial Data Infrastructures Research to accompany this presentation
Premise: a concomitant security infrastructure is necessary to realise SDI objectives where protected resources are involved
Table 1 posits:
1. Based on open security interoperability standards: Security Assertion Markup Language (SAML) from OASIS
2. Works across administrative domains: the fundamental reason for Access Management Federations
3. Single Sign On: the basic use case for SAML. Principals authenticate at one web site, access the resource of interest, and are then able to access additional protected resources at other web sites without having to re-authenticate
4. Does not require any changes to the OGC interfaces being protected. OGC Interoperability Experiments have demonstrated use with a range of familiar industry implementations, e.g. GeoServer, MapServer, Snowflake. No need for SOAP bindings
5. Requires minimal changes to the OGC Web Service clients. Reference implementation available. Six organisations made the changes through the OGC Interoperability Experiment; some products are now commercially available. Browser clients are relatively easy, desktop clients harder. Took weeks, not months
6. Proven production strength: already in daily use by millions, possibly already in your country
7. Satisfies data privacy requirements. Open question: what set of SAML assertions is required for pan-European SDI authorisation decisions?
8. Flexible, in order to accommodate a wide variety of different use cases. Different SAML workflows: portal flow, service provider flow. SAML is already used by the GI community, e.g. the European Space Agency "User Management Interfaces for Earth Observation Services". Where are the interoperability points?
9. Should be an open source "reference implementation": Shibboleth
10. Not geospatial specific and in widespread mainstream IT use. Leverage broad participation in technology development; stay as flexible as possible; maximise the potential for interoperability
11. Should, in so far as is possible, be built on information systems already in place. Huge amount of prior investment in identity management; organisations know best how to manage their users. Many Shibboleth federations are already in place in the academic sector across Europe: a source of expertise and collaboration, and a potentially extremely valuable interoperability link across sectors
12. Should not be centralised. No huge databases of user credentials; needs to be decentralised to scale
From the European Interoperability Framework for Pan-European eGovernment Services (http://ec.europa.eu/idabc/servlets/Docb0db.pdf?id=31597)
Hard
[Diagram: an INSPIRE Federation with a Coordinating Centre; OWS Providers (WMS and WFS) run by Member State organisations, e.g. NMCAs, and by key organisations, e.g. EEA, JRC; IdPs for the participating organisations]
Some options for going forward:
One federation, and every legally mandated organisation joins
Multiple federations: one in each country and one pan-European
One federation, one organisation in each country: the INSPIRE point of contact joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services
Multiple federations: one in each country, with inter-federation interoperability ensuring SSO
All material will be available from: http://igibs.blogs.edina.ac.uk/inspire2011/
Comments, questions, suggestions, etc. on the blog are very welcome
Or email: [email_address]

Editor's Notes

  1. Refer to other ESDIN presentations during the conference
  2. A good example of how EU-funded projects might interact with the OGC. Mention that the main use case is key users accessing pan-European large-scale reference data from NMCAs.
  3. Even if all data is open (free-of-charge online access), you often still need to know who is accessing it. And some data will never be completely open due to personal privacy issues, e.g. cadastral parcels?
  4. Make the scope clear, e.g. not licensing, GeoRM, authZ, etc. Framework agreements.
  5. Not the only available technology, eg, OpenID
  6. This diagram adapted from the Switch website
  7. Some obvious, but rattle through anyway
  8. Not officially recognised as such
  9. True for both SAML and Shibboleth Don’t go down a geospatial rathole
  10. True for both SAML and Shibboleth
  11. True for both SAML and Shibboleth
  12. Technically doable, now move on Financial implications
  13. Access Management Federations (AMFs) provide a practical organisational model for operational SDI. Shibboleth is production strength. Small centre, big network of organisations. A fundamental SDI requirement demonstrated. Additional SDI organisational requirements could be layered on top of the AMF, e.g. governance. Needs changes to the clients, but not to the services or to Shibboleth. A potential INSPIRE-compliant approach for establishing operational-strength access control, to ensure the data provided is only available to legitimate government agencies!