Practical Approaches to Web Services Authentication
72nd OGC Technical Committee
Frascati, Italy
Fiona Culloch
March 9, 2010
Sponsored and hosted by ESA/ESRIN
OGC®
Federated Authentication
[Screenshot slides of the browser-based flow; only the slide titles survive:]
• User Selects Identity Provider
• Enters Credentials at IdP
• Logged in to Service Provider
Browser-Based Federation Mature
• Implementations
  – Open-source
    • Shibboleth
    • SimpleSAMLphp, …
  – Commercial
    • OpenAthens
    • Sun
    • Novell, …
• Policy infrastructure
  – Many national federations
But…
• Doesn’t work for non-browser clients!
Why Not?
• The protocols (SAML) require:
  – HTTP redirection
  – Cookies
  – SSL/TLS
  – User input (usernames, passwords, etc.)
  – (X)HTML processing
• Web service clients may not support any of these!
  – (OGC Authentication IE client survey)
• Making IdP discovery/interaction impossible
One Solution Identified
• By UK JISC-funded EDINA project SEE-GEO (2006–08)
  – Initiated and led by EDINA geospatial team
  – With input from
    • AM Consult (Andreas Matheus)
    • UK federation (JISC/EDINA SDSS project)
    • Shibboleth Core Team (Chad La Joie)
Concept
• Separate
  – Client flow (XML over HTTP)
  – From browser authentication flow (HTML, SAML over HTTP)
• In the client flow
  – URI must contain valid token
  – Token validated by browser authentication flow
Authenticating Proxy (“Façade”)
[Diagram: the Client sends an XML-over-HTTP request to http://proxy/...438657..., the Façade forwards it to the OWS, and XML is returned to the Client]
Façade Has Two Faces
[Diagram: the Façade sits between the Client and the OWS and has a Shibboleth SP attached]
• Client face: Client requests http://url1/...438657... and receives XML
• Browser face: Browser opens http://url2/...438657..., the SP runs the SAML exchange, and HTML is returned to the Browser
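The token flow of the Concept and “Two Faces” slides, as an added example that is not part of the presentation nor of any SEE-GEO/WSTIERIA code: an in-memory façade whose browser face binds the SP-asserted user to a token, and whose client face admits a plain XML-over-HTTP request only when its URI carries a token that has been validated and has not expired. The URL layout (token as the first path segment), the eppn attribute name, the TTL and the stub OWS are assumptions.

```python
import secrets
import time
from urllib.parse import urlsplit

TOKEN_TTL = 600   # assumed policy: a token in a URI may end up in logs, so keep it short-lived
_tokens = {}      # constructed in-memory store: token -> {"user", "expires"}


def issue_token(now=None):
    """Mint the opaque token the client embeds in its façade URI.
    It is unusable until the browser face has bound a user to it."""
    now = time.time() if now is None else now
    tok = secrets.token_urlsafe(24)
    _tokens[tok] = {"user": None, "expires": now + TOKEN_TTL}
    return tok


def browser_face(token, sp_attributes, now=None):
    """Browser face (url2): reached only after the Shibboleth SP has run the
    SAML flow; sp_attributes stands in for what the SP hands the application.
    Binds the authenticated user to the token, validating it for the client."""
    now = time.time() if now is None else now
    rec = _tokens.get(token)
    if rec is None or now > rec["expires"]:
        return 404                       # unknown or stale token
    if not sp_attributes.get("eppn"):    # the SP must actually have a user
        return 403
    rec["user"] = sp_attributes["eppn"]
    return 200


def ows_backend(path, query):
    """Stand-in for the protected OWS (constructed): any request yields XML."""
    return f'<Capabilities path="{path}" query="{query}"/>'


def client_face(uri, now=None):
    """Client face (url1): XML over HTTP only, no redirects, cookies or HTML.
    Assumes the token is the first path segment: http://url1/<token>/wms?..."""
    now = time.time() if now is None else now
    parts = urlsplit(uri)
    head, _, rest = parts.path.lstrip("/").partition("/")
    rec = _tokens.get(head)
    if rec is None or now > rec["expires"]:
        return 401, "<ServiceExceptionReport>unknown or expired token</ServiceExceptionReport>"
    if rec["user"] is None:
        return 401, "<ServiceExceptionReport>token not yet validated</ServiceExceptionReport>"
    return 200, ows_backend("/" + rest, parts.query)
```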
Façade Separates Auth. from Application
• Façade: SAML, Fed., X.509, Auth. Policy, …
  – Sys. admin., Auth. policy (Someone else’s problem!)
• OWS: OWS, WMS, WFS, …
  – App. design, OGC standards, … (Your problem)
SEE-GEO Work Being Taken Forward
• In the OGC (1H 2010)
  – Authentication Interoperability Experiment
    • Interoperability testing
    • Investigate best choice of SAML protocols, bindings
• At EDINA
  – JISC-funded project WSTIERIA (2010)
    • Generalise from OWS to any WS
    • Abstract from SAML protocols, bindings to Shibboleth concept of “protected service”
Meanwhile, Elsewhere…
• Shibboleth Core Team / U. of Chicago have developed
  – Shibboleth extension for web services
    • Based on SAML 2.0 Enhanced Client Proxy (ECP)
    • Client libraries (for Java, …)
    • Supports N-tier use cases!
So Why Bother With Façade?
• No client library required
• SAML 2.x / Shibboleth 2.x not required
  – As of December 2009, only ~20% of UK federation IdPs supported SAML 2.0
• Few / zero client modifications required
• WSTIERIA taking both approaches forward