Shibboleth Federations and Secure SDI
DESCRIPTION
Presented by Chris Higgins at the INSPIRE Conference 2011, 27 June 2011
TRANSCRIPT
![Page 1: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/1.jpg)
WORKSHOP: Shibboleth Federations and Secure SDI: Outcomes and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment
Chris Higgins, IE Manager,
EDINA National Datacentre,
University of Edinburgh, Scotland
INSPIRE Conference 2011, Monday 27th June
![Page 2: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/2.jpg)
Workshop Agenda
| # | Time | Topic |
|---|---|---|
| 1 | 1600-1620 | Introduction |
| 2 | 1620-1640 | Member States investigating use of Shibb for their NSDIs |
| 3 | 1640-1710 | Demonstration of software working with the test Federation |
| 4 | 1710-1730 | Questions and concluding remarks |
![Page 3: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/3.jpg)
ESDIN Project
• Resourced EDINA's participation in OSI
• An eContentplus Best Practice Network project
• September 2008 to March 2011
• Coordinated by EuroGeographics
• Key goal: help member states prepare their data for INSPIRE Annex 1 spatial data themes and improve access
• Being taken forward as the European Location Framework
![Page 4: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/4.jpg)
ESDIN project info (www.esdin.eu)
Interactive Instruments
Bundesamt für Kartographie und Geodäsie
Lantmäteriet
National Technical University of Athens
IGN Belgium
Bundesamt für Eich- und Vermessungswesen
Universität Münster
EDINA, University of Edinburgh
National Agency for Cadastre and Real Estate Publicity Romania
Helsinki University of Technology
IGN France
Kadaster
Kort & Matrikelstyrelsen
Geodan Software Development & Technology
1Spatial
The Finnish Geodetic Institute
National Land Survey of Finland
Institute of Geodesy, Cartography and Remote Sensing
Statens kartverk
EuroGeographics
![Page 5: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/5.jpg)
EDINA
• A National Data Centre for Tertiary Education since 1995, "to enhance the productivity of research, learning and teaching in UK higher and further education" (mission statement)
• Focus is on services, but EDINA also undertakes R&D
• Shibboleth is used primarily in the academic sector
  – https://www.aai.dfn.de/links/
  – https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
• EDINA provides technical support in the operation of the UK Access Management Federation
  – Approx. 8 million users
  – 837 member organisations (IdPs and SPs)
![Page 6: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/6.jpg)
OGC Web Service Shibboleth Interoperability Experiment (OSI)
• OGC Interoperability Experiments are:
  – A simple, low-overhead means for OGC members to get together and advance specific technical objectives within the OGC baseline
  – Voluntary
  – Facilitated by OGC staff
• OSI press release inviting participation: 31st August 2010
• Technology Integration Experiment: 18th November 2010
• Draft version of the Engineering Report (OGC 11-019)
  – ER to be completed before the September 2011 OGC Technical Committee meeting
![Page 7: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/7.jpg)
So what's the problem?
• Many of the most valuable SDI resources are protected
• These resources are frequently in different administrative domains
  – Example: Article 19 of the INSPIRE Directive: "…Member States may limit public access…", etc.
• No widely accepted standard for securing these protected geospatial resources
  – Consequence: lots of point solutions
• Major interoperability barrier, e.g. how can a cross-border application consume protected OWS while having to deal with multiple different access control mechanisms?
  – Make everything open? or,
  – Access Management Federations (AMFs)? or, …?
![Page 8: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/8.jpg)
What can AMFs do for us?
• Fundamental requirement: information on who is accessing your valuable resource = authentication
• An AMF allows secure sharing of authentication information across administrative domains
• Members of a federation form a circle of trust and agree procedures to enable these cross-domain interactions
• Allows Single Sign On (SSO)
• My cross-border application can now access a protected resource in country A: I am challenged for credentials, I authenticate, and I get access if authorised. I can then access additional federation resources (if authorised) in countries A, B, C, …, without needing to re-authenticate
![Page 9: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/9.jpg)
One Way - Shibboleth
• Internet2 consortium
• Open source package for web Single Sign On across administrative boundaries, based on standards:
  – Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security assertions while obeying privacy policies
• Devolved authentication: maintain and leverage existing user management
• Enables finer-grained authorisation through use of attributes
![Page 10: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/10.jpg)
[Diagram: a Shibboleth federation. A Coordinating Centre sits between the federation's Service Providers (SPs) and Identity Providers (IdPs); Users belong to Organisations that run IdPs, and each user authenticates at their home IdP before being admitted to an SP]
![Page 11: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/11.jpg)
Why put effort into federated access control round OGC Web Services?
• Open geospatial interoperability standards underpin SDI
• OGC standards are agnostic about security
• Lack of a genuinely interoperable security solution is a major barrier in all sectors
• INSPIRE-like, the EU requested that the ESDIN project focus on testing practical existing solutions
  – Shibb integrates with existing identity management systems
  – Possibility of reusing existing member state federations and/or leveraging expertise
![Page 12: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/12.jpg)
What we set out to do in OSI
• Previous work by the same team had shown it was possible to protect WMS with Shibb so that:
  – No mods required to OGC interfaces
  – No mods required to the main Shibb download
  – BUT mods required to OWS clients
• Provide the OGC software-producing community with the means and opportunity to modify OWS client software so that it works with Shibboleth AMFs
• Emphasis on desktop OWS client software
• Provide participants with the opportunity to demonstrate their software in action
![Page 13: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/13.jpg)
OSI - How
• Use the test ESDIN Federation to provide OSI participants with services to develop against
• Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP (Enhanced Client or Proxy) Profile
  – http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
• Provide some technical support, e.g. with OpenLayers clients conformant with the SAML Web Browser SSO Profile
• Regular telcons
• OSI Technology Integration Experiment event
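What the "mods required to OWS clients" on slide 12 and the ECP Profile reference on slide 13 amount to in practice: a desktop client cannot follow a browser-style redirect to a login page, so it announces itself as ECP-capable, receives the SP's AuthnRequest inside a SOAP envelope, carries it to the IdP with its own credentials, and posts the IdP's response back to the SP before retrying the unchanged WMS request. The following is an added example, not code from the OSI Engineering Report, EDINA's reference client or the Shibboleth project. The SP, IdP, URLs, cookie name and user "alice" are constructed stand-ins so it runs offline; the ecp:Request and RelayState header blocks, Issuer elements and XML signatures are omitted. The one check it does not skip is the one the profile makes mandatory for the client: the AssertionConsumerServiceURL named by the IdP must equal the responseConsumerURL the SP asked for, otherwise the response is never delivered.

```python
# Added example (not code from the OSI Engineering Report, EDINA's reference client
# or the Shibboleth project): a minimal SAML 2.0 ECP exchange as a desktop OWS client
# drives it against a Shibboleth-protected WMS.  The SP, IdP, URLs, cookie name and
# user "alice" are constructed stand-ins so it runs offline; signatures are omitted.
import base64
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/", "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PAOS_MIME = "application/vnd.paos+xml"
# The two request headers that mark a client as ECP-capable: an SP that sees them answers
# with a SOAP envelope instead of redirecting to a login page (Web Browser SSO profile).
PAOS_HEADERS = {"Accept": "text/html; " + PAOS_MIME,
                "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}
MU = {"{%s}mustUnderstand" % NS["S"]: "1"}  # SOAP header blocks the receiver may not ignore

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)  # Clark-notation tag name for ElementTree

def envelope(header_blocks, body_blocks):
    """Serialise a SOAP envelope with the given header and body elements."""
    env = ET.Element(q("S", "Envelope"))
    ET.SubElement(env, q("S", "Header")).extend(header_blocks)
    ET.SubElement(env, q("S", "Body")).extend(body_blocks)
    return ET.tostring(env)

class FakeSP:
    """Constructed stand-in for a Shibboleth SP in front of a WMS (hypothetical URLs)."""
    ACS = "https://wms.example.org/Shibboleth.sso/SAML2/ECP"

    def __init__(self):
        self.sessions = set()

    def get(self, url, headers, cookies):
        if cookies.get("_shibsession") in self.sessions:
            return 200, {"Content-Type": "text/xml"}, b"<WMS_Capabilities/>"
        assert PAOS_MIME in headers.get("Accept", ""), "non-ECP client: would be redirected"
        paos_req = ET.Element(q("paos", "Request"), dict(MU, responseConsumerURL=self.ACS,
                                                         service=NS["ecp"], messageID="msg-1"))
        authn = ET.Element(q("samlp", "AuthnRequest"), ID="req-1", Version="2.0",
                           IssueInstant="2011-06-27T16:00:00Z", AssertionConsumerServiceURL=self.ACS)
        return 200, {"Content-Type": PAOS_MIME}, envelope([paos_req], [authn])

    def post_acs(self, body):
        """Assertion consumer service; a real SP verifies the IdP's XML signature here."""
        resp = ET.fromstring(body).find("S:Body/samlp:Response", NS)
        if resp is None or resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            return 403, {}, b""
        self.sessions.add("sess-1")
        return 302, {"Set-Cookie": "_shibsession=sess-1"}, b""

class FakeIdP:
    """Constructed stand-in for an IdP ECP endpoint that takes HTTP Basic credentials."""
    USERS = {"alice": "correct horse"}

    def __init__(self, acs_url):
        self.acs_url = acs_url  # a test can pass a wrong URL to exercise the client's check

    def ecp(self, authorization, body):
        user, _, password = base64.b64decode(authorization.split(" ", 1)[1]).decode().partition(":")
        ok = self.USERS.get(user) == password
        authn = ET.fromstring(body).find("S:Body/samlp:AuthnRequest", NS)
        ecp_resp = ET.Element(q("ecp", "Response"), dict(MU, AssertionConsumerServiceURL=self.acs_url))
        resp = ET.Element(q("samlp", "Response"), ID="resp-1", Version="2.0", InResponseTo=authn.get("ID"))
        ET.SubElement(ET.SubElement(resp, q("samlp", "Status")), q("samlp", "StatusCode")).set(
            "Value", SUCCESS if ok else "urn:oasis:names:tc:SAML:2.0:status:Responder")
        return envelope([ecp_resp], [resp])

class ECPClient:
    """The part a desktop OWS client gains; the OGC request itself is unchanged."""

    def __init__(self, sp, idp, user, password):
        self.sp, self.idp, self.cookies = sp, idp, {}
        self.basic = "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

    def fetch(self, url):
        status, hdrs, body = self.sp.get(url, PAOS_HEADERS, self.cookies)
        if hdrs.get("Content-Type") != PAOS_MIME:
            return status, body  # session already established (or resource not protected)
        env = ET.fromstring(body)
        paos_req = env.find("S:Header/paos:Request", NS)
        wanted = paos_req.get("responseConsumerURL")
        # Only the AuthnRequest goes to the IdP; the PAOS header block was addressed to us
        idp_env = ET.fromstring(self.idp.ecp(self.basic, envelope([], [env.find("S:Body/samlp:AuthnRequest", NS)])))
        acs = idp_env.find("S:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")
        if acs != wanted:
            # ECP profile rule: deliver the response only where the SP asked for it; on a
            # mismatch the client must send a SOAP fault there instead and abort
            raise ValueError("IdP named ACS %s but SP asked for %s" % (acs, wanted))
        paos_resp = ET.Element(q("paos", "Response"), dict(MU, refToMessageID=paos_req.get("messageID")))
        status, hdrs, _ = self.sp.post_acs(envelope([paos_resp], [idp_env.find("S:Body/samlp:Response", NS)]))
        if status != 302:
            return status, b""
        self.cookies.update([hdrs["Set-Cookie"].split("=", 1)])
        return self.sp.get(url, PAOS_HEADERS, self.cookies)[::2]  # retry original request: (status, body)
```

Against a real deployment the two stand-ins become HTTPS calls: the SP must have ECP support enabled and the IdP must expose an ECP endpoint, and the client should verify the IdP's signature over the response (or, as most do, let the SP do it) and must never fall back to posting the response anywhere other than the SP's responseConsumerURL. Once the session cookie is held, every later WMS or WFS request from the same client is unchanged OGC traffic, which is why the server side and the OGC interfaces needed no modification.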
![Page 14: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/14.jpg)
OSI - Who
• 36 individuals registered on the Shibb OGC portal site
• EDINA, Snowflake, Cadcorp, Envitia, con terra/ESRI and the Joint Research Centre all modified their OWS client software or open source
• Federal Agency for Cartography and Geodesy (BKG) contributed another test Shibb federation they have been using for similar purposes
![Page 15: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/15.jpg)
Who modified what
Organisations: EDINA (open source), Snowflake, Cadcorp, con terra, JRC (open source), Envitia
Type of client, with the number of these six organisations whose modified client covers it:
• WMS: 5
• WFS: 4
• Desktop: 4
• Browser: 2
• Proxy: 2
![Page 16: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/16.jpg)
Technology Integration Experiment Webinar
• Afternoon of Thursday 18th November 2010
• Approx. 30 people turned up on the day
• EDINA, Snowflake, Cadcorp, Envitia, con terra and JRC demonstrated:
  – Different clients (desktop, browser, proxy)
  – Different services (WMS and WFS)
  – Different federations (ESDIN and BKG)
![Page 17: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/17.jpg)
OSI – Outcomes #1
• Using Shibboleth to protect OWS is practical
• Not particularly difficult on the server side
• Not particularly difficult with browser-based clients
• More subtle with desktop-based clients, but possible with some effort in a short space of time: weeks, not months
• This kind of "IE testbed" approach is appreciated by participating OGC members
• Operationalisation: community support and tooling will be available
![Page 18: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/18.jpg)
OSI/ESDIN Outcomes #2
From the European Interoperability Framework for Pan-European eGovernment Services (http://ec.europa.eu/idabc/servlets/Docb0db.pdf?id=31597)
[Figure reproduced from the EIF document; only the label "Hard" is legible]
![Page 19: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/19.jpg)
[Diagram: a proposed INSPIRE Federation. IdPs are run by Member State organisations, e.g. NMCAs, and by key organisations, e.g. EEA and JRC; the federation's OWS Providers expose WMS and WFS services; a Coordinating Centre sits at the centre of the federation]
![Page 20: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/20.jpg)
Some options for going forward:
1. One federation, and every legally mandated organisation joins
2. Multiple federations: one in each country and one pan-European
3. One federation: one organisation in each country, the INSPIRE point of contact, joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services
4. Multiple federations: one in each country, with inter-federation interoperability ensuring SSO
![Page 21: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/21.jpg)
All material will be available from:
http://igibs.blogs.edina.ac.uk/inspire2011/
Comments, questions, suggestions, etc, on blog very welcome
Or email: [email protected]
![Page 22: Shibboleth Federations and Secure SDI](https://reader035.vdocuments.mx/reader035/viewer/2022062419/558571ecd8b42a3d2c8b4b70/html5/thumbnails/22.jpg)
Workshop Agenda
| # | Time | Topic |
|---|---|---|
| 1 | 1600-1620 | Introduction |
| 2 | 1620-1640 | Member States investigating use of Shibb for their NSDIs |
| 3 | 1640-1710 | Demonstration of software working with the test Federation |
| 4 | 1710-1730 | Questions and concluding remarks |