AAA-architecture for INSPIRE Standards & technologies

Page 1: AAA-architecture for INSPIRE Standards & technologies

www.jrc.ec.europa.eu

Serving society – Stimulating innovation – Supporting legislation

Danny Vandenbroucke & Ann Crabbé, KU Leuven (SADL)

AAA-architecture for INSPIRE: Standards & technologies

Page 2: AAA-architecture for INSPIRE Standards & technologies

Outline

• Background & context

• Defining AAA and AMF

• Overview of relevant standards

• Overview of technologies

• AMF: how it works ...

Page 4: AAA-architecture for INSPIRE Standards & technologies

Background and context

• INSPIRE Directive entered into force 15 May 2007
  – Cross-border and cross-sector sharing of interoperable spatial data resources
  – SOA based architecture
  – 18.113 data sets – > 1316 providers
  – 7.088 services – > 1546 providers

Page 5: AAA-architecture for INSPIRE Standards & technologies

Background & context

• Public access to the spatial data through services
  – The goal is to have as few access barriers as possible (direct access, free, ...)
• Public access can be limited for particular reasons
  – Discovery service: only where “such access would adversely affect international relations, public security or national defence”
  – Viewing, download, ... services and e-commerce: because of IPR, privacy, protection of particular habitats, ...
  – E.g. downloading data can be set up through a controlled access mechanism and payment scheme
• Need for secure access ...

Page 7: AAA-architecture for INSPIRE Standards & technologies

AAA and AMF

• Defining AAA
  – Authentication: verification that a potential partner in a conversation is capable of representing a person or organisation
  – Authorisation: determination whether a subject is allowed to have the specified type of access to a particular resource
  – Accounting or rights management: tracking and controlling the use of content, rights, licences and associated information

Page 8: AAA-architecture for INSPIRE Standards & technologies

AAA and AMF

• Defining Access Management Federation
  – Federated authentication and local authorization
  – Actors: identity providers, service providers, Coordination Center

Page 9: AAA-architecture for INSPIRE Standards & technologies

AAA and AMF

• AMF is a dynamic concept
  – An organization can join the federation by applying to the coordination centre as a service provider, an identity provider or both
  – It becomes a trusted party: the CC checks technical compliance according to the policies and procedures of the federation
  – The CC will add the organization’s credentials to the federation metadata: an XML file hosted online by the CC that defines the circle of trust of the federation
  – Single Sign-On ensures that the user gets a session established with all service providers of the federation

Page 11: AAA-architecture for INSPIRE Standards & technologies

Standards

• There are many (related) standards
  – General ICT, with few exceptions
  – Communication, authentication, authorization

Page 12: AAA-architecture for INSPIRE Standards & technologies

Standards

• Secure communication
  – HTTP protocol (IETF RFC 2616) with an encryption protocol such as TLS (Transport Layer Security – IETF RFC 6176)
  – HTTPS (IETF RFC 2818)
• Authentication
  – Redirection to IdP, login, forward attributes to SP
  – Security Assertion Markup Language (SAML): protocol for communicating user authentication, entitlement and attribute information
  – Metadata: trusted SP & IdP, SAML endpoints, public keys, ...
  – OpenID exists as an alternative protocol
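The federation metadata described on the AMF slide (the CC-hosted XML file defining the circle of trust) and on this slide (trusted SP & IdP, SAML endpoints, public keys) can be turned into a trust registry that an SP consults before accepting an assertion. This is an added example, not code from the presentation or from any federation; the SAML 2.0 metadata document, entity IDs, endpoints and certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the metadata file a coordination centre would host.
# Entity IDs, endpoints and the certificate text are placeholders, not real values.
FEDERATION_METADATA = """<md:EntitiesDescriptor Name="urn:example:inspire-federation"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-IDP-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wfs.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wfs.example.org/sp/ACS" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_circle_of_trust(xml_text):
    """Map entityID -> federation roles, published signing certificates and SAML endpoints."""
    trust = {}
    for ent in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        entry = {"roles": set(), "signing_certs": set(), "endpoints": {}}
        for role, tag in (("IdP", "md:IDPSSODescriptor"), ("SP", "md:SPSSODescriptor")):
            desc = ent.find(tag, NS)
            if desc is None:
                continue
            entry["roles"].add(role)
            for kd in desc.findall("md:KeyDescriptor", NS):
                if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing and encryption
                    for cert in kd.findall(".//ds:X509Certificate", NS):
                        entry["signing_certs"].add("".join(cert.text.split()))  # normalise PEM whitespace
            for svc in desc.findall("md:SingleSignOnService", NS) + desc.findall("md:AssertionConsumerService", NS):
                entry["endpoints"][svc.get("Binding")] = svc.get("Location")
        trust[ent.get("entityID")] = entry
    return trust

def is_trusted_idp(trust, issuer, signing_cert):
    """Accept an assertion only if its Issuer is a federation IdP and the certificate
    that signed it is the one published for that IdP in the metadata."""
    entry = trust.get(issuer)
    return (entry is not None and "IdP" in entry["roles"]
            and "".join(signing_cert.split()) in entry["signing_certs"])
```

An SP that skips the certificate comparison and trusts any issuer whose entityID merely looks familiar is outside the circle of trust the CC defined, which is why the check keys on both the role and the published key.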

Page 13: AAA-architecture for INSPIRE Standards & technologies

Standards

[Figure: overview of standards; sources: Higgins et al., 2014; Chadwick, 2008]

Page 14: AAA-architecture for INSPIRE Standards & technologies

Standards

• Authorization
  – Managed at the SP side based on access rights to a resource
  – Based on attributes – e.g. User ID, role, ...
  – eXtensible Access Control Markup Language (XACML)
  – GeoXACML allows geographical functions
  – OAuth as an alternative but ...

Table 1 – Comparison of different authorization standards

  Standard   What?                               Pro                                                Con
  XACML      XML-based open standard by OASIS    General purpose                                    Complexity
  GeoXACML   Geo-extension to XACML              As XACML but with the ability to index rules       Complexity
                                                 and policies based on geospatial conditions
  OAuth      Category or scope based decisions   Enables acting “on behalf of”; simplicity          May not support complicated rights
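The slide says authorization is decided at the SP from request attributes, and that GeoXACML adds geospatial conditions to XACML. The following is an added illustration of that decision logic, not code from the presentation: the policy is a plain Python model (not XACML syntax), and the roles, resource name and habitat polygon are constructed for the example.

```python
def point_in_polygon(x, y, polygon):
    """Ray-casting point-in-polygon test; polygon is a list of (x, y) vertices."""
    inside = False
    for i, (x1, y1) in enumerate(polygon):
        x2, y2 = polygon[(i + 1) % len(polygon)]
        if (y1 > y) != (y2 > y):  # edge straddles the horizontal ray through (x, y)
            if x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
                inside = not inside
    return inside

# Constructed protected-habitat polygon (lon, lat); not a real boundary.
PROTECTED_HABITAT = [(4.30, 50.80), (4.40, 50.80), (4.40, 50.90), (4.30, 50.90)]

# Each rule matches on action/resource and evaluates a condition over request attributes
# (a GeoXACML-style geospatial condition in the first rule).
# Deny-overrides combining: any applicable Deny wins over any Permit.
POLICY = [
    {"effect": "Deny", "action": "download", "resource": "habitats",
     "condition": lambda r: (point_in_polygon(r["lon"], r["lat"], PROTECTED_HABITAT)
                             and r["role"] != "conservation-officer")},
    {"effect": "Permit", "action": "download", "resource": "habitats",
     "condition": lambda r: r["role"] in ("conservation-officer", "researcher")},
    {"effect": "Permit", "action": "view", "resource": "habitats",
     "condition": lambda r: True},
]

def decide(request, policy=POLICY):
    """Policy decision point: 'Permit', 'Deny' or 'NotApplicable' for one request."""
    effects = [rule["effect"] for rule in policy
               if rule["action"] == request["action"]
               and rule["resource"] == request["resource"]
               and rule["condition"](request)]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```

The same request from the same role yields a different decision depending on where the requested feature lies, which is the kind of rule the table credits GeoXACML with and plain OAuth scopes cannot express.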

Page 16: AAA-architecture for INSPIRE Standards & technologies

Technologies

• Authentication information can be stored and managed in different ways
  – E.g. LDAP, Kerberos, PKI, ...
• For implementing SAML many tools exist (OSS and proprietary)
  – Extensive list with supported protocols and roles in report
  – Shibboleth (Internet2)
    • Supports IdP, SP, discovery
    • Supports additional encryption capacity
    • Attributes described in Java or from databases
    • Additional attributes can be defined

Page 18: AAA-architecture for INSPIRE Standards & technologies

AMF: how it works ...

[Diagram with numbered steps 1 to 11; the figure itself is not recoverable from the text.]

Page 19: AAA-architecture for INSPIRE Standards & technologies

THANK YOU ! QUESTIONS ?