
NPS Natural Resource & GIS Programs Inventory and Monitoring Program 2009 Data Manager’s Meeting Identity Management


Page 1

NPS Natural Resource & GIS Programs
Inventory and Monitoring Program

2009 Data Manager’s Meeting

Identity Management

Page 2

Authentication (Prove who you are)

• Authentication techniques
  – Prompt for username / password
  – Relay network domain credentials
  – Digital Certificates
  – Smart Cards

• Username / passwords are the most common in our apps right now
  – Every application stores user information, including passwords
  – Every application is authenticating users only within the context of a single application
  – Security Risk:
    • Passwords stored in a variety of locations
    • Individual applications may not have the resources to keep up with DOI password policies

• Resolution – Security Token Services (STS)
  – Centralize user information in STSs
    • Only the STS knows the passwords, and/or other user information
    • DOI security policies are addressed in one place
  – STS exchanges user credentials for an industry-standard digitally signed token
    • Token is then passed around to apps and services
    • Applications/Services only have to know how to interpret the token

Page 3

Security Token Service

• Validate User Credentials
  – Domain accounts / Windows NTLM
    • DOI's Active Directory
    • For users on the DOI network
  – Usernames / Passwords
    • ADAM / AD LDS, a lightweight implementation of Active Directory
    • For users not on the DOI network
  – Other credential types
    • Digital Certificates
    • Authenticating partner applications / services running automated processes

• Transform User Credentials
  – Make claims about a user
  – Wrap the claims within a digitally signed SAML Token

Page 4

Security Token Process

(Diagram. Participants: Browser, Web Portal, Security Token Service (Forms-based), Security Token Service (Windows-based), Security Token Service (Partner Organization), DOI's ADFS, Account Management Service, Species Service. Numbered steps from the diagram:)

0. External user may pre-authenticate at own site
1. User requests Login
2. Redirect to STS
3a. Internal Network… go to Windows-based STS
3b. Forward to DOI's ADFS
3c. Non-Internal Network… go to Forms-based STS
3d. For partner STS… redirect to wrap their SAML token with our SAML token
4. User requests Login, add role claims
5. Redirect to Portal
6. User requests secure data
7. Send Request with SAML Token
8. Validate SAML Signature
9. Compare "Role Claim" with permissions for secure operation
10. Provide secure data
11. Return secure data

• Apps and Services will never see usernames and passwords, just SAML tokens
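The hand-off in steps 4, 8 and 9 above, as an added example (not IRMA code): an STS issues a token carrying role claims, and the Species Service checks the signature before comparing the role claim with the operation's permissions; issuer, audience and expiry checks are added as the checks a relying party also needs. A shared-secret HMAC stands in for the XML digital signature on a real SAML token, and the claim names, service names and secret are constructed.

```python
"""Added example (not NPS/IRMA code): the STS hand-off in steps 4 to 9 above,
reduced to a compact JSON token. A shared-secret HMAC stands in for the
XML digital signature on a real SAML token; the claim names, service names
and secret below are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time

STS_SECRET = b"constructed-example-secret"  # stands in for the STS signing key
ISSUER = "example-sts"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, roles, audience, ttl=600, now=None):
    """Step 4: the STS wraps claims about the user in a signed token."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "roles": list(roles), "aud": audience,
              "iss": ISSUER, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(STS_SECRET, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def validate_token(token, audience, now=None):
    """Step 8: verify the signature before trusting any claim. Issuer, audience
    and expiry checks are added here as the checks a relying party also needs."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(STS_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was not issued for this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Step 9: roles permitted per secure operation on the Species Service (constructed).
SPECIES_PERMISSIONS = {
    "read_certified_list": {"park_user", "data_manager"},
    "edit_species_list": {"data_manager"},
}


def authorize(token, operation, now=None):
    """Steps 8 and 9 together: the service sees only the token, never a password."""
    try:
        claims = validate_token(token, audience="species-service", now=now)
    except ValueError:
        return False
    allowed = SPECIES_PERMISSIONS.get(operation, set())
    return any(role in allowed for role in claims.get("roles", []))
```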

Page 5

Authorization (What are you allowed to do)

• Role based authorization
  – Users are placed in groups (roles) and permissions are applied to the group
  – Access to a resource is granted by comparing the user's role to the roles defined for the resource
  – Advantages:
    • Permission management on a small number of groups instead of many users
  – Limitations:
    • Permissions are applied to resources at a very broad level. Granular rules will require more and more groups
    • Roles only have meaning within individual applications

• Resource based authorization (Access Control Lists)
  – Permissions are defined on the resource itself
    • Specify what operation / group / user can access a resource
  – Advantages:
    • Authorization rules are upheld independent of what service is requesting it
  – Limitations:
    • Every resource would have to implement attributes that identify what it is
    • In the case of system files, often requires some form of impersonation to get through operating system process rules

Page 6

• Claims based authorization
  – Claims are properties that describe the capabilities of an entity
    • Type – allows services consuming claims to know what the claim is in reference to
    • Right – describes the capability the entity has over a resource
    • Resource – something over which a claim is made
  – Essentially does role based authorization and more
    • Roles are based on identity. Identity is one of many claims that can be made about a user
  – Advantages:
    • Separates authorization rules from the mechanisms used for authentication
    • Authorization policies, based on claims, can be created down to a very granular level
    • Very good at controlling access across platforms and applications
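Claims-based authorization with the three claim parts above (Type, Right, Resource), as an added example that is not IRMA code: a role is modelled as one claim type that a policy expands into finer-grained rights, while a direct claim can grant a right on a single unit's list. The claim types, unit codes and the role policy are constructed.

```python
"""Added example (not NPS/IRMA code): claims-based authorization using the
three claim parts described above (Type, Right, Resource). The claim types,
unit codes and the role policy below are constructed for the example."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Claim:
    type: str      # what the claim refers to, e.g. "role" or "species-list"
    right: str     # capability over the resource, e.g. "member", "read", "edit"
    resource: str  # what the claim is made over; "*" means any resource


# A role is just one claim type. This policy maps a role claim onto the finer
# grained rights it implies, so role-based checks become a special case.
ROLE_POLICY = {
    Claim("role", "member", "data_manager"): {
        Claim("species-list", "read", "*"),
        Claim("species-list", "edit", "*"),
    },
    Claim("role", "member", "park_user"): {
        Claim("species-list", "read", "*"),
    },
}


def effective_claims(claims: Iterable[Claim]) -> set:
    """Expand role claims through the policy; other claims stand on their own,
    which is what lets one user get a right on a single unit's list only."""
    out = set()
    for c in claims:
        out.add(c)
        out |= ROLE_POLICY.get(c, set())
    return out


def _covers(granted: Claim, wanted: Claim) -> bool:
    return (granted.type == wanted.type and granted.right == wanted.right
            and granted.resource in ("*", wanted.resource))


def is_allowed(claims: Iterable[Claim], wanted: Claim) -> bool:
    """Default deny: allow only if some effective claim covers the request.
    The check never asks how the caller authenticated, only what was claimed."""
    return any(_covers(g, wanted) for g in effective_claims(claims))
```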

Page 7

Challenges Solved and Still to Solve

• Authentication from multiple sources
  – Currently can do multiple types of STS
    • Transparent logins for domain users
    • Form based username / passwords against ADAM / AD LDS
    • Digital Certificates

• Will be developing a flexible and reusable API for authorization
  – Determine general claim types that are needed across our services
  – Identify service specific claim types that will be needed
  – Make it all work for client applications other than web browsers
    • Excel
    • Access
    • Etc.

Page 8

Unit

IRMA Infrastructure Services

Page 9

Problems to Solve

• Multiple copies of unit, park, etc. databases being used (every app had a different one!)

• Inconsistent park codes and names used

• No common maintenance practices

Page 10

Version 1.0.0

• Centralized data source

• Initial IRMA coding standards, service structure

• Very atomic methods (not user-friendly, but they work)

Page 11

Example

• Reference Service – Search Page

http://nrinfo.nps.gov

• Pick List = data + web controls:

Page 12

Short-term Vision

• Full integration with IRMA practices

• Standardized park codes

• More efficient fetch methods

• More sophisticated web controls

Page 13

Longer-term Vision

• Customizable web controls

• Accessible service for networks and parks

• Search and report page in NRInfo Portal

• Subunits
  – Management districts, ranger districts, etc.

• Maintenance functions

Page 14

Taxonomy

IRMA Infrastructure Services

Page 15

Problems to be Solved

• Multiple applications need to manage information about taxa

• We need a common currency for discussing taxa

• We would like to use other taxonomic datasets besides ITIS, such as USDA Plants

Page 16

Version 1.0

• Four primary parts
  – Names
  – Categories
  – Sources
  – Classifications

• Searching by Name and by Code
• Taxon Profile pages
• Integration with Species

Page 17

Search by Name

Page 18

Search by Code

Page 19

Search Results

Page 20

Taxon Profile

Page 21

Short-term Vision

• Include authorities
• Integrate USDA Plants list
• Downloadable taxonomy lists
• Saved searches and layouts
• Transform a taxa list using Crosswalks
• Links to external Classification Sources
• More search options

Page 22

Long-term Vision

• Adding and editing Taxa
• Roll-up to Ranks
• Authentication
• Change History Management
• Commenting
• Other types of taxonomies

Page 23

Benefits

• One-stop shopping for Taxonomy

• NPS Taxon Code serves as common currency

• New Classification Sources can be loaded, adding new sets of names

Page 24

Reference Service Update

Data Manager’s Conference

April, 2009

Page 25

Overview

• Problem

• Current Status

• Short-Term Plans

• Long-Term Vision

• Benefits of Service

Page 26

What is the Problem?

• Fundamental need to manage citations/metadata
  – Documents
  – Datasets
  – Photos
  – Other

• Citations/Metadata in different systems
• Hard to associate/group references
• Applications do not adequately serve the needs of the natural resources program

Page 27

Reference Service 1.0

• Active, non-sensitive, and non-proprietary citations from NatureBib and Data Store
• Limited subset of the Reference attributes
• Basic searching and read-only viewing
• No user-name or password required to search
• Download attachments
• Creating/Editing still done through NatureBib and Data Store

Page 29

Search

• Simple search (search logic behind the scenes)
• Must be easy to use

Page 30

Search Results

Page 31

Detailed View

Page 32

Short-Term Plans

• 1.x Iterations
  – Functionality of NatureBib and DataStore
  – Begin to clarify definitions
  – Introduce Reference Owner and Unit Steward roles
  – Begin Reference Relationships
    • Split into related references (e.g., book chapter is part of book)
    • Begin to combine duplicates
    • Show related references as one in Portal
  – Create Reference from XML record
  – Integrate with other services

• 2.0+
  – Turn off NatureBib and Data Store
  – Begin following Long-Term Road Map for adding functionality

Page 33

Long-Term Road Map

• Stakeholder Interviews

• Project Scope

• Version Timeline

Page 34

Stakeholder Interviews

• Fall of 2008

• Gather user needs

• 100+ people interviewed

• 25+ meetings

Page 35

Road Map - Project Scope

• Out for review - March 2009
• Integrates user needs
• Proposes long-term functionality
• Very general and… dry
• Minimize risks
  – Get everyone on the same page
  – Identify logical flaws
• Survey to Get Feedback/Comments

Page 36

Survey Results

Chapter Title                                        Average   StDev
Reference Collections                                  1.2      0.5
Change History Management                              1.2      0.5
Notification                                           1.2      0.5
Search/Query References                                1.2      0.4
Introduction                                           1.2      0.6
System Level User Groups and Role Management           1.3      0.7
Reference-Reference Relationships                      1.4      0.7
Import/Export References                               1.5      1.0
Reference-Taxonomy Relationships                       1.5      0.7
Holdings                                               1.5      0.9
Reference Unit Relationships                           1.5      0.8
Reference Management                                   1.6      0.9
User Comments and Discussion Threads                   1.8      1.3
Appendix                                               1.9      1.2
Accessing the Reference Service via SOAP Messages      2.0      1.1

Page 37

Road Map – Version Timeline

• Prioritize functionality in Project Scope

• Can begin once Project Scope is completed

• Very important beyond 2.0

Page 38

Further Development and Refinement

• Progressive elaboration

• Regular user feedback

(Cycle diagram: Develop Service Version → Obtain User Feedback → Modify Versions Timeline → Progressive Elaboration of Project Scope; labelled "bugs")

Page 39

Benefits

• Leverages functionality of other services
  – Taxonomy
  – Units
  – Authentication
  – File

• Can be leveraged by other services
  – Species
  – Project
  – Data Clearinghouses

Page 40

NPSpecies Update

Presented by: Alison Loar

Page 41

New NPSpecies is Useful Because

• Shared infrastructure
  – Units, Taxonomy, Authentication, etc.

• Reusable controls

• New user friendly user interface on the NRInfo Portal

• Ability to access service fetch operations to “build your own”

Page 42

Current Status

• NPSpecies 2.0.3 on NRInfo Portal

• Certified Species Lists
  – For data that have been certified
  – Ability to download lists

• Live Demo…

Page 43

Upcoming Release

• NPSpecies 2.1.0 – Released next month
  – Species lists with more views
  – Park-Species Profile
  – Simple stats
  – List of Units (where one species is found)
  – Live Demo…

Page 44

Roadmap Release Plan – Short Term

• NPSpecies 2.2
  – Integrate NPSpecies with New Match List Application

• NPSpecies 2.3
  – Integrate NPSpecies with New Evidence Applications (Vouchers, Observations, References)

• NPSpecies 3.0
  – Add/Edit/Delete
  – Turn off NPSpecies 1.0

Page 45

Roadmap Release Plan – Long Term

• NPSpecies 3.1
  – Ability to have multiple species lists for one category & one unit in NPSpecies
  – Tools to Compare and Merge data

• NPSpecies 3.2
  – QA toolbox with QA Filters
  – Automated workflow

Page 46

IRMA Summary: What this Means for You

Data Manager’s Conference

April, 2009

Page 47

Accessing Information

• Web Portal
  – Consistent Interface
  – Brings multiple services together

• SOAP Messages

Page 48

SOAP Messages

• Simple Object Access Protocol
• Get information without a web interface
• Text messages
• Industry Standard (e.g., Travelocity)
• Supported by other Languages and Applications
  – MS Products
  – Python

Page 49

Example SOAP Message

  <CreateReference>
    <Title>Birds of ROMO</Title>
    <Publisher>NPS</Publisher>
    <DateOfIssue>20080104</DateOfIssue>
  </CreateReference>

Page 50

Example Messages

• FetchReferenceList
• CreateReference
• FetchReferenceHolding
• DeleteReference
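The CreateReference message from the previous slide wrapped in a SOAP envelope, and a FetchReferenceList reply read back out, as an added Python example (one of the client languages named above) that is not IRMA code. The service namespace, the reply layout and the sample reply are constructed; the real message names and structure come from the service's WSDL. Building the envelope through the XML API, rather than pasting strings together, keeps caller-supplied text escaped.

```python
"""Added example (not NPS/IRMA code): building the CreateReference message as
a SOAP 1.1 envelope and reading a FetchReferenceList reply. The service
namespace, the reply layout and the sample reply are constructed."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example-irma-reference-service"  # placeholder, not the real namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ref", SVC_NS)
_NS = {"soap": SOAP_NS, "ref": SVC_NS}


def build_create_reference(title: str, publisher: str, date_of_issue: str) -> bytes:
    """Build the envelope with the ElementTree API so that text such as a title
    containing '<' or '&' is escaped instead of being pasted into an XML string."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    msg = ET.SubElement(body, f"{{{SVC_NS}}}CreateReference")
    for tag, text in (("Title", title), ("Publisher", publisher),
                      ("DateOfIssue", date_of_issue)):
        ET.SubElement(msg, f"{{{SVC_NS}}}{tag}").text = text
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def read_create_reference(envelope: bytes) -> dict:
    """Read the fields back out of a CreateReference envelope (shows that the
    escaped text round-trips intact)."""
    msg = ET.fromstring(envelope).find("soap:Body/ref:CreateReference", _NS)
    return {tag: msg.findtext(f"ref:{tag}", namespaces=_NS)
            for tag in ("Title", "Publisher", "DateOfIssue")}


def parse_reference_list(reply: bytes) -> list:
    """Pull (ReferenceCode, Title) pairs out of a FetchReferenceList reply."""
    root = ET.fromstring(reply)
    path = "soap:Body/ref:FetchReferenceListResponse/ref:Reference"
    return [
        {"code": r.findtext("ref:ReferenceCode", namespaces=_NS),
         "title": r.findtext("ref:Title", namespaces=_NS)}
        for r in root.findall(path, _NS)
    ]


# Constructed sample reply; not captured from the live service.
SAMPLE_REPLY = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ref:FetchReferenceListResponse xmlns:ref="urn:example-irma-reference-service">
      <ref:Reference>
        <ref:ReferenceCode>1001</ref:ReferenceCode><ref:Title>Birds of ROMO</ref:Title>
      </ref:Reference>
      <ref:Reference>
        <ref:ReferenceCode>1002</ref:ReferenceCode><ref:Title>Plants &amp; Lichens</ref:Title>
      </ref:Reference>
    </ref:FetchReferenceListResponse>
  </soap:Body>
</soap:Envelope>"""
```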

Page 51

Application to Networks

• Custom applications
• Integrate multiple services for higher level functionality
• Automatic update of web pages