OGC Web Services Shibboleth Interoperability Experiment (OSI) Chris Higgins, IE Manager, EDINA National Datacentre, Scotland Webinar, Thursday, Nov 18, 2010


Page 1: OGC Web Services Shibboleth Interoperability Experiment (OSI)

OGC Web Services Shibboleth Interoperability Experiment (OSI)

Chris Higgins, IE Manager, EDINA National Datacentre, Scotland

Webinar, Thursday, Nov 18, 2010

Page 2: OGC Web Services Shibboleth Interoperability Experiment (OSI)

OGC Web Services Shibboleth Interoperability Experiment

Some housekeeping

• Audio separate from webinar. Phone in on: +1 512 225 3050, Participant Code: 55699#
• Please mute if not speaking and in conversation with colleagues, or in a busy room, etc.
• Submit questions via the “chat” pod. Will collate these and get through as many as possible at the end.
• Session is being recorded

Page 3: OGC Web Services Shibboleth Interoperability Experiment (OSI)

Some introductions

• Team that has worked on integrating Shibboleth/OWS:
  – Self, Andrew Seales, Michael Koutroumpas and Andreas Matheus
• IE Initiating Organisations:
  – EDINA, Snowflake and Cadcorp
• IE Participants:
  – EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC
  – BKG (German NMA) provided another federation
• OGC IE Facilitator:
  – Luis Bermudez

Page 4: OGC Web Services Shibboleth Interoperability Experiment (OSI)

EDINA

• A National Data Centre for Tertiary Education since 1995
  – based at the University of Edinburgh, Scotland
• Our mission... to enhance the productivity of research, learning and teaching in UK higher and further education
• Focus is on service but also undertake R&D
  – turn projects into services
• In ESDIN one of our roles is to try to represent interests of the European academic sector – one of the identified target user groups

Page 5: OGC Web Services Shibboleth Interoperability Experiment (OSI)

ESDIN Project

• An eContentplus Best Practice Network project
• Started September 2008. Ends March 2011
• Coordinated by EuroGeographics
• Key goal: help member states, candidate countries and EFTA States prepare their data for INSPIRE Annex 1 spatial data themes and improve access:
  1. Administrative Boundaries
  2. Cadastral Parcels
  3. Hydrography
  4. Transport Networks
  5. Geographical Names

Page 6: OGC Web Services Shibboleth Interoperability Experiment (OSI)

ESDIN project info (www.esdin.eu)

Project partners (logo slide): Interactive Instruments; Bundesamt für Kartographie und Geodäsie; Lantmäteriet; National Technical University of Athens; IGN Belgium; Bundesamt für Eich- und Vermessungswesen; Universität Münster; EDINA, University of Edinburgh; National Agency for Cadastre and Real Estate Publicity Romania; Helsinki University of Technology; IGN France; Kadaster; Kort & Matrikelstyrelsen; Geodan Software Development & Technology; 1Spatial; The Finnish Geodetic Institute; National Land Survey of Finland; Institute of Geodesy, Cartography and Remote Sensing; Statens kartverk; EuroGeographics

Page 7: OGC Web Services Shibboleth Interoperability Experiment (OSI)

Why put effort into federated access control?

• Authentication is the process of verifying that claims made concerning a subject (eg, identity) who is attempting to access a resource are true, ie, authentic

• Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected data

• The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler

• Even more so if it removes some of the barriers to interoperability…

Page 8: OGC Web Services Shibboleth Interoperability Experiment (OSI)

Shibboleth

• Internet2 consortium
• Open source package for web Single Sign On across admin boundaries based on standards:
  – Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security assertions by obeying privacy policies
• Small coordination centre, large federation of organisations (service and identity providers)
• Devolved authentication – maintain and leverage existing user management
• Enables finer grained authorisation through use of attributes
• Many Shibboleth Access Management Federations across Globe

Page 9: OGC Web Services Shibboleth Interoperability Experiment (OSI)

Diagram: a Shibboleth Access Management Federation – a Coordinating Centre, many Service Providers (SP) and Identity Providers (IdP), with Users belonging to Organisations.

Page 10: OGC Web Services Shibboleth Interoperability Experiment (OSI)

Why put effort into federated access control round OGC Web Services?

• Requested by the commission to focus on testing practical existing solutions
• Opportunity to build on earlier work undertaken by same team (JISC funded SEE-GEO project)
  – Showed Shibboleth Access Control around WMS
• Key findings of current work; the solution required:
  – No changes to the OWS interface specifications
  – No changes to the core mainstream Shibboleth
  – BUT, does require changes to OWS desktop clients

Page 11: OGC Web Services Shibboleth Interoperability Experiment (OSI)

Diagram: INSPIRE Federation – IdPs at Member State organisations (eg, NMCAs) and at key organisations (eg, EEA, JRC); OWS Providers offering WMS and WFS.

Page 12: OGC Web Services Shibboleth Interoperability Experiment (OSI)

What we set out to do in this IE

• Provide the OGC community with the opportunity to demonstrate their desktop client software being capable of consuming OWS within Shibboleth Access Management Federations
  – Protected ESDIN Federation OWS to develop against
  – Reference implementation of desktop client
• Result: a variety of different clients capable of undergoing the Shibboleth/SAML interactions
  – Browser based clients, ie OpenLayers based
  – Desktop based clients
• Result: a better understanding of the issues

Page 13: OGC Web Services Shibboleth Interoperability Experiment (OSI)

OGC Interoperability Experiment

• IEs are part of the OGC Interoperability Program, which includes other activities, such as Pilots and Testbeds.
• The IE is focused on an interoperability issue related to the OGC Technical Baseline.
• The IE completion timeframe is reasonable (4-6 months).
• The IE is “lightweight” – focuses on a single interoperability issue.
• All materials, documents, lessons learned, and other findings developed as a result of the IE will be shared with the OGC membership.
• The expected results: Engineering Report, Best Practice Report, and Change Requests.

Page 14: OGC Web Services Shibboleth Interoperability Experiment (OSI)

What we intend to do today

• Show these clients in action
• But note. Aggressive timeline. The Kickoff telcon was on Sept 30th, ie, seven weeks ago.
• Different clients, some browser based, some desktop, accessing various WMS and WFS
• Series of Single Sign On scenarios

“The best-laid schemes o' mice an' men / Gang aft agley” (Robert Burns)

Page 15: OGC Web Services Shibboleth Interoperability Experiment (OSI)

Example: Desktop Client, WMS

SSO, Desktop Client, WMS – sequence across three federation members: EDINA, Cadcorp, Envitia

1. Attempt access to protected service (user not previously authenticated)
2. User picks IdP
3. Authenticates
4. Demonstrates access to data
5. Attempts access to different protected services within the Federation (already authenticated)
6. Demonstrates access to data
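As an added illustration (not part of the slides or the IE's reference implementation), the Python sketch below models the sequence above together with the page 10 finding that it is the OWS desktop client, not the OWS interface or Shibboleth, that has to change: the client must recognise that an unauthenticated GetCapabilities request comes back as an HTML hand-off to IdP discovery rather than capabilities XML, complete the IdP login once, and reuse the IdP session for the next protected service in the federation. All classes, cookies, the `affiliation` attribute and the SP identifiers are constructed for the example; real Shibboleth exchanges SAML messages, which are not modelled here.

```python
import secrets

class IdP:
    """Identity Provider: authenticates the user once, then asserts attributes to any SP."""
    def __init__(self, users):
        self.users, self.sessions = users, {}  # users: {login: (password, attributes)} (constructed)
    def authenticate(self, login, password):
        if self.users.get(login, ("",))[0] != password:
            raise PermissionError("bad credentials")
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = login  # the IdP session outlives any single SP visit
        return cookie
    def assertion_for(self, cookie, sp_id):
        """Release the user's attributes, scoped to one SP (the audience), if a session exists."""
        login = self.sessions.get(cookie)
        return None if login is None else {"audience": sp_id, "attributes": self.users[login][1]}

class SP:
    """Shibboleth-protected WMS: serves capabilities XML only to a client holding a local session."""
    def __init__(self, sp_id, required_affiliation):
        self.sp_id, self.required, self.sessions = sp_id, required_affiliation, {}
    def get_capabilities(self, sp_cookie):
        if sp_cookie in self.sessions:
            return "xml", f"<WMS_Capabilities service='{self.sp_id}'/>"
        return "html", "redirect-to-discovery"  # an unmodified OWS client would try to parse this as XML
    def consume(self, assertion):
        if assertion["audience"] != self.sp_id:
            raise PermissionError("assertion not addressed to this SP")
        if assertion["attributes"].get("affiliation") != self.required:
            raise PermissionError("authenticated but not authorised")  # attribute-based authorisation
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = assertion["attributes"]
        return cookie

class DesktopClient:
    """Shibboleth-aware OWS client: keeps IdP and per-SP cookies apart and counts login prompts."""
    def __init__(self, home_idp, login, password):
        self.idp, self.login, self.password = home_idp, login, password
        self.idp_cookie, self.sp_cookies, self.prompts = None, {}, 0
    def fetch(self, sp):
        kind, body = sp.get_capabilities(self.sp_cookies.get(sp.sp_id))
        if kind == "xml":
            return body
        # Handed off to discovery: the user picks the home IdP; a password prompt is needed
        # only when no IdP session exists yet (this is the SSO in steps 5 and 6).
        if self.idp.assertion_for(self.idp_cookie, sp.sp_id) is None:
            self.prompts += 1
            self.idp_cookie = self.idp.authenticate(self.login, self.password)
        self.sp_cookies[sp.sp_id] = sp.consume(self.idp.assertion_for(self.idp_cookie, sp.sp_id))
        return sp.get_capabilities(self.sp_cookies[sp.sp_id])[1]
```

Running two federation SPs against one IdP shows a single password prompt for the first service and none for the second, while a user whose released attributes do not satisfy the SP is authenticated but refused.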
