Page 1: Practical Approaches to Web Services Authentication

Practical Approaches to Web Services Authentication

72nd OGC Technical Committee

Frascati, Italy

Fiona Culloch

March 9, 2010

Sponsored and hosted by ESA/ESRIN

Page 2: Practical Approaches to Web Services Authentication

OGC®

Federated Authentication

Page 3: Practical Approaches to Web Services Authentication

User Selects Identity Provider

Page 4: Practical Approaches to Web Services Authentication

Enters Credentials at IdP

Page 5: Practical Approaches to Web Services Authentication

Logged in to Service Provider

Page 6: Practical Approaches to Web Services Authentication

Browser-Based Federation Mature

• Implementations
  – Open-source
    • Shibboleth
    • SimpleSAMLphp, …
  – Commercial
    • OpenAthens
    • Sun
    • Novell, …

• Policy infrastructure
  – Many national federations

Page 7: Practical Approaches to Web Services Authentication

But…

• Doesn’t work for non-browser clients!

Page 8: Practical Approaches to Web Services Authentication

Why Not?

• The protocols (SAML) require:
  – HTTP redirection
  – Cookies
  – SSL/TLS
  – User input (usernames, passwords, etc.)
  – (X)HTML processing

• Web service clients may not support any of these!
  – (OGC Authentication IE client survey)

• Making IdP discovery/interaction impossible

Page 9: Practical Approaches to Web Services Authentication

One Solution Identified

• By UK JISC-funded EDINA project SEE-GEO (2006–08)
  – Initiated and led by EDINA geospatial team
  – With input from
    • AM Consult (Andreas Matheus)
    • UK federation (JISC/EDINA SDSS project)
    • Shibboleth Core Team (Chad La Joie)

Page 10: Practical Approaches to Web Services Authentication

Concept

• Separate
  – Client flow (XML over HTTP)
  – From browser authentication flow (HTML, SAML over HTTP)

• In the client flow
  – URI must contain valid token
  – Token validated by browser authentication flow

Page 11: Practical Approaches to Web Services Authentication

Authenticating Proxy (“Façade”)

[Diagram: Client → Façade → OWS. The client calls http://proxy/...438657... (token in the URI); the façade forwards the request to the OWS and relays the XML response back to the client.]

Page 12: Practical Approaches to Web Services Authentication

Façade Has Two Faces

[Diagram: the façade's two faces. Client face: Client → http://url1/...438657... → Façade → OWS, XML flowing back. Browser face: Browser → http://url2/...438657... → SP (SAML, HTML) → Façade, which validates the token.]
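The façade concept from the Concept slide and the two-face diagram above, as an added toy model in Python. This is not code from the presentation or from the SEE-GEO/WSTIERIA projects. It assumes, beyond what the slides say, that the token is carried as a `token` query parameter, that tokens expire after a fixed lifetime, and that the SAML SP step is stubbed by handing the façade the asserted user identifier; the OWS back end is a constructed fake that records what it was asked.

```python
"""Toy model of an authenticating proxy ("façade") with two faces.

Added illustration; not the SEE-GEO implementation. Assumptions (not on the
slides): opaque random tokens in a `token` query parameter, a fixed token
lifetime, and a stubbed SAML SP that simply reports the authenticated user.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

TOKEN_LIFETIME_S = 3600  # assumed lifetime; the slides give none


@dataclass
class TokenRecord:
    user: str
    issued_at: float


def extract_token(url: str):
    """Return the `token` query parameter of a client-face URL, or None."""
    values = parse_qs(urlparse(url).query).get("token")
    return values[-1] if values else None


class Facade:
    def __init__(self, ows_backend, now=time.time):
        self._ows = ows_backend      # callable(path, params, user) -> XML string
        self._now = now
        self._tokens = {}            # token -> TokenRecord

    # Browser face (url2): the SAML SP in front of this face has already
    # authenticated the user, so we only receive the asserted identity.
    def browser_login(self, asserted_user: str) -> str:
        token = secrets.token_urlsafe(24)
        self._tokens[token] = TokenRecord(asserted_user, self._now())
        return token

    def browser_logout(self, token: str) -> None:
        self._tokens.pop(token, None)

    def _lookup(self, token):
        """Constant-time match against stored tokens; drops expired ones."""
        if token is None or not token.isascii():
            return None
        match = None
        for stored, rec in self._tokens.items():
            if hmac.compare_digest(stored, token):
                match = (stored, rec)
        if match is None:
            return None
        stored, rec = match
        if self._now() - rec.issued_at > TOKEN_LIFETIME_S:
            del self._tokens[stored]
            return None
        return rec

    # Client face (url1): plain XML over HTTP. No redirects, cookies or HTML;
    # the token in the URI is the only credential.
    def client_request(self, url: str):
        parsed = urlparse(url)
        rec = self._lookup(extract_token(url))
        if rec is None:
            return 401, ("<ServiceExceptionReport><ServiceException>"
                         "no valid token</ServiceException></ServiceExceptionReport>")
        # Forward to the OWS with the token stripped; the OWS never sees it.
        params = {k: v[-1] for k, v in parse_qs(parsed.query).items() if k != "token"}
        return 200, self._ows(parsed.path, params, rec.user)


def demo():
    calls = []

    def fake_ows(path, params, user):
        # Constructed stand-in for a real OWS: records the forwarded request.
        calls.append((path, params, user))
        return f"<WMS_Capabilities user='{user}'/>"

    clock = [1_000.0]
    facade = Facade(fake_ows, now=lambda: clock[0])

    # Browser flow: the SP has authenticated alice, the façade mints her token.
    token = facade.browser_login("alice@example.org")

    ok = facade.client_request(
        f"http://url1/wms?token={token}&SERVICE=WMS&REQUEST=GetCapabilities")
    bad = facade.client_request(
        "http://url1/wms?token=forged&SERVICE=WMS&REQUEST=GetCapabilities")
    missing = facade.client_request("http://url1/wms?SERVICE=WMS")

    clock[0] += TOKEN_LIFETIME_S + 1  # token lifetime elapses
    expired = facade.client_request(f"http://url1/wms?token={token}&SERVICE=WMS")

    token2 = facade.browser_login("alice@example.org")
    facade.browser_logout(token2)
    after_logout = facade.client_request(f"http://url1/wms?token={token2}&SERVICE=WMS")
    return ok, bad, missing, expired, after_logout, calls


if __name__ == "__main__":
    for result in demo()[:5]:
        print(result)
```

The point the model makes is the one on the "Separates Auth. from Application" slide: the OWS only ever receives a clean request plus an asserted user, while token minting, expiry and revocation live entirely in the façade's browser face.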

Page 13: Practical Approaches to Web Services Authentication

Façade Separates Auth. from Application

Façade: SAML, Fed., X.509, Auth. Policy, …
  Sys. admin., Auth. policy (Someone else’s problem!)

OWS: WMS, WFS, …
  App. design, OGC standards, … (Your problem)

Page 14: Practical Approaches to Web Services Authentication

SEE-GEO Work Being Taken Forward

• In the OGC (1H 2010)
  – Authentication Interoperability Experiment
    • Interoperability testing
    • Investigate best choice of SAML protocols, bindings

• At EDINA
  – JISC-funded project WSTIERIA (2010)
    • Generalise from OWS to any WS
    • Abstract from SAML protocols, bindings to Shibboleth concept of “protected service”

Page 15: Practical Approaches to Web Services Authentication

Meanwhile, Elsewhere…

• Shibboleth Core Team / U. of Chicago have developed
  – Shibboleth extension for web services
    • Based on SAML 2.0 Enhanced Client Proxy (ECP)
    • Client libraries (for Java, …)
    • Supports N-tier use cases!

Page 16: Practical Approaches to Web Services Authentication

So Why Bother With Façade?

• No client library required

• SAML 2.x / Shibboleth 2.x not required
  – As of December 2009, only ~20% of UK federation IdPs SAML 2.0

• Few / zero client modifications required

• WSTIERIA taking both approaches forward

Page 17: Practical Approaches to Web Services Authentication

Call to Action

• Any volunteer clients?

• Contact us! [email protected]