Sponsored and hosted by ESA/ESRIN. Practical Approaches to Web Services Authentication. 72nd OGC Technical Committee, Frascati, Italy. Fiona Culloch, March 9, 2010.
Practical Approaches to Web Services Authentication
72nd OGC Technical Committee
Frascati, Italy
Fiona Culloch
March 9, 2010
Sponsored and hosted by ESA/ESRIN
OGC®
Federated Authentication
User Selects Identity Provider
Enters Credentials at IdP
Logged in to Service Provider
Browser-Based Federation Mature
• Implementations
  – Open-source
    • Shibboleth
    • SimpleSAMLphp, …
  – Commercial
    • OpenAthens
    • Sun
    • Novell, …
• Policy infrastructure
  – Many national federations
But…
• Doesn’t work for non-browser clients!
Why Not?
• The protocols (SAML) require:
  – HTTP redirection
  – Cookies
  – SSL/TLS
  – User input (usernames, passwords, etc.)
  – (X)HTML processing
• Web service clients may not support any of these!
  – (OGC Authentication IE client survey)
• Making IdP discovery/interaction impossible
One Solution Identified
• By UK JISC-funded EDINA project SEE-GEO (2006–08)
  – Initiated and led by EDINA geospatial team
  – With input from
    • AM Consult (Andreas Matheus)
    • UK federation (JISC/EDINA SDSS project)
    • Shibboleth Core Team (Chad La Joie)
Concept
• Separate
  – Client flow (XML over HTTP)
  – From browser authentication flow (HTML, SAML over HTTP)
• In the client flow
  – URI must contain valid token
  – Token validated by browser authentication flow
Authenticating Proxy (“Façade”)
Diagram: Client → Façade → OWS. The client sends its request to the façade at http://proxy/...438657... (the token is carried in the URI) and receives XML back; the façade forwards the request to the OWS and relays the OWS’s XML response.
Façade Has Two Faces
Diagram: the façade fronts two flows that share one token.
  – Client face: Client → Façade → OWS via http://url1/...438657..., exchanging XML.
  – Browser face: Browser → SP via http://url2/...438657..., exchanging HTML and SAML, where the browser authentication flow validates the token.
Façade Separates Auth. from Application

  Façade                                 | OWS
  ---------------------------------------|--------------------------------
  SAML, Fed., X.509, Auth. Policy, …     | OWS, WMS, WFS, …
  Sys. admin., Auth. policy              | App. design, OGC standards, …
  (Someone else’s problem!)              | (Your problem)
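As an added illustration of the Concept and façade slides (example code, not from the SEE-GEO project or the OGC), the following models the two faces of a façade: the browser/SAML face issues a time-limited token after the SP has authenticated the user, and the client face accepts an OWS request only when the URI carries a valid token. The SAML SP itself is not modelled; issue_token() stands in for the point where the assertion has already been validated, and all function names and the URI layout are assumptions.

```python
# Added example (not from the slides): a minimal model of the façade idea,
# where the browser/SAML flow issues a token that the non-browser client
# then carries in the OWS request URI.  issue_token() stands in for the
# SP having already validated the SAML assertion; nothing here parses SAML.
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

TOKEN_TTL_SECONDS = 600   # short life: URI tokens end up in logs and histories

# Token store shared by both faces: token -> (principal, expiry timestamp)
_tokens: Dict[str, Tuple[str, float]] = {}


def issue_token(principal: str, now: Optional[float] = None) -> str:
    """Browser face: after the SP has authenticated the user, mint an
    unguessable, time-limited token bound to that principal."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # URL-safe, never contains '/'
    _tokens[token] = (principal, now + TOKEN_TTL_SECONDS)
    return token


def lookup_token(presented: str, now: float) -> Optional[str]:
    """Return the principal for a valid token, else None.  Expired tokens are
    purged lazily; the comparison is constant-time so timing does not reveal
    how much of a guessed token matched."""
    for token, (principal, expiry) in list(_tokens.items()):
        if now >= expiry:
            del _tokens[token]
            continue
        if hmac.compare_digest(token.encode(), presented.encode()):
            return principal
    return None


def facade_handle(url: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Client face: the token is the first path segment, e.g.
    http://proxy/<token>/wms?SERVICE=WMS&REQUEST=GetCapabilities.
    Returns (status, body); the OWS reply is a constructed stand-in."""
    now = time.time() if now is None else now
    parts = urlparse(url).path.lstrip("/").split("/", 1)
    if len(parts) != 2 or not parts[0]:
        return 400, "missing token segment"
    principal = lookup_token(parts[0], now)
    if principal is None:
        return 401, "invalid or expired token"
    # Forward to the back-end OWS; the principal is available for logging or
    # authorisation without the OWS knowing anything about SAML.
    return 200, f"<WMS_Capabilities for='{principal}' path='/{parts[1]}'/>"
```

The 401 on an expired token is the property the Concept slide relies on: a URI copied out of a log is useless once the browser-issued token has lapsed.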
SEE-GEO Work Being Taken Forward
• In the OGC (1H 2010)
  – Authentication Interoperability Experiment
    • Interoperability testing
    • Investigate best choice of SAML protocols, bindings
• At EDINA
  – JISC-funded project WSTIERIA (2010)
    • Generalise from OWS to any WS
    • Abstract from SAML protocols, bindings to Shibboleth concept of “protected service”
Meanwhile, Elsewhere…
• Shibboleth Core Team / U. of Chicago have developed
  – Shibboleth extension for web services
    • Based on SAML 2.0 Enhanced Client Proxy (ECP)
    • Client libraries (for Java, …)
    • Supports N-tier use cases!
So Why Bother With Façade?
• No client library required
• SAML 2.x / Shibboleth 2.x not required
  – As of December 2009, only ~20% of UK federation IdPs supported SAML 2.0
• Few / zero client modifications required
• WSTIERIA taking both approaches forward