OGC Interoperability Experiments & Authentication
Association of Geographic Information Laboratories in Europe (AGILE) pre-conference workshop. Testbed research: Testing Geospatial Services / Persistent Testbed, Utrecht, The Netherlands, 18th April 2011. [email_address], EDINA National Data Centre, University of Edinburgh

Shibboleth
• Internet2 consortium open source package for web single sign-on across administrative boundaries
• Based on standards: Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security assertions while obeying privacy policies
• Devolved authentication: maintain and leverage existing user management
• Enables finer-grained authorisation through the use of attributes
• Small coordination centre, large federation of organisations (service and identity providers)
Key Roles within an Access Management Federation
(Diagram: Users and their Organisations; Identity Providers (IdP) and Service Providers (SP) making up the Federation; a Coordinating Centre.)

EDINA
• A National Data Centre for Tertiary Education since 1995: enhance the productivity of research, learning and teaching in UK higher and further education
• Focus is on services, but also undertakes R&D
• Shibboleth used primarily in the academic sector: https://www.aai.dfn.de/links/ and https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
• EDINA provides technical support in the operation of the UK Access Management Federation: approx. 8 million users, 837 member organisations (IdPs and SPs)
Why put effort into federated access control?
• Authentication is the process of verifying that the claims made about a subject attempting to access a resource (e.g. its identity) are true, i.e. authentic
• Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc. data
• The ability for a group of organisations with common objectives, i.e. a federation, to securely exchange authentication information is a powerful SDI enabler
• Example: Article 13 of the INSPIRE Directive: "…Member States may limit public access…" Even more so if it removes some of the barriers to interoperability…

Why put effort into federated access control around OWS?
• Open geospatial interoperability standards underpin SDI
• OGC standards are agnostic about security
• Grand challenge: the lack of a genuinely interoperable security solution is a major barrier in all sectors
• The EU requested that the ESDIN project focus on testing practical, existing solutions
Work to Date: ESDIN Project
• Resourced EDINA to build on in-house access control expertise
• An eContentplus Best Practice Network project; ran from Sept 2008 until end Feb 2011; coordinated by EuroGeographics
• From an AuthN perspective, the main ESDIN use case was key users (e.g. EEA, Eurostat, JRC) accessing INSPIRE Annex I services from different member states
• Key goal: help member states prepare their data for the INSPIRE Annex I themes

EDINA's Role in ESDIN
• Bring experience of standing up operational access management for OGC Web Services
• A point of contact for the European academic sector: help the NMCAs understand the academic sector market, bring academic users
• Report on work done: http://www.esdin.eu/sites/esdin.eu/files/ESDIN%20D11%206%20services%20academic%20sector%20v4%200.pdf

Steps towards...
• Our users (students, lecturers, etc.) getting access to INSPIRE-compliant services for research and for education
• Our UK users getting access to European data, and European academic sector users getting access to UK data
• Development of a European academic SDI
Key Vehicle: PTB Objectives
• To act as a research testbed for collaborative European research in geospatial interoperability
• To aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency, ease of use and extensibility
• To provide an environment for teaching standards and techniques for geospatial interoperability
• To provide a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as the definition, testing, validation and development of open standards

Overall Goal: a virtuous circle between the public sector and the academic sector
• Public sector provides: real-world SDI R&D requirements, resources, data
• Academic sector provides: better-educated graduates; future customers/employees used to using high-quality public sector reference data via geospatial web services; R&D requirements get met
OGC Interoperability Experiments (IEs)
• Key vehicle for taking the work forward
• Simple, low-overhead means for OGC members to get together and advance specific technical objectives within the OGC baseline
• Facilitated by OGC staff
• More lightweight than the OGC Web Services initiatives; focussed on specific interoperability issues
• Effort is voluntary and supported by in-kind contributions from participating member organisations
• Duration normally around 6 months

Authentication IE
• Test standard ways of authenticating between OGC clients and OGC Web Services
• Intended that the following mechanisms would be tested: HTTP Authentication; HTTP cookies; SSL/X.509; SAML; Shibboleth; OpenID; WS-Security
• ESDIN concentrated on: putting together a prototype Shibboleth Access Management Federation comprised mainly of NMCAs; understanding how OWS clients could be modified to be capable of undergoing the Shibboleth interactions
• OGC Engineering Report: OGC 09-092r1
OGC Web Services Shibboleth IE (OSI)
• Started Aug 2010
• Previous work had shown it was possible to protect WMS with Shibboleth so that no modifications are required to the OGC interfaces and none to the Shibboleth download, BUT modifications are required to OWS clients (a non-browser client cannot follow the SP's redirect to the IdP and post the login form back on its own)
• OSI provided the OGC software-producing community with the means and opportunity to modify OWS clients to work with Shibboleth
• Emphasis on desktop OWS client software
• Provide participants with the opportunity to demonstrate their software in action

OSI: How
• Use the test ESDIN Federation to provide OSI participants with services to develop against
• Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile: http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
• Provide some technical support, e.g. with OpenLayers clients conformant with the SAML Web Browser SSO Profile
• Regular telcons
• OSI Technology Integration Experiment event
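The exchange a desktop OWS client has to drive under the SAML ECP profile, as an added example that is not the OSI reference client linked above nor code from the page. It covers the four messages (SP to client, client to IdP, IdP to client, client to SP) and the one check the client must make before handing the assertion back: the AssertionConsumerServiceURL the IdP reports must equal the responseConsumerURL the SP asked for. Everything concrete here is an assumption for the example: the hosts wms.example.org and idp.example.ac.uk, the message IDs and RelayState value, and the sample messages themselves are constructed (a real IdP response also carries a signed saml:Assertion). HTTP transport is left out so the functions can be exercised offline.

```python
"""Client side of the SAML ECP profile for a desktop OWS client (added example,
not the OSI reference client). Transport is omitted: each function takes or
returns the XML of one step. Hosts, URLs, IDs and messages are constructed."""
import xml.etree.ElementTree as ET

S = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"S": S, "paos": PAOS, "ecp": ECP, "samlp": SAMLP, "saml": SAML}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"

# Step 0: added to the ordinary GetMap request; without them the Shibboleth SP
# answers with a browser redirect that a desktop client cannot complete.
ECP_HEADERS = {"Accept": "text/html; application/vnd.paos+xml",
               "PAOS": f'ver="{PAOS}";"{ECP}"'}

def parse_paos_request(xml_text):
    """Step 1, SP -> client: remember where the answer must go back
    (responseConsumerURL), the AuthnRequest to forward, the RelayState to echo."""
    env = ET.fromstring(xml_text)
    paos_req = env.find("S:Header/paos:Request", NS)
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not a PAOS/ECP request")
    return {"response_consumer_url": paos_req.get("responseConsumerURL"),
            "authn_request": authn,
            "relay_state": env.find("S:Header/ecp:RelayState", NS)}

def build_idp_request(authn_request):
    """Step 2, client -> IdP: the AuthnRequest alone in a SOAP body, POSTed to the
    IdP's ECP endpoint with the user's credentials (HTTP Basic in practice)."""
    env = ET.Element(f"{{{S}}}Envelope")
    ET.SubElement(env, f"{{{S}}}Body").append(authn_request)
    return ET.tostring(env, encoding="unicode")

def check_idp_response(xml_text, response_consumer_url):
    """Step 3, IdP -> client. The check that matters: the ACS URL the IdP took
    from the SP's metadata must equal the responseConsumerURL the requester gave,
    otherwise whoever sent the PAOS request is not the SP the assertion is for."""
    env = ET.fromstring(xml_text)
    ecp_resp = env.find("S:Header/ecp:Response", NS)
    saml_resp = env.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        raise ValueError("not an ECP response")
    return ecp_resp.get("AssertionConsumerServiceURL") == response_consumer_url, saml_resp

def build_paos_response(saml_response, relay_state):
    """Step 4, client -> SP: POST to responseConsumerURL as application/vnd.paos+xml;
    the SP sets its session cookie and the client repeats the GetMap with it."""
    env = ET.Element(f"{{{S}}}Envelope")
    hdr = ET.SubElement(env, f"{{{S}}}Header")
    ET.SubElement(hdr, f"{{{PAOS}}}Response",
                  {f"{{{S}}}mustUnderstand": "1", f"{{{S}}}actor": ACTOR})
    if relay_state is not None:
        hdr.append(relay_state)
    ET.SubElement(env, f"{{{S}}}Body").append(saml_response)
    return ET.tostring(env, encoding="unicode")

SOAP_FAULT = (f'<S:Envelope xmlns:S="{S}"><S:Body><S:Fault><faultcode>S:Server</faultcode>'
              '<faultstring>AssertionConsumerServiceURL does not match responseConsumerURL'
              '</faultstring></S:Fault></S:Body></S:Envelope>')

def run_exchange(sp_xml, idp_xml):
    """Steps 1-4. Returns (True, PAOS response for the SP) or (False, fault):
    on a mismatch the client sends the fault and never delivers the assertion."""
    req = parse_paos_request(sp_xml)
    build_idp_request(req["authn_request"])  # would be POSTed to the IdP here
    ok, saml_resp = check_idp_response(idp_xml, req["response_consumer_url"])
    return (True, build_paos_response(saml_resp, req["relay_state"])) if ok else (False, SOAP_FAULT)

# Constructed sample messages for a hypothetical SP wms.example.org.
SP_ACS = "https://wms.example.org/Shibboleth.sso/SAML2/ECP"
SP_PAOS_REQUEST = f"""<S:Envelope xmlns:S="{S}" xmlns:paos="{PAOS}" xmlns:ecp="{ECP}"
    xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <S:Header>
    <paos:Request S:mustUnderstand="1" S:actor="{ACTOR}" service="{ECP}" responseConsumerURL="{SP_ACS}"/>
    <ecp:RelayState S:mustUnderstand="1" S:actor="{ACTOR}">ss:mem:a1b2</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2011-04-18T10:00:00Z"
        AssertionConsumerServiceURL="{SP_ACS}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS">
      <saml:Issuer>https://wms.example.org/shibboleth</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>"""

def idp_response(acs_url):
    """Constructed IdP reply; a real one also carries a signed saml:Assertion."""
    return f"""<S:Envelope xmlns:S="{S}" xmlns:ecp="{ECP}" xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <S:Header>
    <ecp:Response S:mustUnderstand="1" S:actor="{ACTOR}" AssertionConsumerServiceURL="{acs_url}"/>
  </S:Header>
  <S:Body>
    <samlp:Response ID="_resp1" Version="2.0" InResponseTo="_req1" Destination="{acs_url}"
        IssueInstant="2011-04-18T10:00:01Z">
      <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  </S:Body>
</S:Envelope>"""
```

run_exchange(SP_PAOS_REQUEST, idp_response(SP_ACS)) yields the PAOS response to POST back; with an IdP response naming any other ACS URL it yields the SOAP fault instead, which is what keeps a site that merely proxies the PAOS request from collecting the user's assertion. On the server side nothing in the WMS changes: the Shibboleth SP in front of it has to have ECP enabled (the ECP="true" setting on the SSO element of its configuration in SP 2.4 and later) and the IdP has to expose its ECP SOAP endpoint; browser-based clients such as OpenLayers need none of this, since the browser itself carries out the Web Browser SSO Profile and the SP session cookie then accompanies every tile request.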
Technology Integration Experiment Webinar
• Afternoon of Thursday 18th November 2010
• Approx. 30 people attended on the day
• EDINA, Snowflake, Cadcorp, Envitia, con terra and JRC all demonstrated: different clients (desktop, browser, proxy); different services (WMS and WFS); different federations (ESDIN and BKG)

OSI: Outcomes
• Using Shibboleth to protect OWS is practical
• Not particularly difficult on the server side
• Not particularly difficult with browser-based clients
• More subtle with desktop-based clients, but possible with some effort in a short space of time
• This kind of "IE testbed" approach was appreciated by the participating OGC members
• Highly likely that community support and tooling will be available if the decision is made to operationalise
• Draft Engineering Report: OGC 11-019r1
Interoperable Geographic Information for Biosphere Study (IGIBS)
• JISC-funded IGIBS project, 1st April to 31st October 2011
• Partnership between EDINA, Aberystwyth University and the Welsh Assembly Government (WAG)
• Focussed on research and education related to the UNESCO Dyfi Biosphere Reserve
• Allow users to create WMSs to view their data in conjunction with reference data from WAG
• Access control so that students can publish intermediate results, commercial-in-confidence datasets, etc., and WAG can make available a wider range of data
• Better integration between the academic and public sectors
• Opportunity to transfer knowledge and explore (a bit)

Workshop at the INSPIRE Conference in June 2011
• Title: Shibboleth Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment
• Original intention is a re-run of the Nov 2010 "plugfest": more public, slicker
• More member state NMCAs in the ESDIN Federation
• Maybe get more system suppliers to modify their software
• Raise the level of discussion

Consequences
• If this is operationalised, it will be good for the academic sector: more Shibboleth-enabled software/tooling will become available
• Our sector already has the technology in place and the understanding
• Well positioned to negotiate for access to data and services

Editor's Notes

  • #4 Make this generic to show the components of a federation
  • #5 Cannot assume all in audience know about Shibb Mostly in the academic sector Identity protected Millions of users Talk a bit about the ESDIN Federation
  • #6 Not just SDI, many kinds of information infrastructure require access control Typically, authentication is a pre-requisite. Some use cases where you don’t, eg, public Barriers to interoperability include; cost, vendor lock-in, lack of a support community, not standards based, etc Return later to those last points
  • #11 Started out with the intention of building things. Lack of resources = networking organisation
  • #12 Element of knowledge transfer about this project
  • #13 Advantage of working within the processes of a Standards Body
  • #14 ESDIN contributed Shibboleth. No OpenID; WS-Security for catalogue
  • #15 Link back to profiles and IdP led as opposed to SP led flows