authentication use cases

Post on 04-Feb-2016



Authentication Use Cases

ESDIN Work Package 4 Workshop

IGN Belgium, Brussels,

19th May 2010

What is authentication?

…a mandatory part of access control concerned with establishing that claims made concerning a subject who is attempting to use a particular resource are authentic, ie, true

Two Use Cases:

1. Secure access by desktop client to medium and small scale ESDIN download service

2. Secure access by desktop client to large scale ESDIN download service

Actors

Key ESDIN Users of pan-European Geographical Data, eg, JRC, EEA, EuroStat.

But could be any user where there is a requirement to know who is taking the data

Description

For a wide variety of different reasons, individuals at organizations such as the EEA, JRC or EC need to be able to access secure ESDIN download services on top of pan-European coverage ExM data at medium and small scales. The downloaded data will be accessed via a desktop client and will be either EBM, ERM, EGM or user defined

Trigger

Various, user has need for harmonized pan-European data

Preconditions

1. Harmonised ExM data available at medium and small scales via a basic WFS serving up data with pan-European coverage

2. The user's organisation and the ExM WFS service provider are part of the same access management federation

3. User has access to a desktop client capable of undergoing the Shibboleth/SAML interaction

Postconditions

1. User has been authenticated and authorized

2. Data has been delivered to the user's WFS client application

Normal Flow

1. User's application issues a GetCapabilities request

2. User selects their Identity Provider from a list of IdPs

3. Authenticates

4. GetCapabilities request followed by however many DescribeFeatureType, GetFeature requests and responses as necessary to satisfy user's requirements

Alternative Flows

1. Single Sign On. User has already authenticated at another federation service provider and is not required to authenticate again

Exceptions

1. User not authorised. Authorisation exception

2. Illegal request leading to a service exception

3. Security exception in case of attack

Priority

High, being able to securely exchange identity information to make authorisation decisions is a fundamental pre-requisite of a large number of SDI scenarios

Frequency of use

High

Assumptions

It is assumed that a trust federation comprising the ESDIN partners and cooperating organisations will have been established and is being maintained

Notes and issues

Cross-federation interoperability not assumed but likely to be desirable under several scenarios, eg, the EEA operates its own federation-like partnership, the European Environment Information and Observation Network (EEIONet).
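The Normal Flow and Exceptions above, modelled as the service provider's access decision in front of the WFS. This is an added example, not part of the original slides or any ESDIN code: the class names, IdP entity IDs and entitlement value are hypothetical, and SAML message handling is reduced to a `login` call made once the IdP has authenticated the user.

```python
from dataclasses import dataclass, field

# Constructed sample data: entity IDs and the entitlement URN are assumptions.
FEDERATION_IDPS = {
    "https://idp.nmca-a.example/shibboleth",
    "https://idp.uni-b.example/shibboleth",
}
WFS_OPERATIONS = {"GetCapabilities", "DescribeFeatureType", "GetFeature"}
REQUIRED_ENTITLEMENT = "urn:example:esdin:exm-download"

class ServiceException(Exception): pass        # Exception 2: illegal request
class SecurityException(Exception): pass       # Exception 3: untrusted identity source
class AuthorisationException(Exception): pass  # Exception 1: user not authorised

@dataclass(frozen=True)
class Session:
    idp: str
    subject: str
    entitlements: frozenset

@dataclass
class WfsGate:
    """Hypothetical service-provider gate in front of the ExM WFS."""
    sessions: dict = field(default_factory=dict)  # session cookie -> Session

    def login(self, cookie, idp, subject, entitlements):
        # Normal Flow steps 2-3: accept identity claims only from an IdP
        # that belongs to the same federation as this service (Precondition 2).
        if idp not in FEDERATION_IDPS:
            raise SecurityException(f"IdP outside the federation: {idp}")
        self.sessions[cookie] = Session(idp, subject, frozenset(entitlements))

    def handle(self, cookie, operation):
        if operation not in WFS_OPERATIONS:
            raise ServiceException(f"illegal request: {operation}")
        session = self.sessions.get(cookie)
        if session is None:
            # Step 1 without a session: answer with the list of IdPs to choose from.
            return ("SELECT_IDP", sorted(FEDERATION_IDPS))
        if REQUIRED_ENTITLEMENT not in session.entitlements:
            raise AuthorisationException(f"{session.subject} is not authorised")
        # Step 4: authenticated and authorised, the WFS request goes through.
        return ("OK", operation)
```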

AuthN Interoperability Experiment

• OGC mechanism looking at various alternatives

• Implementing these use cases under WP11

• Two federations created:

– ESDIN NMCAs

– University members of the European Persistent Geospatial Testbed for Research and Education

• Exploring cross-federation scenario where it is agreed universities get access to ExM data

Chris Higgins

chris.higgins@ed.ac.uk
