Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment C.I.Higgins, M.Koutroumpas, A.Seales, EDINA National Datacentre, Scotland A.Matheus, University of the Bundeswehr, Germany INSPIRE Conference 2010, Kraków, Friday, June 25


DESCRIPTION

Presentation given by Chris Higgins at the annual Infrastructure for Spatial Information in Europe (INSPIRE) Conference, Kraków, Poland, 22 June 2010.

TRANSCRIPT

Page 1: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment

C.I. Higgins, M. Koutroumpas, A. Seales, EDINA National Datacentre, Scotland

A.Matheus, University of the Bundeswehr, Germany

INSPIRE Conference 2010, Kraków, Friday, June 25

Page 2: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

• An eContentplus Best Practice Network project

• Started September 2008. Ends March 2011

• Coordinated by EuroGeographics

• Key goal: help member states, candidate countries and EFTA States prepare their data for INSPIRE Annex 1 spatial data themes and improve access:

1. Administrative Boundaries

2. Cadastral Parcels

3. Hydrography

4. Transport Networks

5. Geographical Names

Page 3: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

ESDIN project info (www.esdin.eu)

Interactive Instruments

Bundesamt für Kartographie und Geodäsie

Lantmäteriet

National Technical University of Athens

IGN Belgium

Bundesamt für Eich- und Vermessungswesen

Universität Münster

EDINA, University Edinburgh

National Agency for Cadastre and Real Estate Publicity Romania

Helsinki University of Technology

IGN France

Kadaster

Kort & Matrikelstyrelsen

Geodan Software Development & Technology

1Spatial

The Finnish Geodetic Institute

National Land Survey of Finland

Institute of Geodesy, Cartography and Remote Sensing

Statens kartverk

EuroGeographics

Page 4: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

EDINA

• A National Data Centre for Tertiary Education since 1995 – based at the University of Edinburgh, Scotland

• Our mission: to enhance the productivity of research, learning and teaching in UK higher and further education

• Focus is on service, but we also undertake R&D – turning projects into services

• In ESDIN one of our roles is to represent the interests of the European academic sector – one of the identified target user groups

Page 5: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

European Persistent Testbed for Research and Teaching (PTB) Objectives:

• To act as a research test-bed for collaborative European research in geospatial interoperability

• To aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency and ease of use and extensibility

• To provide an environment for teaching standards and techniques for geospatial interoperability

• To provide a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as definition, testing, validation and development of open standards

Page 6: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

WP4: Data Access and Licensing Policy

Business model, pricing, licensing models

• Goal: maximise the use and re-use of reference geodata

• Define a data policy

• Define a policy for Geo Rights Management

• Also cover access issues such as: protection of IPR, security, access management, privacy, subscriptions.

Page 7: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Why put effort into federated access control?

• Authentication is the process of verifying that the claims made about a subject attempting to access a resource (e.g., its identity) are true, i.e., authentic

• Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data

• The ability for a group of organisations with common objectives, i.e., a federation, to securely exchange authentication information is a powerful SDI enabler

• Even more so if removing some of the barriers to interoperability…

Page 8: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

WP 11 Interoperability Services, Goals

1. Develop Best Practices for building

• INSPIRE-compliant content access services

- View & Download

• … focusing on functionalities for

- Content transformations: CRS, Schema, Edge-matching, Generalisation

- Geo Rights Management

- Authentication

2. Build services to provide access, in INSPIRE-compliant form:

• Small scale / medium scale / large scale

Page 9: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Why put effort into federated access control round OGC Web Services?

• Requested by the Commission to focus on testing practical existing solutions

• Opportunity to build on earlier work undertaken by the same team giving this presentation (JISC-funded SEE-GEO project)

– Demonstrated Shibboleth Access Control around WMS

• Key findings of the current work; the solution required:

– No changes to the OWS interface specifications

– No changes to the core mainstream Shibboleth

Page 10: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Shibboleth

• Internet2 consortium

• Open source package for web Single Sign On across administrative boundaries, based on standards:

– Security Assertion Markup Language (SAML)

• Organisations can exchange user information and make security assertions by obeying privacy policies

• Small coordination centre, large federation of organisations (service and identity providers)

• Devolved authentication – maintain and leverage existing user management

• Enables finer grained authorisation through use of attributes

• Many Shibboleth Access Management Federations across the globe
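The slide's point that attributes enable finer-grained authorisation (and the later question of which SAML assertions a pan-European decision needs) is easiest to see in the code that runs behind the Shibboleth Service Provider. The following is an added illustration, not ESDIN or Shibboleth code: it assumes the SP has already authenticated the user and passes the released attributes to the protected WMS as request headers named after the attribute-map ids (`affiliation`, `entitlement`, `eppn`) plus `Shib-Session-ID`, a convention of the Shibboleth SP but treated here as an assumption. The layer policy, the trusted scopes and the entitlement URN are constructed for the example; the scope check shows why a scoped value such as `member@kadaster.nl` is only as trustworthy as the federation's list of who may assert that scope.

```python
"""Attribute-based access decision for an OGC Web Service (here a WMS) that sits
behind a Shibboleth Service Provider (SP). Added illustration, not ESDIN code.

Assumptions: the SP has already authenticated the user and hands the released
SAML attributes to the protected application as request headers. The header
names follow the Shibboleth SP convention (the ids from attribute-map.xml, plus
Shib-Session-ID), but no real deployment's names are copied here. Policy,
scopes and entitlement URN are constructed for the example.
"""
from urllib.parse import parse_qs, urlsplit

# Per-layer policy: a layer is granted if the user holds ANY listed affiliation
# value OR ANY listed entitlement value. Layers not listed are denied (default deny).
LAYER_POLICY = {
    "AdministrativeBoundaries": {"affiliation": {"member"}},
    "Hydrography": {"affiliation": {"member", "staff", "student"}},
    "CadastralParcels": {"entitlement": {"urn:mace:esdin.eu:nmca-staff"}},  # hypothetical URN
}

# Scopes (IdP domains) the federation allows to assert scoped affiliations (constructed).
TRUSTED_SCOPES = {"kms.dk", "kadaster.nl", "lantmateriet.se", "ed.ac.uk"}


def attributes_from_headers(headers):
    """Collect SP-exported attributes as {name: set(values)}.
    Shibboleth SP joins multi-valued attributes with ';'."""
    return {name: {v for v in headers.get(name, "").split(";") if v}
            for name in ("affiliation", "entitlement", "eppn")}


def trusted_unscoped(values, trusted_scopes):
    """Reduce scoped values such as 'member@kadaster.nl' to 'member', keeping only
    those whose scope is trusted. A value without a scope is dropped: an IdP must
    not be able to claim an affiliation for a domain it does not own."""
    kept = set()
    for value in values:
        if "@" in value:
            unscoped, scope = value.rsplit("@", 1)
            if scope.lower() in trusted_scopes:
                kept.add(unscoped)
    return kept


def authorise(ows_url, headers):
    """Return (allowed, reason) for one OWS request given the SP-exported headers."""
    query = {k.upper(): v[0] for k, v in parse_qs(urlsplit(ows_url).query).items()}
    if query.get("REQUEST", "").lower() == "getcapabilities":
        return True, "GetCapabilities is public"
    if not headers.get("Shib-Session-ID"):
        return False, "no Shibboleth session"
    attrs = attributes_from_headers(headers)
    affiliations = trusted_unscoped(attrs["affiliation"], TRUSTED_SCOPES)
    entitlements = attrs["entitlement"]
    layers = [layer for layer in query.get("LAYERS", "").split(",") if layer]
    if not layers:
        return False, "no layers requested"
    for layer in layers:
        rule = LAYER_POLICY.get(layer)
        if rule is None:
            return False, f"layer {layer!r} not in policy (default deny)"
        if not (affiliations & rule.get("affiliation", set())
                or entitlements & rule.get("entitlement", set())):
            return False, f"required attribute missing for {layer!r}"
    return True, "all requested layers permitted"


if __name__ == "__main__":
    demo_headers = {"Shib-Session-ID": "_5f3c", "affiliation": "member@kadaster.nl"}  # constructed
    print(authorise("https://wms.example.org/ows?SERVICE=WMS&REQUEST=GetMap"
                    "&LAYERS=AdministrativeBoundaries", demo_headers))
```

Two points a practitioner would want in mind when deploying something like this: the SP's own attribute-filter policy already performs scope checking against federation metadata, so the check above is defence in depth rather than the only line; and the application may only trust these headers if the SP module strips any client-supplied copies of them, which is the case when the SP runs in the same web server but must be verified when a proxy sits in between.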

Page 11: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

OGC Interoperability Experiments

• Intended as a relatively simple, low overhead, means for OGC members to get together and advance specific technical objectives within the OGC baseline

• Facilitated by OGC staff

• More lightweight than the OGC Web Services initiatives

• Focussed on specific interoperability issues

• Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations

• Duration normally around 6 months

Page 12: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Authentication IE

• OpenGIS Project Document 09-092r1

• Test standard ways of authentication between OGC clients and OGC Web Services

• Intended that the following mechanisms would be tested:

– HTTP Authentication

– HTTP Cookies

– SSL/X509, SAML

– Shibboleth

– OpenID

– WS-Security

• Main output an OGC Engineering Report

Page 13: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Status: ESDIN Partners Participation

• ESDIN test federation established

• Cooperating NMCAs so far:

– KMS (Denmark)

– Kadaster (Netherlands)

– Lantmäteriet (Sweden)

– FÖMI (Hungary)

• 2 clients interoperable:

– OpenLayers (browser)

– OpenJump, SAML Enhanced Client or Proxy profile (desktop)

• Shibboleth being integrated into the ESDIN client under development by GeoDan

Page 14: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Status: PTB Participation

• Access Management Phase 2 responses from:

– EDINA, University of Edinburgh

– FIUGINET (Finnish Universities Geoinformatics Network) and CSC — IT Center for Science Ltd

– Technical University of Dresden

– Centre for Geospatial Science, University of Nottingham

• Pre-conference PTB workshop in association with AGILE 2010 discussing outcomes of the phase 2 CfP

• Variety of OWS, including Web Processing Services

Page 15: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Some results

• Can use a production strength, standards based, widely used piece of open source software to share identity information and control access to OGC Web Services

• Shibboleth used out of the box, but ECP not currently part of the mainstream Shibboleth IdP

• Not much effort to install

• Single Sign On

• No changes required to OGC Web Services

• But changes do need to be made to the desktop client
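The reason the desktop client needs changes while the services do not is the SAML Enhanced Client or Proxy (ECP) profile that the OpenJump client used: a browser is bounced through redirects, but a desktop client has to carry the SAML messages between SP and IdP itself. The walk-through below is an added educational example, not the OpenJump or ESDIN client code. The SP and IdP are in-process stubs and Python dicts stand in for the SOAP/PAOS envelopes; the element and header names (`PAOS`, `paos:Request`, `responseConsumerURL`, `ecp:Request`, `ecp:Response`, `AssertionConsumerServiceURL`) are those of the ECP profile, but the HMAC replacing the XML signature, the hostnames, the user and the key are all constructed. It shows the one check that is specific to ECP and easy to forget: before delivering the assertion, the client must confirm that the URL the SP asked it to deliver to equals the URL the IdP found for that SP in federation metadata.

```python
"""SAML 2.0 Enhanced Client or Proxy (ECP) exchange between a desktop OWS client,
a Shibboleth-style Service Provider (SP) and an Identity Provider (IdP).
Added educational example, not the OpenJump/ESDIN client code. SP and IdP are
in-process stubs; dicts stand in for the SOAP/PAOS envelopes (keys use the real
element names), an HMAC stands in for XML-DSig, hostnames/users are constructed."""
import hmac
import json
import secrets

PAOS_ACCEPT = "text/html; application/vnd.paos+xml"
PAOS_HEADER = 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'


def sign(key, payload):
    """Stand-in for the XML signature over a SAML Response."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), "sha256").hexdigest()


class IdentityProvider:
    def __init__(self, entity_id, key, users, sp_metadata):
        self.entity_id, self.key, self.users = entity_id, key, users
        self.sp_metadata = sp_metadata  # SP entityID -> ACS URL, from federation metadata

    def sso(self, envelope, username, password):
        """SOAP SingleSignOnService endpoint: HTTP Basic credentials plus AuthnRequest."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("bad credentials")
        req = envelope["samlp:AuthnRequest"]
        # The ACS URL comes from metadata, never from the request or the client.
        acs = self.sp_metadata[req["Issuer"]]
        response = {"InResponseTo": req["ID"], "Issuer": self.entity_id, "Destination": acs,
                    "Assertion": {"NameID": username, "affiliation": f"member@{self.entity_id}"}}
        response["Signature"] = sign(self.key, response)
        return {"ecp:Response": {"AssertionConsumerServiceURL": acs}, "samlp:Response": response}


class ServiceProvider:
    def __init__(self, entity_id, acs_url, idp_keys):
        self.entity_id, self.acs_url, self.idp_keys = entity_id, acs_url, idp_keys
        self.pending, self.sessions = {}, {}

    def get(self, path, headers, cookies):
        """Protected resource. An ECP client gets a PAOS AuthnRequest instead of a login page."""
        user = self.sessions.get(cookies.get("_shibsession"))
        if user:
            return 200, {"body": f"{path} for {user}"}
        if headers.get("PAOS") != PAOS_HEADER:
            return 302, {"Location": "https://wms.example.org/Shibboleth.sso/Login"}  # browser path
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = path
        return 200, {"paos:Request": {"responseConsumerURL": self.acs_url},
                     "ecp:Request": {"IssuerName": self.entity_id, "IDPList": list(self.idp_keys)},
                     "samlp:AuthnRequest": {"ID": req_id, "Issuer": self.entity_id}}

    def consume(self, envelope):
        """responseConsumerURL endpoint: validate the Response, mint a session cookie."""
        if "soap:Fault" in envelope:
            return 400, {"error": envelope["soap:Fault"]}
        resp = dict(envelope["samlp:Response"])
        sig = resp.pop("Signature", "")
        key = self.idp_keys.get(resp["Issuer"])
        if key is None or not hmac.compare_digest(sign(key, resp), sig):
            return 400, {"error": "untrusted or unsigned response"}
        if resp["Destination"] != self.acs_url or resp["InResponseTo"] not in self.pending:
            return 400, {"error": "response not for this SP or unknown request"}
        del self.pending[resp["InResponseTo"]]  # one-shot: the same Response cannot be replayed
        sid = secrets.token_hex(16)
        self.sessions[sid] = resp["Assertion"]["NameID"]
        return 200, {"Set-Cookie": {"_shibsession": sid}}


class EcpClient:
    def __init__(self, idp, username, password):
        self.idp, self.username, self.password, self.cookies = idp, username, password, {}

    def fetch(self, sp, path):
        headers = {"Accept": PAOS_ACCEPT, "PAOS": PAOS_HEADER}
        status, env = sp.get(path, headers, self.cookies)  # step 1: announce ECP support
        if "samlp:AuthnRequest" not in env:
            return status, env                              # already had a session
        rc_url = env["paos:Request"]["responseConsumerURL"]
        # Step 2: relay the AuthnRequest to the IdP (SOAP binding, HTTP Basic auth).
        idp_env = self.idp.sso({"samlp:AuthnRequest": env["samlp:AuthnRequest"]},
                               self.username, self.password)
        # Step 3: ECP-specific check. The URL the IdP found in metadata must equal the
        # URL the SP asked us to deliver to; otherwise the assertion must not be delivered.
        acs = idp_env["ecp:Response"]["AssertionConsumerServiceURL"]
        if acs != rc_url:
            sp.consume({"soap:Fault": "responseConsumerURL does not match AssertionConsumerServiceURL"})
            raise ValueError(f"ECP URL mismatch: SP said {rc_url}, IdP metadata says {acs}")
        # Step 4: deliver the signed Response to the SP and keep the session cookie.
        status, reply = sp.consume({"paos:Response": {}, "samlp:Response": idp_env["samlp:Response"]})
        if status != 200:
            raise ValueError(reply["error"])
        self.cookies.update(reply["Set-Cookie"])
        return sp.get(path, headers, self.cookies)           # step 5: original request succeeds


def demo(mismatched_sp=False):
    """Run the exchange. With mismatched_sp=True the SP presents a responseConsumerURL
    that differs from its federation metadata, and the client must refuse."""
    key = b"idp-signing-key"  # constructed
    good_acs = "https://wms.example.org/Shibboleth.sso/SAML2/ECP"
    idp = IdentityProvider("idp.kadaster.nl", key, {"alice": "pw"}, {"https://wms.example.org/sp": good_acs})
    acs = "https://other.example.org/collect" if mismatched_sp else good_acs
    sp = ServiceProvider("https://wms.example.org/sp", acs, {"idp.kadaster.nl": key})
    client = EcpClient(idp, "alice", "pw")
    return client.fetch(sp, "/ows?SERVICE=WMS&REQUEST=GetMap&LAYERS=AdministrativeBoundaries")


if __name__ == "__main__":
    print(demo())
```

The stub IdP issues an unencrypted assertion containing the user's attributes; in a real federation the client would also have to handle SOAP faults from the IdP and encrypted assertions, and the SP checks the assertion's validity window and audience as well. What does not change between the stub and a real deployment is the division of labour the slide describes: the service behind the SP and the IdP are unmodified, and all the new logic sits in the client.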

Page 16: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

What's the significance of all this?

• Access Management Federations (AMF) provide a practical organisational model for operational SDI

• Shibboleth is production strength

• Small centre, big network of organisations

• A fundamental SDI requirement demonstrated

• Additional SDI organisational requirements could be layered on top of the AMF, e.g., governance

• Needs changes to the clients, but not the services or Shibboleth

• Potential INSPIRE compliant approach for establishing operational strength access control to ensure data provided is only available to legitimate government agencies!

Page 17: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Next steps…

• Show the kind of thing a SSO federation that allows NMCAs to securely grant access to each other's harmonised data enables

• Include a demonstration of PTB universities securely accessing ESDIN data

• Based on outputs, an ESDIN Best Practice document

• Make the client software we have created openly available

• Consider what SAML assertions are necessary to make these kinds of pan-European authorisation decisions

• Consider cross-federation interoperability issues

Page 18: Shibboleth Access Management Federations and Secure SDI: ESDIN Experience

Any questions?

[email protected]

http://www.esdin.eu