Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication methods: Shibboleth UKLII: Data Publishing Working Group, Welsh Assembly Government, Cardiff. 28 th March 2011

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Authentication methods: Shibboleth UKLII: Data Publishing Working Group, Welsh Assembly Government, Cardiff. 28 th March 2011"— Presentation transcript:

1 Authentication methods: Shibboleth UKLII: Data Publishing Working Group, Welsh Assembly Government, Cardiff. 28 th March 2011 chris.higgins@ed.ac.uk

2 Synopsis What is Shibboleth? How does it work? Shibb and OGC Web Services Work done to date What are the implications? –or why do we think this important Some things that could happen next…

3 Shibboleth Internet2 consortium Open source package for web Single Sign On across admin boundaries based on standards: –Security Assertion Markup Language (SAML)‏ Organisations can exchange user information and make security assertions by obeying privacy policies Devolved authentication – maintain and leverage existing user management Enables finer grained authorisation through use of attributes Small coordination centre, large federation of organisations (service and identity providers) Many Shibboleth Access Management Federations: –https://www.aai.dfn.de/links/https://www.aai.dfn.de/links/ –https://spaces.internet2.edu/display/SHIB/ShibbolethFederationshttps://spaces.internet2.edu/display/SHIB/ShibbolethFederations

4 UK Access Management Federation Managed by JISC Collections (previously JANET) and EDINA –Federation Operator: JISC Collections –Technical and Operational Support: EDINA 840 Member Organisations (IdPs and SPs) Approximately 8 million users Cost of running is not insignificant

5 SP IdP SP Coordinating Centre Federation Service Providers Identity Providers Users Organisations IdP SP Key Roles within an Access Management Federation

6 Basic SAML Concepts From the SAML Technical Overview ( http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf ) http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf

7 From the SAML Technical Overview (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf Service Provider Initiated Single Sign On

8 From the SAML Technical Overview (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf Identity Provider Initiated Single Sign On

9 Example Shibboleth Login Procedures http://www.switch.ch/aai/demo/medium.html

10 Why put effort into federated access control? Authentication is the process of verifying that claims made concerning a subject, eg, identity, who is attempting to access a resource are true, ie, authentic Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc, data The ability for a group of organisations with common objectives, ie, a federation, to securely exchange authentication information is a powerful SDI enabler Article 19 of the INSPIRE Directive ”…Member States may limit public access…etc, etc”. Even more so if removing some of the barriers to interoperability…

11 Why put effort into federated access control round OWS? Open geospatial interoperability standards underpin SDI OGC Standards agnostic about security Grand challenge: lack of a genuinely interoperable security solution a major barrier to all sectors EU requested that ESDIN project focus on testing practical existing solutions Prior work by same team (JISC funded SEE-GEO project) –Demonstrated Shibb Access Control around WMS –No changes to the OWS interface specification –No changes to the core mainstream Shibboleth

12 Work to Date: ESDIN Project Resourced EDINA to build on in-house access control expertise An eContentplus Best Practice Network project Ran from Sept 2008 until end Feb 2011 Coordinated by EuroGeographics From AuthN perspective, the main ESDIN Use Case was Key Users, eg, EEA, EuroStat, JRC, accessing INSPIRE Annex 1 services from different member states Key goal: help member states prepare their data for INSPIRE Annex 1 themes

13 ESDIN – Mostly NMCA’s Interactive Instruments Bundesamt für Kartographie und Geodäsie Bundesamt für Kartographie und Geodäsie Lantmäteriet National Technical University of Athens National Technical University of Athens IGN Belgium Bundesamt für Eich- und Vermessungswesen Bundesamt für Eich- und Vermessungswesen Universität Münster EDINA, University Edinburgh National Agency for Cadastre and Real Estate Publicity Romania National Agency for Cadastre and Real Estate Publicity Romania Helsinki University of Technology IGN France Kadaster Kort & Matrikelstyrelsen Geodan Software Development & Technology Geodan Software Development & Technology 1Spatial The Finnish Geodetic Institute National Land Survey of Finland Institute of Geodesy, Cartography and Remote Sensing Institute of Geodesy, Cartography and Remote Sensing Statens kartverk EuroGeographics

14 OGC Interoperability Experiments (IE’s) Key vehicle for taking the work forward Simple, low overhead, means for OGC members to get together and advance specific technical objectives within the OGC baseline Facilitated by OGC staff More lightweight than the OGC Web Services initiatives Focussed on specific interoperability issues Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations Duration normally around 6 months

15 Authentication IE Test standard ways of authentication between OGC clients and OGC Web Services Intended that the following mechanisms would be tested: HTTP Authentication; HTTP Cookies; SSL/X509; SAML; Shibboleth; OpenID; WS-Security ESDIN concentrated on: –Putting together a prototype Shibboleth Access Management Federation comprised mainly of NMCA’s –Understanding how OWS clients could be modified to be capable of undergoing the Shibboleth interactions OGC Engineering Report: Doc 09-092r1

16 OGC Web Services Shibboleth IE (OSI) Started Aug 2010 Previous work had shown it was possible to protect WMS with Shibb so that: –No mods required to OGC the interface –No mods required to Shibb download –BUT mods required to OWS clients OSI provided the OGC software producing community with means and opportunity of modifying OWS clients to work with Shibb Emphasis on desktop OWS client software Provide participants with the opportunity to demonstrate their software in action.

17 OSI - How Use the test ESDIN Federation to provide OSI participants with services to develop against Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile –http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Clienthttp://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile Regular telcons OSI Technology Integration Experiment event

18 OSI - Who 31 individuals registered Shibb OGC portal site EDINA, Snowflake, Cadcorp, Envitia, con terra/ESRI, Joint Research Centre all modified their OWS client software or open source Federal Agency for Cartography and Geodesy (BKG) contributed another test Shibb federation they have been using for similar purposes Recently started EU funded BRISEIDE project –http://www.briseide.eu/http://www.briseide.eu/

19 Technology Integration Experiment Webinar Afternoon of Thurs 18 th November Approx 30 people turned up on the day EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC all demonstrated: –Different clients (desktop, browser, proxy) –Different services (WMS and WFS) –Different federations (ESDIN and BKG)

20 OSI - Outcomes Using Shibboleth to protect OWS is practical Not particularly difficult on server side Not particularly difficult with browser based clients More subtle with desktop based clients but possible with some effort in short space of time This kind of “IE testbed” approach appreciated by participating OGC members Highly likely community support and tooling will be available if decision made to operationalise Draft Engineering Report (OGC 11-019r1)

21 Related Outcomes – Germany Betriebsmodell GDI-DE" (Operating model for SDI Germany) Technical feasibility (authentication/authorisation) –Securing OWS using SAML via Shibb, XACML and geoXACML –AuthN using German Identity Card and connection to eID i/f Organisational requirements –Which SAML attributes for the Federation –Who is responsible for what –Costs Business Processes –Admitting/Excluding IdP/SP’s from the Federation –Roles and Processes in operation a WAYF Extending their Test Federation –Additional SP’s serving real restricted data, eg, cadastral parcels via OWS –Not just geospatial data –Additional IdP’s (including one that supports eID) –Establishing a WAYF Investigating additional Use Cases: Gov2Bus; Gov2Gov and Gov2Citz Results and Demo at InterGEO in Sept and at OGC TC later this year Why don’t we collaborate more? Inter-Federation?

22 Related Outcomes – Sweden Swedish NSDI Shibboleth project initiated Exact objectives still being formulated but likely to include: –Feasibility of replacing existing system with Shibboleth –Feasibility of devolving AuthN. Centralised at the moment –Issues relating to administering a Federation –Investigation of collaborative opportunities with other NMCA’s. Something like the “Nordic Initiative” in respect of GeoNetwork

23 Where Next?

24 An INSPIRE Federation? 1. One federation and every legally mandated organisation joins 2. Multiple federations: one in each country and one pan-European 3. One federation: one organisation in each country, the INSPIRE point of contact joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services

25 IdP OWS Providers Member State organisations, eg, INSPIRE Points of Contact IdP WMS Key organisations, eg. EEA, JRC WMS WFS An INSPIRE Federation? Coordinating Centre

26 Workshop at INSPIRE Conference in June Title: Shibboleth Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment Original intention is a re-run of the Nov 2010 “plugfest” More public, slicker More member state NMCA’s in ESDIN Federation Maybe get more system suppliers to modify their software Up the level of discussion IOC Task Force Involvement?

27 Interoperable Geographic Information for Biosphere Study JISC funded IGIBS project from Apr 1 st to 31 st Oct 2011 Partnership between EDINA, Aberystwyth University and Welsh Assembly Government (WAG) Focussed on Research and Education related to the UNESCO Dyfi Biosphere Reserve Allow users to create WMS’s to view data in conjunction with reference data from WAG Access control so: –Students can publish intermediary results, or commercial in confidence datasets, etc. –WAG can make available a wider range of data Better integration between academic and public sector Opportunity to transfer knowledge and explore (a bit)

28 Lots of open questions How do e-commerce solutions bolt onto this architecture? Whats the best way of approaching inter-federation interoperability? Whats best practice in respect of interoperability with different member states identity management systems? Similarly, pan-European identity management systems? Whats best practice in terms of AuthZ infrastructures? How do the processes and roles involved in governing an access management federation map to those required for SDI governance? How may the more advanced service chaining patterns be realised where some or all of the services in the chain are protected?

29 B. Lawrence, http://www.osdm.gov.au/SBF201011_Lawrence.pdf?ID=1072

30 Dimensions of Interoperability From the European Interoperability Framework for Pan-European eGovernment Services (http://ec.europa.eu/idabc/servlets/Docb0db.pdf?id=31597)http://ec.europa.eu/idabc/servlets/Docb0db.pdf?id=31597

31

32 Comparison between OpenID and Shibb From EDINA “Review of OpenID”, 2007

Download ppt "Authentication methods: Shibboleth UKLII: Data Publishing Working Group, Welsh Assembly Government, Cardiff. 28 th March 2011"

Similar presentations

Introduction to the COBWEB project Fri 24th Nov, 2012, GEO-IX Plenary, Foz do Iguaçu, Brazil. Chris Higgins, Project Coordinator, EDINA National Data Centre,

Introduction to the COBWEB project Fri 24th Nov, 2012, GEO-IX Plenary, Foz do Iguaçu, Brazil. Chris Higgins, Project Coordinator, EDINA National Data Centre,
WORKSHOP: Shibboleth Federations and Secure SDI: Outcomes and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment Chris Higgins,

WORKSHOP: Shibboleth Federations and Secure SDI: Outcomes and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment Chris Higgins,
PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.

PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.

Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.
Report on main ESDIN PTB related activities AGILE 2010 Pre-conference Workshop, European Persistent Geospatial Testbed for Research and Education (PTB),

Report on main ESDIN PTB related activities AGILE 2010 Pre-conference Workshop, European Persistent Geospatial Testbed for Research and Education (PTB),
Shibboleth Access Management Federations as an Organisational Model for SDI C.I.Higgins, M.Koutroumpas, A.Seales, EDINA National Datacentre, Scotland A.Matheus,

Shibboleth Access Management Federations as an Organisational Model for SDI C.I.Higgins, M.Koutroumpas, A.Seales, EDINA National Datacentre, Scotland A.Matheus,
Spatial Data e-Infrastructure UK e-Science ALL HANDS MEETING 2008 8-11 September, Edinburgh, UK Higgins, C., Koutroumpas, M., Sinnott, R.O., Watt, J.,

Spatial Data e-Infrastructure UK e-Science ALL HANDS MEETING September, Edinburgh, UK Higgins, C., Koutroumpas, M., Sinnott, R.O., Watt, J.,
Where next…. Stakeholder workshop, 29 Jan 2003. To the end of the project.

Where next…. Stakeholder workshop, 29 Jan To the end of the project.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
02-Oct-2008 European Forum for GeoStatistics 2008 in Bled Concept for an Integrated Web Solution / an Infrastructure for Geostatistics (Subproject 3)

02-Oct-2008 European Forum for GeoStatistics 2008 in Bled Concept for an Integrated Web Solution / an Infrastructure for Geostatistics (Subproject 3)
Spatial Data Infrastructure: Concepts and Components Geog 458: Map Sources and Errors March 6, 2006.

Spatial Data Infrastructure: Concepts and Components Geog 458: Map Sources and Errors March 6, 2006.
Secure access to spatial data for academia – the UK experience Workshop, Authentication, Authorization and Accounting for Data and Services in EU Public.

Secure access to spatial data for academia – the UK experience Workshop, Authentication, Authorization and Accounting for Data and Services in EU Public.
Geospatial Standards – Experiences for the UK Academic Community Workshop on Grid Middleware and Geospatial Standards for Earth System Science Data, National.

Geospatial Standards – Experiences for the UK Academic Community Workshop on Grid Middleware and Geospatial Standards for Earth System Science Data, National.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Copyright JNT Association 20051Optional www.ukfederation.org.uk Copyright JNT Association 2007 1 Joining the UK Access Management Federation 4th April.

Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
OGC Interoperability Experiments & Authentication Association GI Laboratories Europe (AGILE) pre-conference work shop. Testbed research: Testing Geospatial.

OGC Interoperability Experiments & Authentication Association GI Laboratories Europe (AGILE) pre-conference work shop. Testbed research: Testing Geospatial.
® Practical Approaches to Web Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010 Sponsored and hosted by.

® Practical Approaches to Web Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010 Sponsored and hosted by.
Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment C.I.Higgins, M.Koutroumpas,

Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment C.I.Higgins, M.Koutroumpas,

Similar presentations

Ads by Google