HMA Identity Management Status HMA AWG Meeting, 30 September 2009 Y. Coene, SPACEBEL S. Gianfranceschi, Intecs P. Denis, SPACEBEL Slide 1

Overview Specification Conformance tests Implementations Deployments 2 Slide 2 2

Specification OGC 07-118 version 0.0.4, 30/06/2009 OGC 07-118 draft version 0.0.5 (28/09/09) being prepared: Adding ATS prepared in HMA-T (Intecs, Terradue) Adding authorisation with XACML Adding WSDL files with WS-policy More consistent terminology (independent from DAIL, HMA etc.) Fixing errors Resolving issue with non-standard <Assertion> tag. User attributes (minimal profile) as example in annex.

Specification Issues solved in current draft 0.0.5: Remaining issues: MRE-001, MRE-008, MRE-014, MRE-016, MRE-017. Remaining issues: See RIDs on HMA Forum by con terra and EUMETSAT with additional use cases not originally foreseen Examples: MRE-002: Scenario with multiple "Federating Entities" MRE-009: Clients known on beforehand and limited number. Consolidating use of geoXACML

Overview Specification Conformance tests Implementations Slide 5 5

Conformance Tests (1) Common ATS for OGC 07-118 version 0.0.3 delivered in July (Terradue, Intecs). Two different ETS delivered Harmonization started beginning of September ATS for version 0.0.4 war produced by Intecs and reviewed by Terradue Merge of libraries from Intecs and Terradue ETS (merge of the work done by Intecs and Terradue) Some issues related to non standard tags have been discussed. A new version of the spec is going to be delivered. The ATS does not have to be changed.

Conformance Tests CTL scripts being finalised for OGC 07-118 version 0.0.5 in HMA-T. Expected to be available on http://montgomery.esrin.esa.int by 09/10/2009.

Overview Specification Conformance tests Implementations Authentication Service Authorisation Service (Policy Enforcement Point) Slide 8 8

Authentication Service Open-source Available on http://wiki.services.eoportal.org/tiki- index.php?page=HMA+Authentication+Service

Authentication Service Static architecture: Java Naming package to authenticate the given user in the LDAP user registry and to retrieve his attributes, OpenSAML package to build the SAML token from user attributes, Apache XML Security package to sign and encrypt the SAML token, Java Security package to retrieve private and public keys from the keystore, used in signature and encryption steps.

Authentication Service Sequence diagram successful authentication

Authentication Service Configurable Which user attributes from LDAP to be included in SAML assertions using which name (configuration file) Independent of "minimal profile" Associated documents: Software Requirements Document Architectural Design Document Acceptance Test Plan Installation procedure (part of software package).

Authorization service (PEP) Open-source It will be available on the SSE Toolbox

Application Security Layer Toolbox Architecture WS-Policy WS-Security Layer SOAP layer Application layer XACML Policy Application Security Layer Service Gateway Operation Operation Asynchronous Operation Synchronous Operation Asynchronous Operation Synchronous Operation

Toolbox Security Architecture Axis2 as basic SOAP engine Axis2 module Rampart (Apache Software Foundation) for WS-Security layer: its behaviour has been extended to cover the HMAT security requirements (HMAT- SRD-1200-INT_1.1) ToolboxSecurityWrapper: Axis2 service with link to the Policy Enforcement Point (PEP, Application Security Layer) and Toolbox Application Layer Axis2 ToolboxPEP ToolboxSecurityWrapper (Axis2 service) SOAP XACML Policies Service Description RAMPART 4HMAT Toolbox Application Layer WS-Policy

Toolbox Security Architecture: Main Activities Allocation Security Layer 1 2 Check encrypted SAML existence, decrypt it. WS-Security signed-encrypted SOAP request 3 Enforce enterprise policies Toolbox Serve request (Application layer) 4 5 Fault Soap response verify SAML token Decrypted SAML, SOAP request/action 6 Get SAML assertion Identity Provider Client ToolboxPEP XACML Policies RAMPART 4HMAT WS-Policy Slide 16

Toolbox Security Wrapper: Service Description Axis2 Responsabilities: deploys ToolboxSecurityWrapper into Axis2, holds the list of the wrapped services to be secured, for each wrapped service, holds the WS-Security policy, Its artifact is the service.xml file of the Axis2 ToolboxSecurity deployment located at: ToolboxSecurityWrapper (Axis2 service) RAMPART 4HMAT Service Description Service Configuration WS-Policy <TOMCAT_ROOT>/webapps/Axis2/Web-INF/services/ToolboxSecurityWrapper/META-INF/services.xml

Toolbox Security Architecture: ToolboxPEP ToolboxPEP: invoked by the ToolboxSecurityWrapper when WS-Security check is successful; enforces XACML policies check XACML policies are stored in dedicated XML files Each policy owns information about the wrapped service and (optionally) SOAP action for which the policy applies Owns a list of policy rules; each rule can refer SAML token and/or SOAP (body) attributes values. ToolboxPEP XACML Policies

XACML example for EO EbRim profile (1/3) The target wrapped service for which this policy applies: wrs (Web Registry Service)

XACML example for EOLI (2/3) If an owned condition evaluates to true than the effect of the rule is “deny” The target of this rule: commercial client SAML attribute reference Condition about the collection

XACML example for EO EbRim profile (3/3) SOAP action for registry update

Next Steps Planning: Authentication Service software (as per 0.0.4): available already. 09/10/2009: OGC 07-118 version 0.0.5 09/10/2009: Authentication Service software 0.0.5 09/10/2009: CTL scripts version 0.0.5 25/10/2009: SSE Toolbox including Authorisation Service Software (Policy Enforcement Point)