Practical Approaches to Web Services Authentication
72nd OGC Technical Committee, Frascati, Italy
Fiona Culloch, March 9, 2010
Sponsored and hosted by ESA/ESRIN

Federated Authentication
(Screenshots of the browser flow)

User Selects Identity Provider

Enters Credentials at IdP

Logged in to Service Provider

Browser-Based Federation
Mature implementations:
–Open-source: Shibboleth, SimpleSAMLphp, …
–Commercial: OpenAthens, Sun, Novell, …
Policy infrastructure:
–Many national federations

But… it doesn't work for non-browser clients!

Why Not?
The protocols (the SAML web browser SSO profile) require:
–HTTP redirection
–Cookies
–SSL/TLS
–User input (usernames, passwords, etc.)
–(X)HTML processing
Web service clients may not support any of these (OGC Authentication IE client survey), which makes IdP discovery and interaction impossible for them.

One Solution
Identified by the UK JISC-funded EDINA project SEE-GEO (2006–08):
–Initiated and led by the EDINA geospatial team
–With input from: AM Consult (Andreas Matheus); UK federation (JISC/EDINA SDSS project); Shibboleth Core Team (Chad La Joie)

Concept
Separate:
–The client flow (XML over HTTP)
–From the browser authentication flow (HTML, SAML over HTTP)
In the client flow:
–The URI must contain a valid token
–The token is validated by the browser authentication flow

Authenticating Proxy (“Façade”)
(Diagram: Client <--XML--> Façade <--> OWS)

Façade Has Two Faces
(Diagram: Client <--XML--> Façade <--> OWS; Browser <--SAML, HTML--> Façade, where the façade's browser face is a SAML SP)

Façade Separates Authentication from Application
–Façade side: SAML, federation, X.509, authentication policy, …; sys. admin. and auth. policy (someone else's problem!)
–OWS side: OWS, WMS, WFS, …; application design and OGC standards (your problem)
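The façade concept in the three slides above, as an added example that is not SEE-GEO or WSTIERIA code: a minimal token table serving both faces of the façade, in Python. The slides do not specify how the token travels or is managed, so the following are assumptions made for the example: the token is a `token` query parameter on the OWS request URI, it is issued once the façade's SAML SP face has authenticated the browser user, it has a fixed lifetime, and it is stripped before the request is forwarded to the OWS. The hostnames in the usage call are hypothetical.

```python
"""Façade token handling (added example, not SEE-GEO/WSTIERIA code).

Browser face: issue_token() / revoke_token() run behind the SAML SP.
Client face:  authorize_client_request() runs on every XML-over-HTTP request.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "token"           # assumed query-parameter name
TOKEN_TTL_SECONDS = 8 * 3600    # assumed token lifetime

# token -> (subject, expiry). In memory here; a real façade would use a store
# shared by the browser-facing and client-facing processes.
_tokens = {}


def issue_token(subject, now=None):
    """Browser face: called once the façade's SAML SP holds a valid assertion
    for `subject`. Returns the opaque token the user puts into the client's
    service URI."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable
    _tokens[token] = (subject, now + TOKEN_TTL_SECONDS)
    return token


def revoke_token(token):
    """Browser face: logout, or an administrator pulling a leaked token."""
    return _tokens.pop(token, None) is not None


def _subject_for(token, now):
    # Compare against every stored token in constant time instead of doing a
    # dict lookup, so response timing cannot confirm token prefixes.
    for stored, (subject, expiry) in list(_tokens.items()):
        if hmac.compare_digest(stored.encode(), token.encode()):
            if now >= expiry:
                del _tokens[stored]      # lazy expiry
                return None
            return subject
    return None


def authorize_client_request(request_uri, now=None):
    """Client face: validate the token carried in the OWS request URI.

    Returns (subject, upstream_uri); upstream_uri has the token removed so the
    OWS behind the façade never sees it (and cannot leak it in logs or error
    responses). Raises PermissionError when the request must be rejected."""
    now = time.time() if now is None else now
    parts = urlsplit(request_uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    presented = query.pop(TOKEN_PARAM, [])
    if len(presented) != 1:
        raise PermissionError("request must carry exactly one token")
    subject = _subject_for(presented[0], now)
    if subject is None:
        raise PermissionError("invalid or expired token")
    upstream = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    return subject, upstream


if __name__ == "__main__":
    tok = issue_token("alice@example.ac.uk")
    uri = "https://facade.example.org/wms?SERVICE=WMS&REQUEST=GetCapabilities&token=" + tok
    print(authorize_client_request(uri))
```

Because the token sits in the URI, it will appear in the client's logs and in any intermediate proxy's logs, which is why the example keeps the lifetime short, supports revocation, and never forwards the token to the OWS; the client face should only ever be reachable over TLS.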

SEE-GEO Work Being Taken Forward
In the OGC (1H 2010):
–Authentication Interoperability Experiment: interoperability testing; investigate the best choice of SAML protocols and bindings
At EDINA:
–JISC-funded project WSTIERIA (2010): generalise from OWS to any web service; abstract from SAML protocols and bindings to the Shibboleth concept of a “protected service”

Meanwhile, Elsewhere…
The Shibboleth Core Team and the University of Chicago have developed:
–A Shibboleth extension for web services, based on the SAML 2.0 Enhanced Client or Proxy (ECP) profile
–Client libraries (for Java, …)
–Supports N-tier use cases!
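The ECP flow mentioned above, as an added example that is not the Shibboleth/University of Chicago library: the client side of the exchange in Python. The two SOAP envelopes are constructed for the example (the SP's PAOS request and the IdP's ECP response) with hypothetical hostnames and message IDs; the namespaces, header names and attribute names are those of the SAML 2.0 ECP profile and the PAOS binding. The check in `idp_response_to_sp` is the one the profile requires of the client: the IdP's `AssertionConsumerServiceURL` must equal the SP's `responseConsumerURL`, otherwise the client must not forward the response.

```python
"""SAML 2.0 ECP client side (added example, not Shibboleth code)."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Step 1: headers the client sends on its initial GET so the SP answers with a
# PAOS SOAP envelope instead of an HTTP redirect to the IdP.
ECP_REQUEST_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";'
            '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Constructed SP response (hypothetical hostnames/IDs), trimmed to what matters.
SP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org/shibboleth</saml:Issuer>
    </ecp:Request>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_abc123" Version="2.0" IssueInstant="2010-03-09T10:00:00Z"/>
  </S:Body>
</S:Envelope>"""

# Constructed IdP response (the SAML Response body is elided to its envelope).
IDP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
  </S:Header>
  <S:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_def456" Version="2.0" IssueInstant="2010-03-09T10:00:01Z" InResponseTo="_abc123"/>
  </S:Body>
</S:Envelope>"""


def _rewrap_body(root):
    """Return a fresh SOAP envelope containing only the original Body."""
    env = ET.Element("{%s}Envelope" % NS["soap"])
    env.append(root.find("soap:Body", NS))
    return ET.tostring(env, encoding="unicode")


def sp_to_idp_envelope(sp_envelope_xml):
    """Step 2: drop the PAOS/ECP headers (they are for the client, not the
    IdP), keep the AuthnRequest body, and remember where the SP wants the
    answer delivered."""
    root = ET.fromstring(sp_envelope_xml)
    paos_req = root.find("soap:Header/paos:Request", NS)
    if paos_req is None or paos_req.get("service") != NS["ecp"]:
        raise ValueError("not a PAOS/ECP request")
    return paos_req.get("responseConsumerURL"), _rewrap_body(root)


def idp_response_to_sp(idp_envelope_xml, response_consumer_url):
    """Step 4: the client MUST compare the IdP's AssertionConsumerServiceURL
    with the SP's responseConsumerURL and refuse to forward on mismatch;
    otherwise an IdP could have a response delivered to a different SP.
    Returns (url_to_post_to, envelope) for the final POST to the SP."""
    root = ET.fromstring(idp_envelope_xml)
    ecp_resp = root.find("soap:Header/ecp:Response", NS)
    acs = ecp_resp.get("AssertionConsumerServiceURL") if ecp_resp is not None else None
    if acs != response_consumer_url:
        # The profile has the client send a SOAP fault to the SP here.
        raise ValueError("AssertionConsumerServiceURL %r != responseConsumerURL %r"
                         % (acs, response_consumer_url))
    return acs, _rewrap_body(root)
```

The two SOAP hops replace the browser redirects, cookies and HTML of the browser profile, which is why this route needs a client library and SAML 2.0 support at both the SP and the IdP.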

So Why Bother With the Façade?
–No client library required
–SAML 2.x / Shibboleth 2.x not required (as of December 2009, only ~20% of UK federation IdPs supported SAML 2.0)
–Few or zero client modifications required
WSTIERIA is taking both approaches forward

Call to Action
Any volunteer clients? Contact us!