WORKSHOP: Shibboleth Federations and Secure SDI: Outcomes and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment Chris Higgins,

Presentation transcript:

WORKSHOP: Shibboleth Federations and Secure SDI: Outcomes and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment
Chris Higgins, IE Manager, EDINA National Datacentre, University of Edinburgh, Scotland
INSPIRE Conference 2011, Monday 27th June

Workshop Agenda
Time / Topic
Introduction
Member States investigating use of Shibb for their NSDIs
Demonstration of software working with the test Federation
Questions and concluding remarks

ESDIN Project
Resourced EDINA's participation in OSI
An eContentplus Best Practice Network project
September 2008 to March 2011
Coordinated by EuroGeographics
Key goal: help member states prepare their data for INSPIRE Annex 1 spatial data themes and improve access
Being taken forward as the European Location Framework

ESDIN project info (
Interactive Instruments
Bundesamt für Kartographie und Geodäsie
Lantmäteriet
National Technical University of Athens
IGN Belgium
Bundesamt für Eich- und Vermessungswesen
Universität Münster
EDINA, University Edinburgh
National Agency for Cadastre and Real Estate Publicity Romania
Helsinki University of Technology
IGN France
Kadaster
Kort & Matrikelstyrelsen
Geodan Software Development & Technology
1Spatial
The Finnish Geodetic Institute
National Land Survey of Finland
Institute of Geodesy, Cartography and Remote Sensing
Statens kartverk
EuroGeographics

EDINA
A National Data Centre for Tertiary Education since 1995
To enhance the productivity of research, learning and teaching in UK higher and further education (mission statement)
Focus is on services but also undertake R&D
Shibboleth used primarily in academic sector
  – EDINA provides technical support in the operation of the UK Access Management Federation
  – Approx 8 million users
  – 837 Member Organisations (IdPs and SPs)

OGC Web Service Shibboleth Interoperability Experiment (OSI)
OGC Interoperability Experiments are:
  – Simple, low overhead, means for OGC members to get together and advance specific technical objectives within the OGC baseline
  – Voluntary
  – Facilitated by OGC staff
OSI Press release inviting participation 31st Aug 2010
Technology Integration Experiment on 18th Nov 2010
Draft version of the Engineering Report (OGC )
  – ER to be completed before September 2011 OGC Technical Committee meeting

So what's the problem?
Many of the most valuable SDI resources are protected
These resources are frequently in different admin domains
  – Example: Article 19 of the INSPIRE Directive …Member States may limit public access…etc, etc.
No widely accepted standard for securing these protected geospatial resources
  – Consequence: lots of point solutions
Major interoperability barrier, e.g., how can a X-Border application consume protected OWS while having to deal with multiple different access control mechanisms?
  – Make everything open? or,
  – Access Management Federations (AMFs)? or, …?

What can AMFs do for us?
Fundamental requirement: information on who is accessing your valuable resource = authentication
An AMF allows secure sharing of authentication information across administrative domains
Members of a federation form a circle of trust and agree to procedures to enable these cross domain interactions
Allows Single Sign On
My X-Border appl can now access a protected resource in country A, be challenged for credentials, I authenticate and get access if authorised. Now I can also access additional federation resources (if authorised) in country A, B, C, …, without needing to reauthenticate

One Way - Shibboleth
Internet2 consortium
Open source package for web Single Sign On across admin boundaries based on standards:
  – Security Assertion Markup Language (SAML)
Organisations can exchange user information and make security assertions by obeying privacy policies
Devolved authentication: maintain and leverage existing user management
Enables finer grained authorisation through use of attributes

[Diagram: Federation, showing Users, Organisations, Identity Providers (IdP), Service Providers (SP) and the Coordinating Centre. Label: "Authenticates here".]

Why put effort into federated access control round OGC Web Services?
Open geospatial interoperability standards underpin SDI
OGC standards agnostic about security
Lack of a genuinely interoperable security solution a major barrier in all sectors
INSPIRE-like, the EU requested that the ESDIN project focus on testing practical existing solutions
  – Integrates with existing identity management systems
  – Possibility of reusing existing member state federations or leveraging expertise

What we set out to do in OSI
Previous work by the same team had shown it was possible to protect WMS with Shibb so that:
  – No mods required to OGC interfaces
  – No mods required to main Shibb download
  – BUT mods required to OWS clients
Provide OGC software producing community with means and opportunity of modifying OWS client software to be able to work with Shibboleth AMFs
Emphasis on desktop OWS client software
Provide participants with the opportunity to demonstrate their software in action.

OSI - How
Use the test ESDIN Federation to provide OSI participants with services to develop against
Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile
Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile
Regular telcons
OSI Technology Integration Experiment event
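
An added example (not from the slides and not the OSI reference implementation) of what "mods required to OWS clients" involves for a desktop client under the SAML ECP Profile: advertising PAOS support, recognising that the SP answered a WMS/WFS request with an authentication challenge rather than data, and checking that the IdP's reply is addressed to the same SP endpoint before forwarding it. The host name, the sample envelopes and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted XML

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"}
PAOS_TYPE = "application/vnd.paos+xml"
# Headers an ECP-aware OWS client adds to its normal GetMap/GetFeature request.
ECP_HEADERS = {"Accept": "*/*, " + PAOS_TYPE,
               "PAOS": 'ver="%s";"%s"' % (NS["paos"], NS["ecp"])}

ACS = "https://wms.sp.example/Shibboleth.sso/SAML2/ECP"  # constructed, hypothetical SP
# Constructed SP challenge, trimmed to the fields this example reads.
SP_CHALLENGE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}">
 <S:Header><paos:Request S:mustUnderstand="1" service="{NS['ecp']}"
   responseConsumerURL="{ACS}"/></S:Header>
 <S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/></S:Body>
</S:Envelope>"""

def idp_reply(acs_url):
    """Constructed IdP SOAP reply naming the ACS the assertion was issued for."""
    return f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:ecp="{NS['ecp']}">
 <S:Header><ecp:Response S:mustUnderstand="1"
   AssertionConsumerServiceURL="{acs_url}"/></S:Header>
 <S:Body><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/></S:Body>
</S:Envelope>"""

def is_paos_challenge(content_type):
    """True when the SP returned an ECP challenge instead of a map or feature response."""
    return content_type.split(";")[0].strip().lower() == PAOS_TYPE

def response_consumer_url(sp_envelope):
    """URL the SP expects the authentication response to be delivered to."""
    req = ET.fromstring(sp_envelope).find("S:Header/paos:Request", NS)
    if req is None:
        raise ValueError("no paos:Request header in SP challenge")
    return req.attrib["responseConsumerURL"]

def acs_for_delivery(sp_envelope, idp_envelope):
    """Return the URL to POST the IdP response to; refuse if SP and IdP disagree."""
    expected = response_consumer_url(sp_envelope)
    resp = ET.fromstring(idp_envelope).find("S:Header/ecp:Response", NS)
    actual = None if resp is None else resp.attrib.get("AssertionConsumerServiceURL")
    if actual != expected:
        # ECP profile: on mismatch the client must not forward the SAML response.
        raise ValueError(f"ACS mismatch: SP asked for {expected!r}, IdP issued for {actual!r}")
    return actual
```

The endpoint comparison is the step that stops an assertion issued for one service provider from being delivered to a different one.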

OSI - Who
36 individuals registered Shibb OGC portal site
EDINA, Snowflake, Cadcorp, Envitia, con terra/ESRI, Joint Research Centre all modified their OWS client software or open source
Federal Agency for Cartography and Geodesy (BKG) contributed another test Shibb federation they have been using for similar purposes

Who modified what
Organisation Name: EDINA (open source), Snowflake, Cadcorp, con terra, JRC (open source), Envitia
Type of Client:
WMS: X X X X X
WFS: X X X X
Desktop: X X X X
Browser: X X
Proxy: X X

Technology Integration Experiment
Webinar
Afternoon of Thurs 18th November, 2010
Approx 30 people turned up on the day
EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC, demonstrated:
  – Different clients (desktop, browser, proxy)
  – Different services (WMS and WFS)
  – Different federations (ESDIN and BKG)

OSI – Outcomes #1
Using Shibboleth to protect OWS is practical
Not particularly difficult on server side
Not particularly difficult with browser based clients
More subtle with desktop based clients but possible with some effort in short space of time; weeks, not months
This kind of IE testbed approach appreciated by participating OGC members
Operationalise and community support and tooling will be available

OSI/ESDIN Outcomes #2 From the European Interoperability Framework for Pan-European eGovernment Services ( Hard

[Diagram: INSPIRE Federation, showing the Coordinating Centre, Identity Providers (IdP) and OWS Providers (WMS, WFS): Member State organisations, eg, NMCAs, and key organisations, eg. EEA, JRC.]

Some options for going forward:
1. One Federation and every legally mandated organisation joins
2. Multiple federations: one in each country and one pan-European.
3. One federation: one organisation in each country, the INSPIRE point of contact joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services.
4. Multiple federations: one in each country and inter-federation interoperability ensures SSO

All material will be available from: Comments, questions, suggestions, etc, on blog very welcome Or
