Shibboleth Access Management Federations as an Organisational Model for SDI C.I.Higgins, M.Koutroumpas, A.Seales, EDINA National Datacentre, Scotland A.Matheus,

Presentation transcript:

Shibboleth Access Management Federations as an Organisational Model for SDI C.I.Higgins, M.Koutroumpas, A.Seales, EDINA National Datacentre, Scotland A.Matheus, University of the Bundeswehr, Germany INSPIRE Conference 2011, Wednesday 29 th June

ESDIN Project
An eContentplus Best Practice Network project
Resourced EDINA to investigate ESDI and Access Control
–Principally using OGC Interoperability Experiments
September 2008 to March 2011
Coordinated by EuroGeographics
Key goal: help member states prepare their data for INSPIRE Annex 1 spatial data themes and improve access
Being taken forward as the European Location Framework

ESDIN project info (
Interactive Instruments
Bundesamt für Kartographie und Geodäsie
Lantmäteriet
National Technical University of Athens
IGN Belgium
Bundesamt für Eich- und Vermessungswesen
Universität Münster
EDINA, University of Edinburgh
National Agency for Cadastre and Real Estate Publicity Romania
Helsinki University of Technology
IGN France
Kadaster
Kort & Matrikelstyrelsen
Geodan Software Development & Technology
1Spatial
The Finnish Geodetic Institute
National Land Survey of Finland
Institute of Geodesy, Cartography and Remote Sensing
Statens kartverk
EuroGeographics

EDINA
A National Data Centre for Tertiary Education since 1995 to enhance the productivity of research, learning and teaching in UK higher and further education (mission statement)
Focus is on services but also undertake R&D
Shibboleth used primarily in academic sector
–EDINA provides technical support in the operation of the UK Access Management Federation
–Approx 8 million users
–837 Member Organisations (IdPs and SPs)

So what's the problem?
Many of the most valuable SDI resources are protected
These resources are frequently in different admin domains
–Example: Article 19 of the INSPIRE Directive …Member States may limit public access…etc, etc.
No widely accepted standard for securing these protected geospatial resources
–Consequence: lots of point solutions
Major interoperability barrier, eg, how can an X-Border application consume protected OWS while having to deal with multiple different access control mechanisms?
–Make everything open? or
–Scale back ambitions? or
–Access Management Federations (AMFs)? or, …?

What can AMFs do for us?
Fundamental requirement: information on who is accessing your valuable resource = authentication
An AMF allows secure sharing of authentication information across administrative domains
The members of the federation form a circle of trust and agree to a set of policies and technologies
Allows Single Sign On
My X-Border application can now access a protected resource in country A, be challenged for credentials, I authenticate and get access if authorised. Now I can also access additional federation resources (if authorised) in country A, B, C, …, without needing to reauthenticate

One Way - Shibboleth
Internet2 consortium
Open source package for web Single Sign On across admin boundaries based on standards:
–Security Assertion Markup Language (SAML)
Organisations can exchange user information and make security assertions by obeying privacy policies
Devolved authentication – maintain and leverage existing user management
Enables finer grained authorisation through use of attributes

[Figure: federation diagram. Coordinating Centre; Federation; Service Providers (SP); Identity Providers (IdP); Users; Organisations. The user authenticates at their own organisation's IdP.]

Twelve required attributes for a solution to securing SDI
Paper submitted to the International Journal of SDI Research to accompany this presentation
Premise is that a concomitant security infrastructure is necessary to realise SDI objectives where protected resources are involved
Table 1 posits:

1. Based on open security interoperability standards
–Security Assertion Markup Language (SAML) from OASIS

2. Works across administrative domains
–Fundamental reason for Access Management Federations

3. Single Sign On
–Basic Use Case for SAML
–Principals authenticate at one web site, access the resource of interest, and are then able to access additional protected resources at other web sites without having to re-authenticate

4. Does not require any changes to the OGC interfaces being protected
–OGC Interoperability Experiments have demonstrated use with a range of familiar industry implementations, eg, GeoServer, MapServer, Snowflake
–No need for SOAP bindings

5. Requires minimal changes to the OGC Web Service clients
–Reference implementation available
–6 organisations through OGC Interoperability Experiment have made changes
–Some products now commercially available
–Browser relatively easy, desktop harder
–Took weeks, not months

6. Proven production strength
–Already in daily use by millions
–Possibly already in your country

7. Satisfies data privacy requirements
–What set of SAML assertions are required for pan-European SDI authorisation decisions?

8. Flexible in order to accommodate a wide variety of different use cases
–Different SAML workflows
  Portal flow
  Service Provider flow
–SAML already used by GI community
  European Space Agency User Management Interfaces for Earth Observation Services
  Where are the interoperability points?

9. Should be an open source reference implementation
–Shibboleth

10. Not geospatial specific and in widespread mainstream IT use
–Leverage broad participation in technology development
–Stay flexible as much as possible
–Maximise potential for interoperability

11. Should, in so far as is possible, be built on information systems already in place
–Huge amount of prior investment in identity management
–Organisations know best how to manage their users
–Many Shibboleth Federations in place already in academic sector across Europe
  A source of expertise, collaboration and potentially extremely valuable interoperability link across sectors

12. Should not be centralised
–No huge databases with users' credentials
–Needs to be decentralised to scale
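The slides on AMFs, Shibboleth SSO (items 3 and 10) and decentralisation (item 12) describe the same mechanism from different angles: a coordinating centre publishes federation metadata, each organisation's IdP authenticates its own users and releases only attributes, and an SP in front of an OGC service accepts signed assertions from any IdP in that metadata without holding any credentials itself. The toy model below, added here as an example and not code from the ESDIN project, EDINA or the Shibboleth software, shows that flow end to end: one login at a home IdP, then access to a WMS in country A and a WFS in country B, followed by the checks an SP must make (issuer in metadata, signature, audience, validity window, one-time use) and an attribute-based authorisation rule. Everything in it is constructed: the entity IDs, users and passwords are made up, HMAC over a JSON body stands in for the XML signature on a real SAML assertion, and eduPersonAffiliation is assumed as the authorisation attribute (the presentation leaves the required attribute set as an open question).

```python
"""Toy Shibboleth-style federation (constructed example, not ESDIN/EDINA/Shibboleth code); HMAC stands in for SAML signatures."""
import hashlib, hmac, json, secrets, time


class Federation:
    """Coordinating centre: metadata naming trusted IdPs (with signing keys) and SPs."""
    def __init__(self): self.idp_keys, self.sp_ids = {}, set()
    def register_idp(self, entity_id, key): self.idp_keys[entity_id] = key
    def register_sp(self, entity_id): self.sp_ids.add(entity_id)


class IdentityProvider:
    """One organisation's IdP: authenticates its own users; credentials never leave it."""
    def __init__(self, entity_id, federation, users):
        self.entity_id, self.federation = entity_id, federation
        self.key = secrets.token_bytes(32)
        self.users = users     # username -> (sha256 hex of password, attribute dict)
        self.sessions = {}     # SSO session token -> username
        federation.register_idp(entity_id, self.key)

    def login(self, username, password):
        """Done once per SSO session; returns a session token or None."""
        rec = self.users.get(username)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if rec is None or not hmac.compare_digest(rec[0], digest):
            return None
        self.sessions[(token := secrets.token_hex(16))] = username
        return token

    def issue_assertion(self, session, audience, now=None):
        """Signed statement for one federation SP: issuer, audience, validity, attributes."""
        username = self.sessions.get(session)
        if username is None or audience not in self.federation.sp_ids:
            return None
        now = time.time() if now is None else now
        body = {"issuer": self.entity_id, "audience": audience, "id": secrets.token_hex(8),
                "not_before": now, "not_on_or_after": now + 300,
                "attrs": self.users[username][1]}    # released attributes only, no password
        payload = json.dumps(body, sort_keys=True).encode()
        return {"payload": payload, "sig": hmac.new(self.key, payload, hashlib.sha256).hexdigest()}


class ServiceProvider:
    """Fronts a protected OGC service: keeps no user database, trusts any federation IdP."""
    def __init__(self, entity_id, federation, service, allowed_affiliations):
        self.entity_id, self.federation, self.service = entity_id, federation, service
        self.allowed, self.seen_ids = set(allowed_affiliations), set()
        federation.register_sp(entity_id)

    def validate(self, assertion, now=None):
        """Return (attributes, 'ok') or (None, reason the assertion was refused)."""
        body = json.loads(assertion["payload"])
        key = self.federation.idp_keys.get(body["issuer"])
        if key is None:
            return None, "issuer not in federation metadata"
        expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None, "bad signature"
        if body["audience"] != self.entity_id:
            return None, "assertion issued for another SP"
        now = time.time() if now is None else now
        if not body["not_before"] <= now < body["not_on_or_after"]:
            return None, "outside validity window"
        if body["id"] in self.seen_ids:           # assertions are one-time use
            return None, "replayed assertion"
        self.seen_ids.add(body["id"])
        return body["attrs"], "ok"

    def access(self, assertion, now=None):
        """Federated authentication, then a local attribute-based authorisation rule."""
        attrs, reason = self.validate(assertion, now)
        if attrs is None:
            return False, reason
        if attrs.get("eduPersonAffiliation") not in self.allowed:   # assumed attribute
            return False, "authenticated but not authorised"
        return True, f"{self.service} access granted"


def demo():
    """One login at the home IdP, then SPs in two countries, plus the refusal cases."""
    fed = Federation()                                # the pan-European circle of trust
    pw = hashlib.sha256(b"correct horse").hexdigest()
    idp_a = IdentityProvider("https://idp.nmca-a.example", fed, {
        "alice": (pw, {"eduPersonAffiliation": "staff"}),
        "bob": (pw, {"eduPersonAffiliation": "student"})})
    wms_a = ServiceProvider("https://wms.nmca-a.example", fed, "WMS", {"staff", "student"})
    wfs_b = ServiceProvider("https://wfs.nmca-b.example", fed, "WFS", {"staff"})
    idp_x = IdentityProvider("https://idp.outsider.example", Federation(),
                             {"mallory": (pw, {"eduPersonAffiliation": "staff"})})
    idp_x.federation.register_sp(wms_a.entity_id)     # outsider knows the SP but is not trusted
    alice, bob = idp_a.login("alice", "correct horse"), idp_a.login("bob", "correct horse")
    a = idp_a.issue_assertion(alice, wms_a.entity_id)
    return {"wms_a": wms_a.access(a),                                # dict literal: evaluated in order
            "replay": wms_a.access(a),
            "wfs_b": wfs_b.access(idp_a.issue_assertion(alice, wfs_b.entity_id)),
            "unauthorised": wfs_b.access(idp_a.issue_assertion(bob, wfs_b.entity_id)),
            "wrong_audience": wfs_b.access(idp_a.issue_assertion(alice, wms_a.entity_id)),
            "tampered": wms_a.access(dict(a, payload=a["payload"].replace(b'"staff"', b'"admin"'))),
            "expired": wms_a.access(idp_a.issue_assertion(alice, wms_a.entity_id, now=0), now=1000),
            "outsider": wms_a.access(idp_x.issue_assertion(
                idp_x.login("mallory", "correct horse"), wms_a.entity_id))}
```

Running `demo()` shows alice authenticating once at her home IdP and then being admitted to both the WMS and the WFS, while the SPs never see her password; bob is authenticated but refused by the WFS on his affiliation, which is the "finer grained authorisation through attributes" point. The refusal cases are the checks a real SP configuration performs against federation metadata and the assertion itself: an IdP absent from the metadata is not trusted however valid its signature is in its own federation, and an assertion is bound to one SP, one validity window and one use.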

From the European Interoperability Framework for Pan-European eGovernment Services ( Hard

[Figure: INSPIRE Federation diagram. Coordinating Centre; IdPs and OWS Providers (WMS, WFS) at Member State organisations, eg, NMCAs; key organisations, eg, EEA, JRC.]

Some options for going forward:
1. One Federation and every legally mandated organisation joins
2. Multiple federations: one in each country and one pan-European
3. One federation: one organisation in each country, the INSPIRE point of contact, joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services
4. Multiple federations: one in each country and inter-federation interoperability ensures SSO

All material will be available from:
Comments, questions, suggestions, etc, on blog very welcome
Or