May 7, 2013, CEOS WGISS-35 Meeting
GEOSS Authentication and Single Sign-On
Steven F. Browdy, OMS Tech, Inc., IEEE
Background and History
Initial research started during AIP-3
– Motivated by the DSWG Implementation Guidelines of the Data Sharing Principles.
– Is not being viewed as a data access restriction.
– Initially considered OpenID, OAuth, and Shibboleth.
Decided to drop OAuth
– Not concerned at this point with authorization (access control), just authentication.
– DSWG has many examples of data providers that just want to know “who is using my data.”
[Diagram: User, Resources (Data and Services), Authorization, Service Provider’s Site, Authentication Service]
Authentication Service: answers “is this User XYZ?” by verifying the identity.
Authorization: answers “what can User XYZ do?” by checking the identity against stored access constraint rules.
Background and History (continued)
Decided to drop Shibboleth
– Too hard an impact to require of data providers.
– Implementation case studies concluded that Shibboleth took a lot of effort to implement.
No work on this for AIP-4
Picked up again in AIP-5
– Decided to include SAML 2.0 (Security Assertion Markup Language) to exchange user credentials via XML.
  Works with many user management security systems.
  Lightweight implementation requirements.
– Developed use cases to implement in AIP-6.
Main Goals
– Federated solution that has minimal to no impact on the GCI.
– Lightweight implementation requirements for data providers.
– A solution that can evolve.
Current Use Cases
– Registration for Authentication via OpenID
– Organizational user registration for Authentication via SAML2
– Registration as OpenID user for SAML2 Users
– OpenID-Protected Data Access via OpenID Authentication
– SAML2-Protected Data Access via OpenID Authentication
– OpenID-Protected Data Access via SAML2 Authentication
– SAML2-Protected Data Access via SAML2 Authentication
– Registering and Modifying a New Identity or Service Provider for SAML2 Trust Gateway
– Identification as "GEOSS User" During Registration
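Added example, not part of the presentation: for the SAML2-Protected Data Access use cases above, the minimal check a data provider’s site could run on a SAML 2.0 response so that it only answers “is this User XYZ?” (trusted issuer, validity window, audience) and never touches access rules. The sample response, the trusted identity-provider list and the entity IDs are constructed placeholders, and verification of the XML signature is assumed to be done by the SAML library in use before this function runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (signature element omitted), as a data provider's
# site would receive it from an identity provider after the user logs in there.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-05-07T10:00:00Z">
    <saml:Issuer>https://idp.example.org/saml2</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.org</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-05-07T10:00:00Z" NotOnOrAfter="2013-05-07T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://data.example.net/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

TRUSTED_IDPS = {"https://idp.example.org/saml2"}  # hypothetical trust-gateway list
MY_ENTITY_ID = "https://data.example.net/sp"      # hypothetical entity ID of this site

def parse_utc(stamp):  # SAML timestamps look like '2013-05-07T10:05:00Z'
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def who_is_this(response_xml, now, trusted_idps=TRUSTED_IDPS, audience=MY_ENTITY_ID):
    """Return the asserted NameID if the assertion is acceptable, else None: answers
    only 'is this User XYZ?'. Assumes the XML signature was verified upstream."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", SAML)
    if assertion is None:
        return None
    # Accept assertions only from identity providers this site has chosen to trust.
    if assertion.findtext("saml:Issuer", default="", namespaces=SAML).strip() not in trusted_idps:
        return None
    cond = assertion.find("saml:Conditions", SAML)
    if cond is None:
        return None
    # Validity window: reject expired assertions (replays) and not-yet-valid ones.
    if "NotBefore" in cond.attrib and now < parse_utc(cond.attrib["NotBefore"]):
        return None
    if "NotOnOrAfter" in cond.attrib and now >= parse_utc(cond.attrib["NotOnOrAfter"]):
        return None
    # The assertion must have been issued for this site, not for another provider.
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML)]
    if audience not in audiences:
        return None
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=SAML)
```

The returned NameID is all the site needs to record “who is using my data”; deciding what that user may do is the separate authorization step the presentation leaves out of scope.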
Unofficial Tentative Plan
AIP-6 Plans
Implement the use cases to test the federated authentication and single sign-on solution.
Will work with partners that have an interest in establishing the viability of the solution in terms of meeting the goals.
– COBWEB project
– NASA
– CUAHSI
Create demo for GEO Summit in January, 2014.
Generate appropriate documentation.
Some OpenID-Approved Identity Servers
US Government
– Google
– Equifax
– PayPal
– VeriSign
– Verizon
EC
– INSPIRE ???
Q & A