Technical break-out group

What are the biggest issues from past projects?
– need for education about standards and technologies to get everyone on the same page
– agreed to use SAML as the base standard; also need to agree on specific profiles, e.g. ECP (enhanced client or proxy, for desktop clients), web single sign-on (for browser applications), …
– also need to identify the limitations of the chosen profiles in the testbed

Approach:
– start by developing an internal testbed with a mini-federation of 3 partners
– several iterations
– explain the testbed to other interested parties (e.g. IGN France)

How can other parties join?
– set up a testing copy of production services in order to experiment with the testbed environment
Testbed: authentication

Recommendation: use the same configuration as in the COBWEB project and AIP-6.
SSO: Browser and ECP profiles.
HTTP Artifact binding (because the POST binding cannot be used by OpenLayers, for example). Implications:
– an additional port in the firewall, typically 8443 (with different certificates for signing and encryption), or
– an additional IP address in the same domain, or
– all messages need to be signed if the HTTPS port (443) is used
– metadata needs to be refreshed if a certificate expires

Coordination centre (CC):
– checks / validates an organisation's (SP or IdP) metadata when it requests to join the federation
– handles the federation metadata
– sets up contracts between the CC and the SPs/IdPs
– OS tools, e.g. Shibboleth, for verifying metadata for compliance, re-signing etc.
– defines rules that work for all products used in the federation

Automation of metadata refreshment:
– done automatically by Shibboleth
– manual in OpenAM: add something on top to enable automatic refreshing
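As an added example (not from the meeting notes, COBWEB, AIP-6 or any of the named products), a minimal check a coordination centre could run over an SP's metadata for the artifact-binding options listed above: an artifact endpoint on port 443 must come with signed requests, and an endpoint on an extra port must come with separate signing and encryption certificates. The sample metadata, entity ID and certificate placeholders are constructed, and AuthnRequestsSigned="true" is taken as the metadata-level expression of "all messages signed".

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

def check_sp_metadata(xml_text):
    """Return a list of rule violations; an empty list means the SP may join."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element"]
    issues = []
    # Collect the certificates declared per key use; a KeyDescriptor without
    # a 'use' attribute counts for both signing and encryption.
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs.setdefault(use, set()).add("".join(cert.split()))
    artifact_acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
                    if a.get("Binding") == ARTIFACT]
    if not artifact_acs:
        issues.append("no AssertionConsumerService with HTTP-Artifact binding")
    signs_requests = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    for acs in artifact_acs:
        port = urlparse(acs.get("Location", "")).port or 443
        # Option 'HTTPS port 443': only acceptable when all messages are signed.
        if port == 443 and not signs_requests:
            issues.append("artifact endpoint on port 443 but AuthnRequestsSigned is not true")
        # Option 'extra port (e.g. 8443)': needs distinct signing/encryption certificates.
        if port != 443 and certs.get("signing") == certs.get("encryption"):
            issues.append(f"artifact endpoint on port {port} needs distinct signing and encryption certificates")
    return issues

# Constructed sample (hypothetical SP): artifact binding on 8443 with separate certificates.
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">
 <md:SPSSODescriptor AuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
   Location="https://sp.example.org:8443/Shibboleth.sso/SAML2/Artifact"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
```

Certificate expiry (the "metadata needs refresh" point) is not covered here; that needs an X.509 parser on the decoded certificate bytes.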
Testbed: authorisation

Why do we need to agree on a standard?
– to inform others about your policies; only candidate: (Geo)XACML (supported by partners in DE and by OpenAM)
– to exchange attributes and values:
  – STORK: person's names, age, … (good definitions); don't reinvent the wheel
  – eduGAIN Policy Framework Attribute Profile: 5 core attributes plus possible extensions
  – PVP attribute profile: might be useful for application-specific roles
  – proposed extension to the SAML attribute query profile by the inter-federation working group
  – BE/Flanders: SSO domains based on "target group"
– organisations are important: need for a register of governmental organisations
– values of controlled vocabularies need to be clearly defined (in all EU languages)
– need to distinguish between natural persons (representing themselves) and natural persons representing a legal person
– NOT necessarily needed for the actual authorisation (enforcing the policy); other means can be used for this (but also XACML)

Architectural approaches:
– separate module (Apache) to do enforcement in combination with a standard OGC web service (recommended for simple policies)
– integrate authorisation directly into the OGC web service (recommended for complex policies, which cannot be fulfilled by re-writing the query)