
1 GEOSS Federated Single Sign-On
Dr. Steven F. Browdy, OMS Tech, Inc., IEEE
September 25, CEOS WGISS-44 Meeting

2 Short Review
Initial GEOSS Architecture Implementation Pilot (AIP) research.
Motivated by the GEO Data Sharing Working Group (DSWG) Implementation Guidelines for the GEOSS Data Sharing Principles.
Focus on OpenID only.
Not concerned at this point with authorization (access control), just authentication: the only question is "who is using my data?"
Believed that this would be the fastest way to realize a GEOSS federation for SSO.

3 Short Review
After initial research, decided to include SAML 2.0 (Security Assertion Markup Language), which exchanges XML assertions about the user (not the user's credentials themselves) between parties.
SAML 2.0 is an open standard that provides a vendor-neutral means of exchanging:
    user identity
    authentication information
    attribute information
    authorization information
SAML 2.0 defines the structure and content of the assertions and protocol messages used to transfer this information between Identity Providers (IdPs) and Service Providers (SPs).
Works with many user management security systems.
Has relatively lightweight requirements.
Still focused on authentication only.

4 GEOSS AIP Study Goals
Goals:
    A federated solution that has minimal to no impact on the GEOSS Common Infrastructure (GCI).
    Lightweight implementation requirements for data providers.
    A solution that can evolve.
Pilot:
    Implemented to determine federated SSO feasibility.
    Focused on SAML 2.0 and OpenID.
    Partnered with the COBWEB project.

5 Provider's Site: Resources, Authentication Service, Authorization Service, User
Resources: the provider's data and services.
Authentication Service: answers "is this User XYZ?" by verifying the identity.
Authorization Service: answers "what can User XYZ do?" by checking the verified identity against stored access constraint rules.

6 Feasibility Study Plan
(diagram; not reproduced in the transcript)

7 Study Plan Primary Use Cases
1. Authenticate via OpenID to access resources at an OpenID site.
2. Authenticate via OpenID to access resources at a SAML-2 site (requires gateway). The gateway accepts Google OpenID and Verisign OpenID.
3. Authenticate via SAML-2 to access resources at a SAML-2 site.
4. Authenticate via SAML-2 to access resources at an OpenID site (requires gateway).
5. Identification as "GEOSS User" during registration.

8 OpenID Gateway Use Case (Verified)
The gateway verifies the user's OpenID and then issues SAML-2 credentials that are trusted in the federation, so a SAML-2 site only has to trust the gateway rather than every OpenID provider.
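The following is an added example, not code from the GEOSS AIP pilot or the COBWEB project. It models the gateway use case on this slide together with the SAML 2.0 assertion content from slide 3 and the "is this User XYZ?" question from slide 5: the gateway wraps an already-verified OpenID identifier in a SAML 2.0 assertion, and a Service Provider at a data provider's site checks issuer, validity window, audience and replay before accepting the subject. The entity IDs, the "geoss:role" attribute name and the timestamps are constructed for the example; the page names none of them. The OpenID verification step itself and XML signature verification are outside what this toy shows, and the SP checks below are only meaningful after the signature has been verified.

```python
"""Toy OpenID-to-SAML-2 trust gateway plus the checks a Service Provider makes.

Added example, not code from the GEOSS AIP pilot or the COBWEB project.
Assumptions (not in the slides): the gateway has already verified the user's
OpenID, the federation trusts the gateway under the entity ID GATEWAY_ISSUER,
and assertions are unsigned in this toy. A real SP must verify the XML
signature against the gateway's metadata before any of the checks below.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

GATEWAY_ISSUER = "https://gateway.example.org/idp"  # assumed gateway entity ID
SP_ENTITY_ID = "https://data.example.org/sp"        # assumed data-provider entity ID
TRUSTED_ISSUERS = {GATEWAY_ISSUER}                  # the federation's trust list
ASSERTION_LIFETIME = timedelta(minutes=5)
CLOCK_SKEW = timedelta(seconds=60)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _q(tag):
    """Namespace-qualify a SAML assertion element name."""
    return "{%s}%s" % (SAML_NS, tag)


def _parse_ts(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def mint_assertion(openid_identifier, audience, now=None):
    """Gateway side: wrap an already-verified OpenID identifier in a SAML 2.0
    assertion addressed to one Service Provider, valid for a short window."""
    now = now or datetime.now(timezone.utc)
    a = ET.Element(_q("Assertion"), {"ID": "_" + uuid.uuid4().hex,
                                     "Version": "2.0",
                                     "IssueInstant": now.strftime(TS_FMT)})
    ET.SubElement(a, _q("Issuer")).text = GATEWAY_ISSUER
    subj = ET.SubElement(a, _q("Subject"))
    ET.SubElement(subj, _q("NameID"), {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}
    ).text = openid_identifier
    cond = ET.SubElement(a, _q("Conditions"), {
        "NotBefore": now.strftime(TS_FMT),
        "NotOnOrAfter": (now + ASSERTION_LIFETIME).strftime(TS_FMT)})
    ET.SubElement(ET.SubElement(cond, _q("AudienceRestriction")),
                  _q("Audience")).text = audience
    authn = ET.SubElement(a, _q("AuthnStatement"), {"AuthnInstant": now.strftime(TS_FMT)})
    ET.SubElement(ET.SubElement(authn, _q("AuthnContext")),
                  _q("AuthnContextClassRef")).text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
    attr = ET.SubElement(ET.SubElement(a, _q("AttributeStatement")),
                         _q("Attribute"), {"Name": "geoss:role"})  # assumed attribute name
    ET.SubElement(attr, _q("AttributeValue")).text = "GEOSS User"
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text, seen_ids, now=None):
    """SP side: decide "is this User XYZ?" from the assertion. Raises ValueError
    on any failed check; returns (subject NameID, attributes). Signature
    verification is not modelled here and must happen before this is called."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    if a.tag != _q("Assertion") or a.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    issuer = a.findtext(_q("Issuer"))
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer %r" % issuer)
    aid = a.get("ID")
    if not aid or aid in seen_ids:
        raise ValueError("missing or replayed assertion ID")
    cond = a.find(_q("Conditions"))
    if cond is None:
        raise ValueError("no Conditions element")
    if now + CLOCK_SKEW < _parse_ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - CLOCK_SKEW >= _parse_ts(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
        raise ValueError("assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(_q("Audience"))]:
        raise ValueError("assertion not addressed to this SP")
    subject = a.findtext(_q("Subject") + "/" + _q("NameID"))
    if not subject:
        raise ValueError("no subject NameID")
    attributes = {attr.get("Name"): [v.text for v in attr.iter(_q("AttributeValue"))]
                  for attr in a.iter(_q("Attribute"))}
    seen_ids.add(aid)  # record for replay detection only after every check passed
    return subject, attributes


def run_demo():
    """Walks the gateway use case and the failure modes an SP must reject."""
    alice = "https://openid.example.net/alice"                   # constructed OpenID
    t0 = datetime(2017, 9, 25, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
    seen = set()
    token = mint_assertion(alice, SP_ENTITY_ID, now=t0)
    results = {"accepted": validate_assertion(token, seen, now=t0)}
    cases = [
        ("replay", token, t0),                                            # same ID twice
        ("expired", mint_assertion(alice, SP_ENTITY_ID, now=t0), t0 + timedelta(minutes=10)),
        ("wrong_audience", mint_assertion(alice, "https://other.example/sp", now=t0), t0),
        ("untrusted_issuer", token.replace(GATEWAY_ISSUER, "https://evil.example/idp"), t0),
    ]
    for name, xml_text, when in cases:
        try:
            validate_assertion(xml_text, seen, now=when)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome)
```

The SP records the assertion ID only after all other checks pass, so a rejected assertion cannot poison the replay cache, and the audience check is what keeps an assertion minted for one data provider from being replayed at another one in the federation.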

9 SAML-2 Gateway Use Case (Unverified)
(diagram: SAML-2 Identity Provider, gateway, GEOSS User)
The gateway verifies the SAML-2 credentials and receives a valid OpenID from the SAML-2 Identity Provider to be used in the federation. This direction was not verified in the pilot.

10 Main Concerns from AIP Study
That data providers will have a difficult time setting things up properly, even though there are guidelines and even though help is available.
That data users will not have the seamless experience they should when accessing unrelated GEOSS resources that require authentication.
Questions as to what is required to successfully implement the unverified use case.
What about additional federations and identity management systems?

11 Current Situation
Some GCI components have tested, and have rolled out or will roll out, support for Google SSO, based on SAML 2.0 and OpenID Connect. OpenID Connect is built on OAuth 2.0 and is a different protocol from the OpenID used by the pilot gateway.
This does not realize a full GEOSS-wide federation for SSO.
Remaining concerns:
    Multiple separate federations will require trust gateways.
    Require the use of SAML 2.0, or allow other standards and solutions to be used?
    Will a centralized authentication mediator be needed to handle the authentication flow and take the burden off data providers and data users?
    Trust between federations: ???

12 Work to be Done
Address the concerns previously mentioned.
More interest in authorization: OAuth 2.0 plus others.
Study the impact by and to legal interoperability.
Work will start in 2018:
    GEOSS API to research and perform a pilot.
    GEOSS SIF to consider standards and interoperability concerns.
    H2020 project participation.
    Outreach to GEO Flagships, GEO Initiatives, and Community Activities.

13 Q & A