1. Secure access to spatial data for academia – the UK experience Workshop, Authentication, Authorization and Accounting for Data and Services in EU Public Administrations, KU Leuven, 17 th March, 2014 Chris Higgins, chris.higgins@ed.ac.uk

2. EDINA Jisc-designated centre of expertise and online services since 1995 –based at the University of Edinburgh Jisc: champions the use of digital technologies in UK education and research EDINA’s mission... …develop and deliver shared services and infrastructure for research and education. focus is on service but also undertake r&D –turn projects  services substantial experience in handling geospatial data

3. UKAMF UK Access Management Federation (UKAMF) –Approx. 8 million users –Approx. 400 entities (Identity Providers (IdPs) and Service Providers (SPs)) –Operated by EDINA and Jisc –Largest academic federation in the world Mostly Shibboleth: an open source implementation of SAML but some non-Shibb SAML entities Agnostic about AuthZ, at discretion of SPs. A framework for exchanging access management information – see rules of membership –SP entirely responsible for management of access rights to its services

4. Related geospatial projects DateFunderProject Name 2006-2008JiscSEcurE access to GEOspatial services (SEE-GEO) 2008-2011EUEuropean Spatial Data Infrastructure Network (ESDIN) 2010-2011DSTLStudy on Access Control to Geographic Information (SACGI) 2011JiscInteroperable Geographic Information for Biosphere Study (IGIBS) 2012-2016EUCitizen Observatory Web (COBWEB)

5. ESDIN Resourced EDINA to build on in-house access control expertise An eContentplus Best Practice Network project Ran from Sept 2008 until end Feb 2011 Coordinated by EuroGeographics From AuthN perspective, the main ESDIN Use Case was Key Users, eg, EEA, EuroStat, JRC, accessing INSPIRE Annex 1 services from different member states Key goal: help member states prepare their data for INSPIRE Annex 1 themes

6. OGC Interoperability Experiments (IE’s) Key vehicle for taking the work forward Simple, low overhead, means for OGC members to get together and advance specific technical objectives within the OGC baseline Facilitated by OGC staff More lightweight than the OGC Web Services initiatives Focussed on specific interoperability issues Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations Duration normally around 6 months

7. OGC Web Services Shibboleth IE (OSI) Started Aug 2010 Previous work had shown it was possible to protect WMS with Shibb so that: –No mods required to OGC interface –No mods required to Shibb download –BUT mods required to OWS clients OSI provided the OGC software producing community with means and opportunity of modifying OWS clients to work with Shibb Emphasis on desktop OWS client software Provide participants with the opportunity to demonstrate their software in action.

8. OSI - How Use the test ESDIN Federation to provide OSI participants with services to develop against Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile –http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Clienthttp://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client Provide some technical support, eg, with OpenLayers clients conformant with the Web Browser SSO Profile Regular telcons OSI Technology Integration Experiment event

9. OSI/ESDIN – Some outcomes Using Shibboleth to protect OWS is practical Not particularly difficult on server side or with browser based clients More subtle with desktop based clients but possible with some effort in short space of time This kind of “IE testbed” approach appreciated by participating OGC members Highly likely community support and tooling will be available if decision made to operationalise

10. Some references OGC Engineering Report (OGC 11-019r2) –https://portal.opengeospatial.org/files/?artifact_id=47852https://portal.opengeospatial.org/files/?artifact_id=47852 IJSDIR paper. Shibboleth Access Management Federations as an Organisational Model for SDI –http://ijsdir.jrc.ec.europa.eu/index.php/ijsdir/article/view/245/324http://ijsdir.jrc.ec.europa.eu/index.php/ijsdir/article/view/245/324 Workshop at INSPIRE 2011. Shibb Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment –http://igibs.blogs.edina.ac.uk/inspire2011/http://igibs.blogs.edina.ac.uk/inspire2011/

11. Citizen Observatory Web 4 year FP7 funded research project Crowdsourced environmental data to aid decision making Introduce quality measures and reduce uncertainty Combine crowdsourced data with existing sources of data

12. A GEOSS Project Global Earth Observation System of Systems “Data collected should be made available through the GEOSS without any restrictions” But, we must address “questions of privacy…” Some kinds of protected data that may be encountered during the project: –Personal information, eg, name, email address –Location protected species –Reference data from European National Mapping and Cadastral Agencies –Conflated data

13. GEOSS Architecture Implementation Pilots (AIP) One of the means by which GEOSS addresses interoperability issues and GEOSS Common Infrastructure extension work Led by the OGC All contributions are in-kind Phased approach In AIP-6 we piloted the use of access management federations

14. Service Provider (SP) Identity Provider (IdP) Discovery Service (DS) “GEOSS user” Single- Sign-On Trust Gateway (TG) to OpenID Google OpenId COBWEB/GEOSS AIP-6 Federation NASA Ames Secure Dimensions CUAHSI* Catapult University of Edinburgh Kst. GDI.DE *: Consortium of Universities for the Advancement of Hydrologic Science EarthServer (FP7) project MEEO