
Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment



Presentation transcript:

1 Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment
C.I. Higgins, M. Koutroumpas, A. Seales, EDINA National Datacentre, Scotland
A. Matheus, University of the Bundeswehr, Germany
INSPIRE Conference 2010, Kraków, Friday, June 25

2 ESDIN: an eContentplus Best Practice Network project
– Started September 2008, ends March 2011
– Coordinated by EuroGeographics
– Key goal: help member states, candidate countries and EFTA states prepare their data for the INSPIRE Annex I spatial data themes and improve access:
  1. Administrative Boundaries
  2. Cadastral Parcels
  3. Hydrography
  4. Transport Networks
  5. Geographical Names

3 ESDIN project info (www.esdin.eu)
Partners: Interactive Instruments; Bundesamt für Kartographie und Geodäsie; Lantmäteriet; National Technical University of Athens; IGN Belgium; Bundesamt für Eich- und Vermessungswesen; Universität Münster; EDINA, University of Edinburgh; National Agency for Cadastre and Real Estate Publicity, Romania; Helsinki University of Technology; IGN France; Kadaster; Kort & Matrikelstyrelsen; Geodan Software Development & Technology; 1Spatial; The Finnish Geodetic Institute; National Land Survey of Finland; Institute of Geodesy, Cartography and Remote Sensing; Statens kartverk; EuroGeographics

4 EDINA
– A National Data Centre for Tertiary Education since 1995, based at the University of Edinburgh, Scotland
– Our mission: to enhance the productivity of research, learning and teaching in UK higher and further education
– Focus is on service, but we also undertake R&D and turn projects into services
– In ESDIN one of our roles is to represent the interests of the European academic sector, one of the identified target user groups

5 European Persistent Testbed for Research and Teaching (PTB)
Objectives:
– To act as a research test-bed for collaborative European research in geospatial interoperability
– To aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency, ease of use and extensibility
– To provide an environment for teaching standards and techniques for geospatial interoperability
– To provide a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as the definition, testing, validation and development of open standards

6 WP4: Data Access and Licensing Policy
– Business model, pricing, licensing models
– Goal: maximise the use and re-use of reference geodata
– Define a data policy
– Define a policy for Geo Rights Management
– Also cover access issues such as protection of IPR, security, access management, privacy and subscriptions

7 Why put effort into federated access control?
– Authentication is the process of verifying that claims made about a subject attempting to access a resource (e.g. its identity) are true, i.e. authentic
– Frequently, SDI content and service providers need to know who is accessing their valuable, secure or protected data
– The ability for a group of organisations with common objectives, i.e. a federation, to securely exchange authentication information is a powerful SDI enabler
– Even more so if it removes some of the barriers to interoperability…

8 WP11 Interoperability Services, Goals
1. Develop Best Practices for building INSPIRE-compliant content access services (View & Download), focusing on functionalities for:
   – Content transformations: CRS, schema, edge-matching, generalisation
   – Geo Rights Management
   – Authentication
2. Build services to provide access, in INSPIRE-compliant form, at small, medium and large scale

9 Why put effort into federated access control around OGC Web Services?
– Requested by the Commission to focus on testing practical, existing solutions
– Opportunity to build on earlier work undertaken by the same team as is giving this presentation (the JISC-funded SEE-GEO project), which demonstrated Shibboleth access control around WMS
– Key finding of the current work: the solution requires
   – No changes to the OWS interface specifications
   – No changes to the core mainstream Shibboleth

10 Shibboleth
– Internet2 consortium
– Open source package for web Single Sign On across administrative boundaries, based on standards: the Security Assertion Markup Language (SAML)
– Organisations can exchange user information and make security assertions while obeying privacy policies
– Small coordination centre, large federation of organisations (service and identity providers)
– Devolved authentication: maintain and leverage existing user management
– Enables finer-grained authorisation through use of attributes
– Many Shibboleth Access Management Federations across the globe
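The last bullet is where a federation pays off for an SDI: the IdP asserts attributes about the user, the Shibboleth SP in front of the OGC service validates the assertion and exports the released attributes, and the service side decides per request what the user may see. The following is an added example of that decision for a WMS, not code from ESDIN or from the Shibboleth project. It assumes the usual SP deployment, in which mod_shib has already enforced a session and placed the released attributes in the request environment under the ids from attribute-map.xml (multi-valued attributes joined with ';'); the entitlement values, layer names and users are made up.

```python
"""Attribute-based authorisation for a WMS behind a Shibboleth SP (added example).

Assumes the SP has already authenticated the user and exported the released SAML
attributes into the WSGI/CGI environment (e.g. environ["entitlement"], values
joined with ';'). The OWS itself is untouched: this check sits in front of it.
"""
from urllib.parse import parse_qs

# Policy: WMS layer -> entitlement values that grant access; an empty set means the
# layer is public. The URNs are hypothetical; a federation would agree real ones.
LAYER_POLICY = {
    "AdministrativeBoundaries": set(),
    "CadastralParcels": {"urn:mace:esdin.eu:nmca", "urn:mace:esdin.eu:ptb-research"},
    "Hydrography": {"urn:mace:esdin.eu:nmca"},
}

# Constructed sample environments, as the SP would hand them to the application.
SAMPLE_ENV_NMCA = {"REMOTE_USER": "alice@nmca.example", "entitlement": "urn:mace:esdin.eu:nmca"}
SAMPLE_ENV_STUDENT = {"REMOTE_USER": "bob@uni.example", "affiliation": "student@uni.example"}


def attribute_values(environ, attr_id):
    """Values of one SP-exported attribute; empty if the IdP did not release it."""
    return [v for v in environ.get(attr_id, "").split(";") if v]


def wms_params(query_string):
    """WMS parameter names are case-insensitive, so normalise keys to upper case."""
    return {k.upper(): v[0] for k, v in parse_qs(query_string).items()}


def authorize(environ, query_string):
    """Return (allowed, reason). Every requested layer must be granted by policy;
    unknown layers are denied. GetCapabilities passes (filtering the capabilities
    document per user is a separate concern not handled here)."""
    params = wms_params(query_string)
    if params.get("REQUEST", "").lower() == "getcapabilities":
        return True, "capabilities"
    layers = [layer for layer in params.get("LAYERS", "").split(",") if layer]
    if not layers:
        return False, "no LAYERS parameter"
    entitlements = set(attribute_values(environ, "entitlement"))
    for layer in layers:
        if layer not in LAYER_POLICY:
            return False, f"unknown layer {layer}"
        required = LAYER_POLICY[layer]
        if required and not (required & entitlements):
            return False, f"{layer} requires one of {sorted(required)}"
    return True, "ok"
```

The SP's own per-location access rules can protect a whole endpoint, but per-layer decisions inside one WMS URL need a check like this in the application or a thin proxy, which is how the service is protected without changing the OWS interface.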

11 OGC Interoperability Experiments
– Intended as a relatively simple, low-overhead means for OGC members to get together and advance specific technical objectives within the OGC baseline
– Facilitated by OGC staff
– More lightweight than the OGC Web Services initiatives
– Focused on specific interoperability issues
– Effort is viewed as voluntary and supported by in-kind contributions from participating member organisations
– Duration normally around 6 months

12 Authentication IE
– OpenGIS Project Document 09-092r1
– Test standard ways of authentication between OGC clients and OGC Web Services
– Intended that the following mechanisms would be tested:
   – HTTP Authentication
   – HTTP Cookies
   – SSL/X.509, SAML
   – Shibboleth
   – OpenID
   – WS-Security
– Main output: an OGC Engineering Report

13 Status: ESDIN Partners Participation
– ESDIN test federation established
– Cooperating NMCAs so far:
   – KMS (Denmark)
   – Kadaster (Netherlands)
   – Lantmäteriet (Sweden)
   – FÖMI (Hungary)
– 2 clients interoperable:
   – OpenLayers (browser)
   – OpenJUMP (desktop), using the SAML Enhanced Client or Proxy (ECP) profile
– Shibboleth being integrated into the ESDIN client under development by Geodan

14 Status: PTB Participation
– Access Management Phase 2 responses from:
   – EDINA, University of Edinburgh
   – FIUGINET (Finnish Universities Geoinformatics Network) and CSC – IT Center for Science Ltd
   – Technical University of Dresden
   – Centre for Geospatial Science, University of Nottingham
– Pre-conference PTB workshop in association with AGILE 2010 discussing outcomes of the Phase 2 CfP
– Variety of OWS, including Web Processing Services

15 Some results
– Can use a production-strength, standards-based, widely used piece of open source software to share identity information and control access to OGC Web Services
– Shibboleth used out of the box, but ECP support is not currently part of the mainstream Shibboleth IdP
– Not much effort to install Single Sign On
– No changes required to OGC Web Services
– But changes do need to be made to the desktop client
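The client change these results and slide 13 refer to is support for the SAML ECP profile: a browser can follow the SP's redirect to the IdP login page, but a desktop client like OpenJUMP cannot, so it must carry the SAML messages between SP and IdP itself over SOAP. The following is an added, offline simulation of that client-side exchange, not code from ESDIN, OpenJUMP or Shibboleth. The two SOAP envelopes are constructed samples (hostnames, entity IDs and message IDs are made up, and the IdP reply carries no signed assertion); the HTTP transport is left out, and the comments say where each message would be sent.

```python
"""Client side of the SAML 2.0 Enhanced Client or Proxy (ECP) profile, run offline.

Added example; not ESDIN, OpenJUMP or Shibboleth code. Envelopes are constructed
samples with made-up hostnames and IDs; a real IdP response carries a signed
saml:Assertion, which the client never needs to read.
"""
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/", "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"
ACS = "https://wms.nmca.example/Shibboleth.sso/SAML2/ECP"   # assumed SP ECP endpoint

# HTTP headers the desktop client adds to its WMS request so the Shibboleth SP answers with
# a PAOS envelope (below) instead of redirecting to an HTML login page.
PAOS_HTTP_HEADERS = {"Accept": "text/html; application/vnd.paos+xml",
                     "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}

SP_ENVELOPE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}" xmlns:ecp="{NS['ecp']}"
 xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"><S:Header>
<paos:Request S:actor="{ACTOR}" S:mustUnderstand="1" service="{NS['ecp']}" responseConsumerURL="{ACS}"/>
<ecp:Request S:actor="{ACTOR}" S:mustUnderstand="1" ProviderName="ESDIN test WMS">
 <saml:Issuer>https://wms.nmca.example/shibboleth</saml:Issuer></ecp:Request>
<ecp:RelayState S:actor="{ACTOR}" S:mustUnderstand="1">ss:mem:1234</ecp:RelayState>
</S:Header><S:Body>
<samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2010-06-25T10:00:00Z"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" AssertionConsumerServiceURL="{ACS}">
 <saml:Issuer>https://wms.nmca.example/shibboleth</saml:Issuer></samlp:AuthnRequest>
</S:Body></S:Envelope>"""

IDP_ENVELOPE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:ecp="{NS['ecp']}" xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}"><S:Header>
<ecp:Response S:actor="{ACTOR}" S:mustUnderstand="1" AssertionConsumerServiceURL="{ACS}"/>
</S:Header><S:Body>
<samlp:Response ID="_resp1" Version="2.0" IssueInstant="2010-06-25T10:00:01Z" InResponseTo="_req1"
 Destination="{ACS}"><saml:Issuer>https://idp.uni.example/idp/shibboleth</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response></S:Body></S:Envelope>"""

# Same IdP reply, but addressed to a different endpoint than the one that asked the client to
# deliver it: the case the ECP profile requires the client to refuse.
IDP_ENVELOPE_MISMATCH = IDP_ENVELOPE.replace(
    f'AssertionConsumerServiceURL="{ACS}"',
    'AssertionConsumerServiceURL="https://wms.rogue.example/Shibboleth.sso/SAML2/ECP"')


def parse_sp_envelope(xml_text):
    """Step 1: the SP's PAOS reply carries the AuthnRequest, the delivery URL and a RelayState."""
    env = ET.fromstring(xml_text)
    paos_req = env.find("S:Header/paos:Request", NS)
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not an ECP AuthnRequest envelope")
    relay = env.find("S:Header/ecp:RelayState", NS)
    return {"responseConsumerURL": paos_req.get("responseConsumerURL"),
            "relayState": None if relay is None else relay.text, "authnRequest": authn}


def envelope(header_children, body_child):
    """Serialise a SOAP 1.1 envelope with the given header blocks and body element."""
    env = ET.Element(f"{{{NS['S']}}}Envelope")
    ET.SubElement(env, f"{{{NS['S']}}}Header").extend(header_children)
    ET.SubElement(env, f"{{{NS['S']}}}Body").append(body_child)
    return ET.tostring(env, encoding="unicode")


def build_idp_request(sp):
    """Step 2: forward only the AuthnRequest to the IdP's ECP endpoint (SP headers dropped).
    The client authenticates itself to the IdP on this leg, e.g. with HTTP Basic credentials."""
    return envelope([], sp["authnRequest"])


def parse_idp_envelope(xml_text):
    env = ET.fromstring(xml_text)
    ecp_resp = env.find("S:Header/ecp:Response", NS)
    saml_resp = env.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        raise ValueError("not an ECP Response envelope")
    return {"assertionConsumerServiceURL": ecp_resp.get("AssertionConsumerServiceURL"), "response": saml_resp}


def soap_fault(text):
    fault = ET.Element(f"{{{NS['S']}}}Fault")
    ET.SubElement(fault, "faultcode").text = "S:Server"
    ET.SubElement(fault, "faultstring").text = text
    return envelope([], fault)


def build_sp_response(sp, idp):
    """Step 3, the one security decision the client makes: deliver the IdP's response only to
    the endpoint the IdP addressed it to. A mismatch means whoever started the exchange is not
    the SP the IdP issued the response for, so the client sends a fault instead."""
    if idp["assertionConsumerServiceURL"] != sp["responseConsumerURL"]:
        return "fault", soap_fault("responseConsumerURL does not match AssertionConsumerServiceURL")
    headers = []
    if sp["relayState"] is not None:   # echo RelayState unchanged; the ecp:Response header is dropped
        rs = ET.Element(f"{{{NS['ecp']}}}RelayState",
                        {f"{{{NS['S']}}}actor": ACTOR, f"{{{NS['S']}}}mustUnderstand": "1"})
        rs.text = sp["relayState"]
        headers.append(rs)
    return "ok", envelope(headers, idp["response"])


def run_ecp_exchange(sp_xml, idp_xml):
    """Whole client-side flow with the IdP leg represented by a canned envelope.
    Returns (outcome, message for the IdP, message for the SP or a SOAP fault)."""
    sp = parse_sp_envelope(sp_xml)
    to_idp = build_idp_request(sp)            # POST to the IdP's ECP SOAP endpoint
    outcome, to_sp = build_sp_response(sp, parse_idp_envelope(idp_xml))
    return outcome, to_idp, to_sp             # POST to_sp to responseConsumerURL as application/vnd.paos+xml
```

Note what the client does not do: it never inspects or validates the assertion. Signature checking, InResponseTo and audience validation stay with the SP, which is why the service side needs no change beyond an SP that has ECP enabled, while every desktop client has to learn the PAOS framing and the endpoint check above.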

16 What's the significance of all this?
– Access Management Federations (AMF) provide a practical organisational model for operational SDI
– Shibboleth is production strength
– Small centre, big network of organisations
– A fundamental SDI requirement demonstrated
– Additional SDI organisational requirements could be layered on top of the AMF, e.g. governance
– Needs changes to the clients, but not to the services or to Shibboleth
– A potential INSPIRE-compliant approach to establishing operational-strength access control, ensuring that data provided is only available to legitimate government agencies

17 Next steps…
– Show the kind of thing an SSO federation that allows NMCAs to securely grant access to each other's harmonised data enables
– Include a demonstration of PTB universities securely accessing ESDIN data
– Based on outputs, an ESDIN Best Practice document
– Make the client software we have created openly available
– Consider what SAML assertions are necessary to make these kinds of pan-European authorisation decisions
– Consider cross-federation interoperability issues

18 Any questions?
chris.higgins@ed.ac.uk
http://www.esdin.eu

