This document summarizes a webinar about an interoperability experiment (IE) testing the integration of Shibboleth single sign-on and OGC web services. The IE involved several organizations demonstrating that their OGC client software could access protected WMS and WFS through a Shibboleth federation. The goal was to show clients from different organizations successfully authenticating and accessing map and feature services across administrative boundaries without changes to OGC specifications or Shibboleth. The webinar demonstrated examples of desktop and browser-based clients accessing services after single sign-on.
OGC Web Services Shibboleth Interoperability Experiment
1. OGC Web Services Shibboleth
Interoperability Experiment (OSI)
Chris Higgins, IE Manager,
EDINA National Datacentre, Scotland
Webinar,
Thursday, Nov 18, 2010
2. OGC Web Services Shibboleth Interoperability
Experiment
Some housekeeping
• Audio separate from webinar. Phone in on:
+1 512 225 3050 Participant Code: 55699#
• Please mute if not speaking and in conversation with
colleagues, or in a busy room, etc.
• Submit questions via the “chat” pod. Will collate these
and get through as many as possible at the end.
• Session is being recorded
3. Some introductions
• Team that has worked on integrating Shibboleth/OWS:
– Self, Andrew Seales, Michael Koutroumpas and Andreas
Matheus
• IE Initiating Organisations:
– EDINA, Snowflake and Cadcorp
• IE Participants
– EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC
– BKG (German NMA) provided another federation
• OGC IE Facilitator:
– Luis Bermudez
4. EDINA
• A National Data Centre for Tertiary Education since
1995
– based at the University of Edinburgh, Scotland
• Our mission...
to enhance the productivity of research, learning and
teaching in UK higher and further education
• Focus is on service but also undertake r&D
– turn projects services
• In ESDIN one of our roles is to try to represent
interests of the European academic sector – one of
the identified target user groups
5. • An eContentplus Best Practice Network project
• Started September 2008. Ends March 2011
• Coordinated by EuroGeographics
• Key goal: help member states, candidate countries
and EFTA States prepare their data for INSPIRE
Annex 1 spatial data themes and improve access:
1. Administrative Boundaries
2. Cadastral Parcels
3. Hydrography
4. Transport Networks
5. Geographical Names
ESDIN Project
6. ESDIN project info (www.esdin.eu)
Interactive
Instruments
Bundesamt für
Kartographie
und Geodäsie
Lantmäteriet
National Technical
University
of Athens
IGN Belgium
Bundesamt für Eich-
und
Vermessungswesen
Universität Münster
EDINA, University
Edinburgh
National Agency for
Cadastre and
Real Estate Publicity
Romania
Helsinki University of
Technology
IGN France
Kadaster
Kort &
Matrikelstyrelsen
Geodan Software
Development &
Technology
1Spatial
The Finnish
Geodetic Institute
National Land
Survey of Finland
Institute of
Geodesy,
Cartography
and Remote
Sensing
Statens kartverk
EuroGeographics
7. Why put effort into federated access control?
• Authentication is the process of verifying that claims
made concerning a subject, eg, identity, who is
attempting to access a resource are true, ie, authentic
• Frequently, SDI content and service providers need to
know who is accessing their valuable, secure, protected,
data
• The ability for a group of organisations with common
objectives, ie, a federation, to securely exchange
authentication information is a powerful SDI enabler
• Even more so if removing some of the barriers to
interoperability…
8. Shibboleth
• Internet2 consortium
• Open source package for web Single Sign On across admin
boundaries based on standards:
– Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security
assertions by obeying privacy policies
• Small coordination centre, large federation of organisations (service
and identity providers)
• Devolved authentication – maintain and leverage existing user
management
• Enables finer grained authorisation through use of attributes
• Many Shibboleth Access Management Federations across Globe
10. Why put effort into federated access control round
OGC Web Services?
• Requested by the commission to focus on testing
practical existing solutions
• Opportunity to build on earlier work undertaken by same
team (JISC funded SEE-GEO project)
– Showed Shibboleth Access Control around WMS
• Key findings current work; the solution required:
– No changes to the OWS interface specifications
– No changes to the core mainstream Shibboleth
– BUT, does require changes to OWS desktop clients
12. What we set out to do in this IE
• Provide the OGC community with the opportunity to
demonstrate their desktop client software being capable
of consuming OWS within Shibboleth Access
Management Federations
– Protected ESDIN Federation OWS to develop against
– Reference implementation of desktop client
• Result: a variety of different clients capable of
undergoing the Shibboleth/SAML interactions
– Browser based clients, ie OpenLayers based
– Desktop based clients
• Result: a better understanding of the issues
13. OGC Interoperability Experiment
• IEs are part of the OGC Interoperability program, which
includes other activities, such as Pilots and Testbeds.
• The IE is focused on an interoperability issue related to the
OGC Technical Baseline.
• The IE completion timeframe is reasonable (4-6 months).
• The IE is “lightweight” – focuses on a single interoperability
issue.
• All materials, documents, lessons learned, and other
findings developed as a result of the IE will be shared with
the OGC membership.
• The expected results: Engineering Report, Best Practice
Report, and Change Requests.
14. What we intend to do today
• Show these clients in action
• But note. Aggressive timeline. The Kickoff telcon was
on Sept 30th
, ie, seven weeks ago.
• Different clients, some browser based, some desktop,
accessing various WMS and WFS
• Series of Single Sign On scenarios
The best-laid schemes o' mice an' men
Gang aft agley, (Robert Burns)
15. Example: Desktop Client, WMS
SSO,
Desktop Client,
WmS
EDINA
Cadcorp
Envitia
1 Attempt access protected service User not previously
authenticated
2 User picks IdP
3 Authenticates
4 Demonstrates access to data
5 Attempts access different protected
services within the Federation
Already authenticated
6 Demonstrates access to data
16. OGC Web Services Shibboleth
Interoperability Experiment
Some housekeeping
• Audio separate from webinar. Phone in on:
+1 512 225 3050 Participant Code: 55699#
• Please mute if not speaking and in conversation with
colleagues, or in a busy room, etc.
• Submit questions via the “chat” pod. Will collate these
and get through as many as possible at the end.
• Session is being recorded
Notes de l'éditeur
Not just SDI, many kinds of information infrastructure require access control
Typically, authentication is a pre-requisite. Some use cases where you don’t, eg, public
Barriers to interoperability include; cost, vendor lock-in, lack of a support community, not standards based, etc
Return later to those last points
Mostly in the academic sector
Identity protected
Millions of users
Talk a bit about the ESDIN Federation
Make this generic to show the components of a federation
Access Management Federations (AMF) provide a practical organisational model for operational SDI
Shibboleth is production strength
Small centre, big network of organisations
A fundamental SDI requirement demonstrated
Additional SDI organisational requirements could be layered on top of the AMF, eg, governance
Needs changes to the clients, but not the services or Shibboleth
Potential INSPIRE compliant approach for establishing operational strength access control to ensure data provided is only available to legitimate government agencies!