GEOSS Authentication and Single Sign-On
Steven F. Browdy
OMS Tech, Inc.
IEEE
May 7, 2013 CEOS WGISS-35 Meeting
Background and History
• Initial research started during AIP-3
• Motivated by the DSWG Implementation Guidelines of the Data Sharing Principles.
• Is not being viewed as a data access restriction.
• Initially considered OpenID, OAuth, and Shibboleth
  • Decided to drop OAuth
• Not concerned at this point with authorization (access control), just authentication.
• DSWG has many examples of data providers that just want to know “who is using my data.”
[Diagram: Provider’s Site, containing Resources (Data and Services), an Authentication Service and an Authorization Service, accessed by a User]
• Authentication Service: answers “is this User XYZ?” by verifying the identity
• Authorization Service: answers “what can User XYZ do?” by checking identity against stored access constraint rules
Background and History
• Decided to drop Shibboleth
  • Too hard an impact to require of data providers.
  • Examples of implementation case studies that concluded Shibboleth took a lot of effort to implement.
• No work on this for AIP-4
• Picked up again in AIP-5
• Decided to include SAML 2.0 (Security Assertion Markup Language) to exchange user credentials via XML.
  • Works with many user management security systems
  • Lightweight implementation requirements
• Developed use cases to implement in AIP-6.
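The data-provider side of the SAML 2.0 choice above, as an added example that is not part of the original slides or of the GEOSS/AIP work: a service provider that only wants to know “who is using my data” still has to check that the assertion was issued by a trusted IdP, is inside its validity window, and is addressed to this provider before trusting the NameID. The issuer, audience and subject values are constructed, and the function assumes the assertion’s XML signature has already been verified by an XML-DSig library (an unsigned or unverified assertion must not reach it).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical issuer, subject and audience; not from any real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2013-05-07T10:00:00Z">
  <saml:Issuer>https://idp.example.org/saml2</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-05-07T10:00:00Z" NotOnOrAfter="2013-05-07T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://data.example.org/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _parse_time(value):
    # SAML timestamps are UTC ("Z" suffix); whole seconds are enough for this check.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authenticated_subject(assertion_xml, expected_audience, trusted_issuers, now):
    """Return the NameID if the (already signature-verified) assertion is valid for this SP, else None."""
    root = ET.fromstring(assertion_xml)
    # Only assertions from IdPs this provider has enrolled are accepted.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None
    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _parse_time(nb):
        return None
    if noa and now >= _parse_time(noa):
        return None
    # The assertion must be addressed to this service provider, not just to any SP the IdP serves.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The returned NameID is the answer to “is this User XYZ?”; what that user may do is the separate authorization question the slides leave out of scope.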
Main Goals
• Federated solution that has minimal to no impact on the GCI.
• Lightweight implementation requirements for data providers.
• A solution that can evolve.
Current Use Cases
• Registration for Authentication via OpenID
• Organizational user registration for Authentication via SAML2
• Registration as OpenID user for SAML2 Users
• OpenID-Protected Data Access via OpenID Authentication
• SAML2-Protected Data Access via OpenID Authentication
• OpenID-Protected Data Access via SAML2 Authentication
• SAML2-Protected Data Access via SAML2 Authentication
• Registering and Modifying a New Identity or Service Provider for SAML2 Trust Gateway
• Identification as "GEOSS User" During Registration
Unofficial Tentative Plan
AIP-6 Plans
• Implement the use cases to test the federated authentication and single sign-on solution.
• Will work with partners that have an interest in establishing the viability of the solution in terms of meeting the goals.
  • COBWEB project
  • NASA
  • CUAHSI
• Create demo for GEO Summit in January, 2014
• Generate appropriate documentation
Some OpenID-Approved Identity Servers
• US Government
• Google
• Equifax
• PayPal
• VeriSign
• Verizon
• EC – INSPIRE ???
Q & A