
Practical Approaches to Web Services Authentication

Sponsored and hosted by ESA/ESRIN. Practical Approaches to Web Services Authentication. 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010. Federated Authentication. User Selects Identity Provider. Enters Credentials at IdP. Logged in to Service Provider.



Presentation Transcript


  1. Sponsored and hosted by ESA/ESRIN
     Practical Approaches to Web Services Authentication
     72nd OGC Technical Committee, Frascati, Italy
     Fiona Culloch, March 9, 2010

  2. Federated Authentication

  3. User Selects Identity Provider

  4. Enters Credentials at IdP

  5. Logged in to Service Provider

  6. Browser-Based Federation Mature
     • Implementations
       • Open-source
         • Shibboleth
         • SimpleSAMLphp, …
       • Commercial
         • OpenAthens
         • Sun
         • Novell, …
     • Policy infrastructure
       • Many national federations

  7. But…
     • Doesn’t work for non-browser clients!

  8. Why Not?
     • The protocols (SAML) require:
       • HTTP redirection
       • Cookies
       • SSL/TLS
       • User input (usernames, passwords, etc.)
       • (X)HTML processing
     • Web service clients may not support any of these!
       • (OGC Authentication IE client survey)
     • Making IdP discovery/interaction impossible

  9. One Solution Identified
     • By UK JISC-funded EDINA project SEE-GEO (2006–08)
     • Initiated and led by EDINA geospatial team
     • With input from
       • AM Consult (Andreas Matheus)
       • UK federation (JISC/EDINA SDSS project)
       • Shibboleth Core Team (Chad La Joie)

  10. Concept
     • Separate
       • Client flow (XML over HTTP)
       • From browser authentication flow (HTML, SAML over HTTP)
     • In the client flow
       • URI must contain valid token
       • Token validated by browser authentication flow

  11. Authenticating Proxy (“Façade”)
     [Diagram: Client --XML--> http://proxy/...438657... (Façade) --XML--> OWS]

  12. Façade Has Two Faces
     [Diagram: Client --XML--> http://url1/...438657... (Façade, containing the SP) --XML--> OWS; Browser <--SAML/HTML--> http://url2/...438657... (same Façade)]

  13. Façade Separates Auth. from Application
     [Diagram: Façade side: SAML, Fed., X.509, Auth. Policy, … (sys. admin., auth. policy: someone else’s problem!); OWS side: OWS, WMS, WFS, … (app. design, OGC standards, …: your problem)]
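The two-face mechanism of slides 10 to 13, as an added Python illustration that is not SEE-GEO or WSTIERIA code: a façade whose browser face mints a token once the SP has completed the SAML flow, and whose client face accepts an XML-over-HTTP request only when the first path segment of the URI is a live token, forwarding the request to the OWS with the token stripped. The class and method names (Facade, issue_token, handle_client_request), the hosts http://url1.example and http://ows.example, the one-hour token lifetime and the SAML subject value are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a token minted by the browser flow


@dataclass
class TokenRecord:
    subject: str       # identity asserted by the IdP in the SAML flow (assumed attribute)
    expires_at: float


class Facade:
    """Hypothetical facade with two faces: a browser/SP face that mints a token
    after the SAML flow succeeds, and an XML client face that checks nothing
    but the token carried in the request URI."""

    def __init__(self, upstream_ows="http://ows.example", clock=time.time):
        self.upstream_ows = upstream_ows  # the OWS being fronted (constructed value)
        self.clock = clock                # injectable so expiry can be tested
        self._tokens = {}                 # sha256(token) -> TokenRecord; raw tokens are never stored

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    # --- browser face: called by the SP once the SAML assertion has been validated ---
    def issue_token(self, saml_subject):
        # 256 bits of randomness: the URI token is the only secret the client ever holds
        token = secrets.token_urlsafe(32)
        self._tokens[self._fingerprint(token)] = TokenRecord(
            saml_subject, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def revoke_token(self, token):
        # browser-side logout invalidates the client flow immediately
        self._tokens.pop(self._fingerprint(token), None)

    # --- client face: XML over HTTP, URI of the form http://url1/<token>/<ows path>?<query> ---
    def handle_client_request(self, url):
        """Return (status, upstream_url, subject); 401 means the request is not forwarded."""
        parts = urlsplit(url)
        segments = parts.path.split("/", 2)  # ['', '<token>', 'rest/of/path']
        token = segments[1] if len(segments) > 1 else ""
        record = self._tokens.get(self._fingerprint(token)) if token else None
        if record is None:
            return 401, None, None
        if record.expires_at <= self.clock():
            self._tokens.pop(self._fingerprint(token), None)  # expired: forget it and deny
            return 401, None, None
        rest = segments[2] if len(segments) > 2 else ""
        upstream = f"{self.upstream_ows}/{rest}"  # token removed before the OWS sees the request
        if parts.query:
            upstream += "?" + parts.query
        return 200, upstream, record.subject


if __name__ == "__main__":
    facade = Facade()
    tok = facade.issue_token("alice@example.ac.uk")  # constructed subject
    print(facade.handle_client_request(
        f"http://url1.example/{tok}/wms?SERVICE=WMS&REQUEST=GetCapabilities"))
    print(facade.handle_client_request("http://url1.example/not-a-token/wms?SERVICE=WMS"))
```

Because the token in the URI is the client's whole credential, the example keeps it unguessable (256 random bits), stores only its hash, and enforces both expiry and explicit revocation; in a deployment the client face must also sit behind TLS and the façade's access logs must not record full request URIs, or the token leaks to anyone who can read the logs.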

  14. SEE-GEO Work Being Taken Forward
     • In the OGC (1H 2010)
       • Authentication Interoperability Experiment
         • Interoperability testing
         • Investigate best choice of SAML protocols, bindings
     • At EDINA
       • JISC-funded project WSTIERIA (2010)
         • Generalise from OWS to any WS
         • Abstract from SAML protocols, bindings to Shibboleth concept of “protected service”

  15. Meanwhile, Elsewhere…
     • Shibboleth Core Team / U. of Chicago have developed
       • Shibboleth extension for web services
         • Based on SAML 2.0 Enhanced Client Proxy (ECP)
       • Client libraries (for Java, …)
     • Supports N-tier use cases!

  16. So Why Bother With Façade?
     • No client library required
     • SAML 2.x / Shibboleth 2.x not required
       • As of December 2009, only ~20% of UK federation IdPs SAML 2.0
     • Few / zero client modifications required
     • WSTIERIA taking both approaches forward

  17. Call to Action
     • Any volunteer clients?
     • Contact us! fiona.culloch@ed.ac.uk
