170 likes | 338 Views
Sponsored and hosted by ESA/ESRIN. Practical Approaches to Web Services Authentication. 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010. Federated Authentication. User Selects Identity Provider. Enters Credentials at IdP. Logged in to Service Provider.
E N D
Sponsored and hosted by ESA/ESRIN Practical Approaches toWeb Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010
Browser-Based Federation Mature • Implementations • Open-source • Shibboleth • SimpleSAMLphp, … • Commercial • OpenAthens • Sun • Novell, … • Policy infrastructure • Many national federations
But… • Doesn’t work for non-browser clients!
Why Not? • The protocols (SAML) require: • HTTP redirection • Cookies • SSL/TLS • User input (usernames, passwords, etc.) • (X)HTML processing • Web service clients may not support any of these! • (OGC Authentication IE client survey) • Making IdP discovery/interaction impossible
One Solution Identified • By UK JISC-funded EDINA project SEE-GEO (2006–08) • Initiated and led by EDINA geospatial team • With input from • AM Consult (Andreas Matheus) • UK federation (JISC/EDINA SDSS project) • Shibboleth Core Team (Chad La Joie)
Concept • Separate • Client flow (XML over HTTP) • From browser authentication flow (HTML, SAML over HTTP) • In the client flow • URI must contain valid token • Token validated by browser authentication flow
Authenticating Proxy (“Façade”) Client XML http://proxy/...438657... Façade XML OWS
Façade Has Two Faces Client XML http://url1/...438657... Façade SP Browser SAMLHTML XML OWS http://url2/...438657...
Façade Separates Auth. from Application SAML, Fed., X.509, Auth. Policy, … OWS,WMS, WFS, … Façade OWS Sys. admin.,Auth. policy(Someone else’s problem!) App. design,OGC standards,…(Your problem)
SEE-GEO Work Being Taken Forward • In the OGC (1H 2010) • Authentication Interoperability Experiment • Interoperability testing • Investigate best choice of SAML protocols, bindings • At EDINA • JISC-funded project WSTIERIA (2010) • Generalise from OWS to any WS • Abstract from SAML protocols, bindings to Shibboleth concept of “protected service”
Meanwhile, Elsewhere… • Shibboleth Core Team / U. of Chicago have developed • Shibboleth extension for web services • Based on SAML 2.0 Enhanced Client Proxy (ECP) • Client libraries (for Java, …) • Supports N-tier use cases!
So Why Bother With Façade? • No client library required • SAML 2.x / Shibboleth 2.x not required • As of December 2009, only ~20% of UK federation IdPs SAML 2.0 • Few / zero client modifications required • WSTIERIA taking both approaches forward
Call to Action • Any volunteer clients? • Contact us! fiona.culloch@ed.ac.uk