Practical Approaches to Web Services Authentication


3 Nov 2013 (3 years and 10 months ago)



Practical Approaches to Web Services Authentication

72nd OGC Technical Committee

Frascati, Italy

Fiona Culloch

March 9, 2010

Sponsored and hosted by ESA/ESRIN

OGC

®

Federated Authentication


User Selects Identity Provider


Enters Credentials at IdP


Logged in to Service Provider


Browser-Based Federation Mature

Implementations

Open-source: Shibboleth, SimpleSAMLphp, …

Commercial: OpenAthens, Sun, Novell, …

Policy infrastructure: many national federations


But…

Doesn’t work for non-browser clients!


Why Not?

The browser-oriented SAML profiles (Web Browser SSO) require:

HTTP redirection

Cookies

SSL/TLS

User input (usernames, passwords, etc.)

(X)HTML processing

Web service clients may not support any of these! (OGC Authentication IE client survey)

This makes IdP discovery and interaction impossible for such clients


One Solution Identified

By the UK JISC-funded EDINA project SEE-GEO (2006–08)

Initiated and led by the EDINA geospatial team

With input from:

AM Consult (Andreas Matheus)

UK federation (JISC/EDINA SDSS project)

Shibboleth Core Team (Chad La Joie)


Concept

Separate the client flow (XML over HTTP) from the browser authentication flow (HTML, SAML over HTTP)

In the client flow, the URI must contain a valid token

The token is validated through the browser authentication flow


Authenticating Proxy (“Façade”)

[Diagram: the client sends XML requests to http://proxy/...438657... ; the façade forwards the XML to the OWS and returns the OWS’s XML response to the client.]


Façade Has Two Faces

[Diagram: client face: the client exchanges XML with the façade at http://url1/...438657..., and the façade exchanges XML with the OWS. Browser face: the façade also acts as a SAML SP, exchanging SAML and HTML with the browser at http://url2/...438657... The same token appears in both URLs.]
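The two faces and the shared token, as an added example in Python; this is not SEE-GEO, WSTIERIA or OGC IE code. The slides do not say who generates the token or where it sits in the URI, so the example assumes the façade mints a random token when the browser face completes a SAML login, shows the user a client URL with the token as the first path segment, and that the client face checks that segment on every XML request before forwarding it to the OWS. Host names (url1.example.org, ows.internal), the token lifetime and the X-Remote-User header are likewise assumptions.

```python
"""Toy two-faced façade: browser face issues a token, client face validates it.
Added example, not code from the SEE-GEO / WSTIERIA projects or the OGC IE.
"""
import secrets
import time
from urllib.parse import urlsplit

CLIENT_FACE = "https://url1.example.org"   # assumed host of the client face
OWS_BACKEND = "http://ows.internal:8080"    # assumed protected OWS behind the façade


class Facade:
    def __init__(self, ttl=8 * 3600):
        self.ttl = ttl        # assumed token lifetime: one working day
        self._tokens = {}     # token -> (saml_subject, expires_at)

    # ---- browser face: called after the façade's SAML SP has authenticated the user ----
    def browser_login(self, saml_subject, now=None):
        """Mint a token bound to the SAML subject and return the client URL carrying it.
        The user pastes this URL into an otherwise unmodified OWS client."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)          # 192 bits: not guessable like "438657"
        self._tokens[token] = (saml_subject, now + self.ttl)
        return f"{CLIENT_FACE}/{token}/ows"

    def browser_logout(self, token):
        """Revoke a token from the browser face (e.g. on SAML logout)."""
        self._tokens.pop(token, None)

    # ---- client face: plain XML over HTTP, no redirects, cookies or HTML ----
    def validate(self, token, now=None):
        """Return the SAML subject bound to the token, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        subject, expires_at = entry
        if now >= expires_at:
            del self._tokens[token]                # purge expired tokens eagerly
            return None
        return subject

    def client_request(self, url, xml_body, now=None):
        """Handle one OWS client request.
        Returns (status, upstream_url, payload): payload is the forwarded request on 200,
        otherwise an error string. Nothing here needs cookies, redirects or HTML."""
        parts = urlsplit(url)
        segments = parts.path.lstrip("/").split("/", 1)
        if len(segments) != 2 or not segments[0]:
            return 400, None, "token missing from URI"
        subject = self.validate(segments[0], now)
        if subject is None:
            return 401, None, "token invalid, expired or not yet authenticated in a browser"
        upstream = f"{OWS_BACKEND}/{segments[1]}"
        if parts.query:
            upstream += "?" + parts.query
        # A real façade forwards the XML upstream here; the authenticated subject is
        # passed to the OWS in a header (assumed name) that only the façade may set.
        forwarded = {"url": upstream, "headers": {"X-Remote-User": subject}, "body": xml_body}
        return 200, upstream, forwarded


if __name__ == "__main__":
    facade = Facade(ttl=3600)
    client_url = facade.browser_login("alice@example.ac.uk", now=1000)   # browser face
    print("client URL:", client_url)
    status, upstream, payload = facade.client_request(                    # client face
        client_url + "?SERVICE=WMS&REQUEST=GetCapabilities", "<GetCapabilities/>", now=2000)
    print(status, upstream, payload["headers"])
    print(facade.client_request(client_url, "<x/>", now=5000)[0], "after expiry")
```

The token is a bearer credential carried in the URI, so the client face must be served over TLS only, the lifetime kept short, the token scrubbed from access logs and Referer headers, and the OWS configured to trust the subject header only from the façade’s address. Validation state lives entirely in the façade, which is what lets the client stay unmodified apart from its base URL.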


Façade Separates Auth. from Application

Façade: SAML, federation, X.509, auth. policy, …; sys. admin. and auth. policy (someone else’s problem!)

OWS: WMS, WFS, …; app. design, OGC standards, … (your problem)


SEE-GEO Work Being Taken Forward

In the OGC (1H 2010)

Authentication Interoperability Experiment

Interoperability testing

Investigate best choice of SAML protocols, bindings

At EDINA

JISC-funded project WSTIERIA (2010)

Generalise from OWS to any WS

Abstract from SAML protocols, bindings to the Shibboleth concept of “protected service”


Meanwhile, Elsewhere…

Shibboleth Core Team / U. of Chicago have developed

Shibboleth extension for web services

Based on SAML 2.0 Enhanced Client or Proxy (ECP)

Client libraries (for Java, …)

Supports N-tier use cases!


So Why Bother With Façade?

No client library required

SAML 2.x / Shibboleth 2.x not required

As of December 2009, only ~20% of UK federation IdPs supported SAML 2.0

Few / zero client modifications required

WSTIERIA is taking both approaches forward


Call to Action


Any volunteer clients?




Contact us! fiona.culloch@ed.ac.uk