1 / 10

Web Services Tiered Internet Authorization (WSTIERIA)

Web Services Tiered Internet Authorization (WSTIERIA). 21 June 2011 Fiona Culloch fiona.culloch@ed.ac.uk. Output 1: Digimap changes. Modified production Digimap service To give non-browser GIS clients (ArcView etc.) Access to Digimap data via web services

len-vincent
Download Presentation

Web Services Tiered Internet Authorization (WSTIERIA)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Services Tiered Internet Authorization (WSTIERIA) 21 June 2011 Fiona Culloch fiona.culloch@ed.ac.uk

  2. Output 1: Digimap changes Modified production Digimap service To give non-browser GIS clients (ArcView etc.) Access to Digimap data via web services Using OGC standards (Web Map Service etc.) UK federation authentication of registered users, with SSO As alternative to large downloads of raw data

  3. Output 2: DIY instructions Short document (7 pages) on “how-to” Control access to existing web services From non-browser clients Without modifying the web service Implementable by average sysadmin Using only off-the-shelf software Apache web server (with mod_rewrite) A little scripting (perl, or anything else)

  4. Output 3: Try Shibboleth delegation Set up dev & test environment PM1: Eclipse + Maven2 VM1: IdP + delegation plugin VM2: example client (JSP) + Shib SP1 + JASIG delegation library PM2: example web service (WSP) + Shib SP2 “Hello, world”-level success! User goes to JSP/SP1, logs in at IdP JSP calls JASIG library to GET from WSP/SP2 Lib accesses SP2 using delegatable token from IdP; user does not need to log in to SP2

  5. Successes Production service (Digimap) using UK fed. for non-browser web services Route to interoperation of unmodified web services, unmodified non-browser clients with UK federation Demonstrated deployability of new Shibboleth delegation software by developer outside the Shibboleth team

  6. Lesson 1: Delegation limitations Delegation depends on IdP & all SPs Supporting SAML2, bits of Liberty SP implementation (Shibboleth 2.2+) IdP deployer must explicitly name: SP entities allowed to delegate SP entities they can delegate to, etc, etc. Probably rules out cross-organisational scenarios for now, leaving Intra-org applications (e.g. student portal)

  7. Lesson 2: uPortal not needed Original delegation use case was uPortal web app invoking portlets Wasn’t known if delegation library depended on this uPortal context Project showed how a non-uPortal web app (JSP) can use delegation library

  8. Lesson 3: Delegation & UK federation Potential issue identified UK federation (& others, e.g. InCommon) moving from CAs to self-signed trust-fabric certs Delegation library rejects these because not in std. Java CA trust list Reported to developer (Unicon), response awaited

  9. Failures No deployments outside EDINA No future external partner identified Attempt to apply the simple Apache + scripting technique to WebDAV Limited success (only easy cases worked) Protocol with server URLs in data & headers defeats simple technique Wrote up experience as tech note

  10. Future Shibboleth developers Migrate delegation library into SP code? IdP config optionally take delegation audiences (SP2,…,n) from SP1 metadata EDINA More interesting examples (INSPIRE?) Community Apply techniques!

More Related