Practical Approaches to Web Services Authentication - PowerPoint PPT Presentation

moe
practical approaches to web services authentication n.
Skip this Video
Loading SlideShow in 5 Seconds..
Practical Approaches to Web Services Authentication PowerPoint Presentation
Download Presentation
Practical Approaches to Web Services Authentication

play fullscreen
1 / 17
Download Presentation
Practical Approaches to Web Services Authentication
141 Views
Download Presentation

Practical Approaches to Web Services Authentication

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Sponsored and hosted by ESA/ESRIN Practical Approaches toWeb Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010

  2. Federated Authentication

  3. User Selects Identity Provider

  4. Enters Credentials at IdP

  5. Logged in to Service Provider

  6. Browser-Based Federation Mature • Implementations • Open-source • Shibboleth • SimpleSAMLphp, … • Commercial • OpenAthens • Sun • Novell, … • Policy infrastructure • Many national federations

  7. But… • Doesn’t work for non-browser clients!

  8. Why Not? • The protocols (SAML) require: • HTTP redirection • Cookies • SSL/TLS • User input (usernames, passwords, etc.) • (X)HTML processing • Web service clients may not support any of these! • (OGC Authentication IE client survey) • Making IdP discovery/interaction impossible

  9. One Solution Identified • By UK JISC-funded EDINA project SEE-GEO (2006–08) • Initiated and led by EDINA geospatial team • With input from • AM Consult (Andreas Matheus) • UK federation (JISC/EDINA SDSS project) • Shibboleth Core Team (Chad La Joie)

  10. Concept • Separate • Client flow (XML over HTTP) • From browser authentication flow (HTML, SAML over HTTP) • In the client flow • URI must contain valid token • Token validated by browser authentication flow

  11. Authenticating Proxy (“Façade”) Client XML http://proxy/...438657... Façade XML OWS

  12. Façade Has Two Faces Client XML http://url1/...438657... Façade SP Browser SAMLHTML XML OWS http://url2/...438657...

  13. Façade Separates Auth. from Application SAML, Fed., X.509, Auth. Policy, … OWS,WMS, WFS, … Façade OWS Sys. admin.,Auth. policy(Someone else’s problem!) App. design,OGC standards,…(Your problem)

  14. SEE-GEO Work Being Taken Forward • In the OGC (1H 2010) • Authentication Interoperability Experiment • Interoperability testing • Investigate best choice of SAML protocols, bindings • At EDINA • JISC-funded project WSTIERIA (2010) • Generalise from OWS to any WS • Abstract from SAML protocols, bindings to Shibboleth concept of “protected service”

  15. Meanwhile, Elsewhere… • Shibboleth Core Team / U. of Chicago have developed • Shibboleth extension for web services • Based on SAML 2.0 Enhanced Client Proxy (ECP) • Client libraries (for Java, …) • Supports N-tier use cases!

  16. So Why Bother With Façade? • No client library required • SAML 2.x / Shibboleth 2.x not required • As of December 2009, only ~20% of UK federation IdPs SAML 2.0 • Few / zero client modifications required • WSTIERIA taking both approaches forward

  17. Call to Action • Any volunteer clients? • Contact us! fiona.culloch@ed.ac.uk