Practical Approaches to Web Services Authentication





Sponsored and hosted by ESA/ESRIN

Practical Approaches to Web Services Authentication
72nd OGC Technical Committee, Frascati, Italy
Fiona Culloch, March 9, 2010
Federated Authentication




      ®

OGC
User Selects Identity Provider

Enters Credentials at IdP

Logged in to Service Provider

Browser-Based Federation Mature

• Implementations
  – Open-source
     • Shibboleth
     • SimpleSAMLphp, …
  – Commercial
     • OpenAthens
     • Sun
     • Novell, …
• Policy infrastructure
  – Many national federations

But…

• Doesn’t work for non-browser clients!

Why Not?

• The protocols (SAML) require:
  – HTTP redirection
  – Cookies
  – SSL/TLS
  – User input (usernames, passwords, etc.)
  – (X)HTML processing

• Web service clients may not support any of these!
  – (OGC Authentication IE client survey)

• This makes IdP discovery and interaction impossible for such clients

One Solution Identified

• By UK JISC-funded EDINA project SEE-GEO (2006–08)
  – Initiated and led by EDINA geospatial team
  – With input from
    • AM Consult (Andreas Matheus)
    • UK federation (JISC/EDINA SDSS project)
    • Shibboleth Core Team (Chad La Joie)

Concept

• Separate
  – Client flow (XML over HTTP)
  – From browser authentication flow (HTML, SAML over HTTP)

• In the client flow
  – URI must contain valid token
  – Token validated by browser authentication flow

Authenticating Proxy (“Façade”)

[Diagram] Client --XML, http://proxy/...438657...--> Façade --XML--> OWS

Façade Has Two Faces

[Diagram] Client  --XML, http://url1/...438657...--> Façade --XML--> OWS
          Browser --HTML, SAML, http://url2/...438657...--> Façade (SP face)
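As an added example (not code from the SEE-GEO project or from this talk), the two faces of the façade in minimal Python: the browser face mints a URI token once the SAML login has completed, and the client face checks the token carried in the XML request's URI and forwards the request to the OWS with the token stripped. The `/proxy/<token>/<ows-path>` URI layout, the one-hour token lifetime, the `http://ows.internal` backend and the `fake_ows` stand-in are all assumptions made for the example.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed in-memory store: token -> (user, expiry epoch). In the SEE-GEO
# concept the token is minted by the browser-facing (SAML SP) face once the
# user has logged in at their IdP; the client face only validates it.
_TOKENS = {}
TOKEN_TTL = 3600                     # assumed lifetime in seconds; URI tokens
                                     # end up in logs, so keep this short
OWS_BACKEND = "http://ows.internal"  # placeholder for the real OWS endpoint

def issue_token(user, now=None):
    """Browser face: called after a successful SAML login; returns the URI token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # unguessable: the URI is the credential
    _TOKENS[token] = (user, now + TOKEN_TTL)
    return token

def validate_token(token, now=None):
    """Client face: map a token to a user, or None if unknown or expired."""
    now = time.time() if now is None else now
    if not token.isascii():             # compare_digest rejects non-ASCII str
        return None
    found = None
    for stored, (user, exp) in _TOKENS.items():   # constant-time per entry
        if hmac.compare_digest(stored, token) and now < exp:
            found = user
    return found

def facade_handle(request_uri, xml_body, forward, now=None):
    """Client face: URI is /proxy/<token>/<ows-path>?<query>. Strip the token,
    hand the XML request to the OWS via `forward`, or refuse it."""
    parts = urlsplit(request_uri)
    segments = parts.path.split("/")
    if len(segments) < 3 or segments[1] != "proxy":
        return 404, "not found"
    user = validate_token(segments[2], now)
    if user is None:
        return 401, "token missing, unknown or expired"   # OWS never reached
    backend = urlsplit(OWS_BACKEND)
    target = urlunsplit((backend.scheme, backend.netloc,
                         "/" + "/".join(segments[3:]), parts.query, ""))
    return 200, forward(target, xml_body, user)

def fake_ows(target, xml_body, user):
    """Constructed stand-in for the real OWS so the example runs offline."""
    return "<Capabilities user='%s' target='%s'/>" % (user, target)
```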

Façade Separates Auth. from Application

[Diagram] Façade: SAML, Fed., X.509, Auth. policy, … (sys. admin., auth. policy: someone else’s problem!)
          OWS: OWS, WMS, WFS, … (app. design, OGC standards, …: your problem)
SEE-GEO Work Being Taken Forward

• In the OGC (1H 2010)
  – Authentication Interoperability Experiment
    • Interoperability testing
    • Investigate best choice of SAML protocols, bindings

• At EDINA
  – JISC-funded project WSTIERIA (2010)
    • Generalise from OWS to any WS
    • Abstract from SAML protocols, bindings to Shibboleth concept of “protected service”

Meanwhile, Elsewhere…

• Shibboleth Core Team / U. of Chicago have developed
  – Shibboleth extension for web services
    • Based on SAML 2.0 Enhanced Client Proxy (ECP)
    • Client libraries (for Java, …)
    • Supports N-tier use cases!

So Why Bother With Façade?

• No client library required
• SAML 2.x / Shibboleth 2.x not required
  – As of December 2009, only ~20% of UK federation IdPs supported SAML 2.0
• Few / zero client modifications required
• WSTIERIA taking both approaches forward

Call to Action

• Any volunteer clients?

• Contact us!  fiona.culloch@ed.ac.uk