Shibboleth Access Management Federations as an Organisational Model for SDI

Christopher I Higgins, Michael Koutroumpas, Andreas Matheus, Andrew Seales

Abstract

Shibboleth is an open-source implementation of the OASIS standard Security Assertion Markup Language (SAML). Shibboleth Access Management Federations (AMFs) are used daily around the globe by millions of users – mainly in the academic realm – to securely exchange the identity information necessary to make authorisation decisions concerning protected web resources. An AMF is typically composed of a number of entities, e.g., organisations working together to achieve a set of shared objectives while each member retains control over its own internal affairs. There are three main categories of entity: identity management is devolved to individual member organisations, who act as Identity Providers; Service Providers are established by organisations wanting to make protected resources available; and finally, there is a small Coordinating Centre. Principally through the European Spatial Data Infrastructure Network (ESDIN) project and the OGC Web Service (OWS) Shibboleth Interoperability Experiment, it has been established that Shibboleth provides a production-strength, standards-based, open-source, interoperable mainstream IT solution to the problem of how to implement AMFs around the OWS central to SDIs. Furthermore, it has been demonstrated using a prototype federation of INSPIRE-compliant services established under ESDIN that this can be done without modifications to either mainstream Shibboleth or OWS. However, non-browser-based clients require adaptation. Various options exist as to how the main actors within a European SDI/Federation may organise themselves in order to realise the objective of allowing authorised users from key organisations, e.g., EU bodies concerned with environmental policy formation, seamless access to harmonised protected geospatial information through OWS.
This paper proposes that a parallel security infrastructure is necessary to realise SDI where protected resources are involved and gives an account of work undertaken demonstrating how Shibboleth-based AMFs meet this need.
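The Service Provider side of the decision described above, a federation SP accepting an assertion from a trusted Identity Provider and deciding whether to serve a protected WMS layer, as an added Python example that is not code from the paper, from ESDIN or from Shibboleth. The IdP and SP entityIDs, the layer name and the entitlement value are constructed stand-ins, and the XML signature is assumed to have already been verified by the Shibboleth SP software before these checks run.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EDU_PERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
# Constructed stand-ins: trusted IdP entityIDs (from federation metadata), this
# SP's own entityID, and the entitlement each protected WMS layer requires.
TRUSTED_IDPS = {"https://idp.mapping-agency.example/idp/shibboleth"}
SP_ENTITY_ID = "https://wms.sdi.example/shibboleth"
LAYER_POLICY = {"protected:cadastral": "urn:mace:sdi.example:cadastral-reader"}

def parse_time(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_assertion(xml_text, now):
    """Return the entitlement set if the assertion is acceptable, else None. Assumes the
    Shibboleth SP already verified the XML signature; only the checks that follow are modelled."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_IDPS:
        return None  # issuer is not a federation member this SP trusts
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now
                            < parse_time(cond.get("NotOnOrAfter"))):
        return None  # no conditions, or outside the validity window
    audiences = {a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        return None  # assertion was issued for a different SP
    ents = set()
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EDU_PERSON_ENTITLEMENT:
            ents.update(v.text for v in attr.iterfind("saml:AttributeValue", NS))
    return ents

def authorise_getmap(xml_text, layer, now):
    """Allow a WMS GetMap on `layer` only with a valid assertion carrying the required entitlement."""
    ents = check_assertion(xml_text, now)
    required = LAYER_POLICY.get(layer)
    return ents is not None and (required is None or required in ents)

# Constructed sample assertion (unsigned; for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.mapping-agency.example/idp/shibboleth</saml:Issuer>
 <saml:Conditions NotBefore="2011-05-01T10:00:00Z" NotOnOrAfter="2011-05-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://wms.sdi.example/shibboleth</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
  <saml:AttributeValue>urn:mace:sdi.example:cadastral-reader</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
```

Each rejection path (untrusted issuer, wrong audience, expired window, missing entitlement) returns a refusal rather than an error, which is what a Coordinating Centre would expect every member SP to enforce uniformly.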

Keywords

security; access control; authentication; Shibboleth; SAML; Open Geospatial Consortium; interoperability experiments; web services; access management federations; WMS; WFS
