
Secure access to spatial data for academia – the UK experience

Workshop, Authentication, Authorization and Accounting

for Data and Services in EU Public Administrations,

KU Leuven,17th March, 2014

Chris Higgins, [email protected]

Page 2

EDINA

• Jisc-designated centre of expertise and online services since 1995, based at the University of Edinburgh
• Jisc: champions the use of digital technologies in UK education and research
• EDINA's mission: develop and deliver shared services and infrastructure for research and education
• Focus is on service, but also undertakes R&D, turning projects into services
• Substantial experience in handling geospatial data

Page 3

UKAMF

• UK Access Management Federation (UKAMF)
– Approx. 8 million users
– Approx. 400 entities (Identity Providers (IdPs) and Service Providers (SPs))
– Operated by EDINA and Jisc
– Largest academic federation in the world
• Mostly Shibboleth, an open source implementation of SAML, but some non-Shibboleth SAML entities
• Agnostic about AuthZ: authorisation is at the discretion of SPs
• A framework for exchanging access management information (see the rules of membership)
– The SP is entirely responsible for management of access rights to its services

Page 4

Related geospatial projects

Date Funder Project Name

2006-2008 Jisc SEcurE access to GEOspatial services (SEE-GEO)

2008-2011 EU European Spatial Data Infrastructure Network (ESDIN)

2010-2011 DSTL Study on Access Control to Geographic Information (SACGI)

2011 Jisc Interoperable Geographic Information for Biosphere Study (IGIBS)

2012-2016 EU Citizen Observatory Web (COBWEB)

Page 5

ESDIN

• Resourced EDINA to build on in-house access control expertise
• An eContentplus Best Practice Network project
• Ran from Sept 2008 until end Feb 2011
• Coordinated by EuroGeographics
• From the AuthN perspective, the main ESDIN use case was Key Users, e.g. EEA, EuroStat, JRC, accessing INSPIRE Annex 1 services from different member states
• Key goal: help member states prepare their data for INSPIRE Annex 1 themes

Page 6

OGC Interoperability Experiments (IEs)

• Key vehicle for taking the work forward
• Simple, low-overhead means for OGC members to get together and advance specific technical objectives within the OGC baseline
• Facilitated by OGC staff
• More lightweight than the OGC Web Services initiatives
• Focussed on specific interoperability issues
• Effort is viewed as voluntary and supported by in-kind contributions from participating member organisations
• Duration normally around 6 months

Page 7

OGC Web Services Shibboleth IE (OSI)

• Started Aug 2010
• Previous work had shown it was possible to protect WMS with Shibboleth so that:
– No mods required to the OGC interface
– No mods required to the Shibboleth download
– BUT mods required to OWS clients
• OSI provided the OGC software-producing community with the means and opportunity to modify OWS clients to work with Shibboleth
• Emphasis on desktop OWS client software
• Provide participants with the opportunity to demonstrate their software in action

Page 8

OSI - How

• Use the test ESDIN Federation to provide OSI participants with services to develop against
• Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile
– http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
• Provide some technical support, e.g. with OpenLayers clients conformant with the Web Browser SSO Profile
• Regular telecons
• OSI Technology Integration Experiment event
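The exchange behind the OSI slides (why the WMS interface and the Shibboleth software stay untouched while a desktop OWS client needs modifying to follow the SAML ECP Profile), together with the UKAMF point that the federation only authenticates and the SP alone decides access rights, as an added example. This is not code from the page, from EDINA, or from the ESDIN/OSI reference client: it is a simulation of a SAML 2.0 ECP exchange in Python, with the SP, IdP and client as in-process functions instead of HTTP endpoints. The hosts, user accounts, eduPersonScopedAffiliation values, the SP's allow-list and the timestamp are all constructed, and XML signatures, TLS and federation metadata are omitted.

```python
# Simulated SAML 2.0 ECP exchange: desktop OWS client, Shibboleth-style SP in front
# of a WMS, and an IdP as in-process functions. Added example with constructed hosts,
# accounts and SP policy; the XML signatures a real deployment relies on are omitted.
import secrets
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PAOS_MIME = "application/vnd.paos+xml"
NOW = "2014-03-17T09:00:00Z"                                         # constructed IssueInstant
SP_ENTITY = "https://wms.example.ac.uk/shibboleth"                  # hypothetical
SP_ACS = "https://wms.example.ac.uk/Shibboleth.sso/SAML2/ECP"       # hypothetical
WMS_URL = "https://wms.example.ac.uk/wms?SERVICE=WMS&REQUEST=GetMap"
USERS = {"alice": ("correct horse battery staple", "staff@example.ac.uk"),
         "bob": ("hunter2", "alum@example.ac.uk")}                  # password, affiliation
ALLOWED = {"staff@example.ac.uk", "student@example.ac.uk"}          # the SP's own AuthZ rule
PENDING, SESSIONS = set(), {}     # SP state: open AuthnRequest IDs; cookie -> principal
# What an ECP-capable client adds to every request (SAML 2.0 ECP profile).
ECP_HEADERS = {"Accept": f"text/html; {PAOS_MIME}", "PAOS": f'ver="{PAOS}";"{ECP}"'}
MUST = {f"{{{SOAP}}}mustUnderstand": "1",
        f"{{{SOAP}}}actor": "http://schemas.xmlsoap.org/soap/actor/next"}

def q(ns, tag):
    return f"{{{ns}}}{tag}"

def new_id():
    return "_" + secrets.token_hex(16)

def sp_get(headers, cookie=None):
    """SP: serve the map with a session, start ECP for a PAOS client, else browser SSO."""
    if cookie in SESSIONS:
        return 200, "image/png", b"<constructed GetMap image bytes>"
    if PAOS_MIME not in headers.get("Accept", "") or not headers.get("PAOS", "").endswith(f'"{ECP}"'):
        return 302, "text/html", b"Location: discovery service (Web Browser SSO profile)"
    env = ET.Element(q(SOAP, "Envelope"))
    hdr = ET.SubElement(env, q(SOAP, "Header"))
    ET.SubElement(hdr, q(PAOS, "Request"), dict(MUST, responseConsumerURL=SP_ACS, service=ECP))
    ET.SubElement(ET.SubElement(hdr, q(ECP, "Request"), MUST), q(SAML, "Issuer")).text = SP_ENTITY
    ET.SubElement(hdr, q(ECP, "RelayState"), MUST).text = WMS_URL
    ar = ET.SubElement(ET.SubElement(env, q(SOAP, "Body")), q(SAMLP, "AuthnRequest"),
                       {"ID": new_id(), "Version": "2.0", "IssueInstant": NOW,
                        "AssertionConsumerServiceURL": SP_ACS})
    ET.SubElement(ar, q(SAML, "Issuer")).text = SP_ENTITY
    PENDING.add(ar.get("ID"))
    return 200, PAOS_MIME, ET.tostring(env)

def idp_ecp(envelope, username, password, acs_url=SP_ACS):
    """IdP ECP endpoint (SOAP binding, HTTP Basic credentials): returns (status, body)."""
    if username not in USERS or USERS[username][0] != password:
        return 401, None
    ar = ET.fromstring(envelope).find(f"./{q(SOAP, 'Body')}/{q(SAMLP, 'AuthnRequest')}")
    env = ET.Element(q(SOAP, "Envelope"))
    ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(ECP, "Response"),
                  dict(MUST, AssertionConsumerServiceURL=acs_url))
    resp = ET.SubElement(ET.SubElement(env, q(SOAP, "Body")), q(SAMLP, "Response"),
                         {"ID": new_id(), "Version": "2.0", "IssueInstant": NOW,
                          "InResponseTo": ar.get("ID"), "Destination": acs_url})
    ET.SubElement(ET.SubElement(resp, q(SAMLP, "Status")), q(SAMLP, "StatusCode"),
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    a = ET.SubElement(resp, q(SAML, "Assertion"), {"ID": new_id(), "Version": "2.0", "IssueInstant": NOW})
    ET.SubElement(ET.SubElement(a, q(SAML, "Subject")), q(SAML, "NameID")).text = username
    attr = ET.SubElement(ET.SubElement(a, q(SAML, "AttributeStatement")), q(SAML, "Attribute"),
                         {"Name": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"})  # eduPersonScopedAffiliation
    ET.SubElement(attr, q(SAML, "AttributeValue")).text = USERS[username][1]
    return 200, ET.tostring(env)

def sp_acs(envelope):
    """SP assertion consumer: bind the response to a pending request, then apply the
    SP's own authorisation rule (the federation only authenticates)."""
    resp = ET.fromstring(envelope).find(f"./{q(SOAP, 'Body')}/{q(SAMLP, 'Response')}")
    if resp is None or resp.get("InResponseTo") not in PENDING or resp.get("Destination") != SP_ACS:
        return 400, None
    PENDING.discard(resp.get("InResponseTo"))
    if resp.findtext(f".//{q(SAML, 'AttributeValue')}") not in ALLOWED:
        return 403, None  # authenticated by the federation, but this SP grants no access
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = resp.findtext(f".//{q(SAML, 'NameID')}")
    return 302, cookie

def ecp_get_map(username, password, idp=idp_ecp):
    """Modified OWS client: GetMap is unchanged, but it relays PAOS/ECP between SP and IdP."""
    status, ctype, body = sp_get(ECP_HEADERS)
    if ctype != PAOS_MIME:
        return status, ctype, body  # not ECP-protected
    env = ET.fromstring(body)
    hdr = env.find(q(SOAP, "Header"))
    expected_acs = hdr.find(q(PAOS, "Request")).get("responseConsumerURL")
    relay = hdr.find(q(ECP, "RelayState"))
    env.remove(hdr)  # the IdP receives only the SOAP body carrying the AuthnRequest
    status, idp_body = idp(ET.tostring(env), username, password)
    if status != 200:
        raise PermissionError("IdP rejected the credentials")
    idp_env = ET.fromstring(idp_body)
    idp_hdr = idp_env.find(q(SOAP, "Header"))
    acs = idp_hdr.find(q(ECP, "Response")).get("AssertionConsumerServiceURL")
    # Mandatory ECP client check: the IdP's ACS URL must equal the SP's
    # responseConsumerURL, otherwise a rogue IdP could steer the assertion elsewhere.
    if acs != expected_acs:
        raise ValueError(f"ACS mismatch, assertion not delivered: {acs}")
    idp_env.remove(idp_hdr)
    new_hdr = ET.Element(q(SOAP, "Header"))
    ET.SubElement(new_hdr, q(PAOS, "Response"), MUST)
    new_hdr.append(relay)
    idp_env.insert(0, new_hdr)
    status, cookie = sp_acs(ET.tostring(idp_env))
    if status != 302:
        raise PermissionError(f"SP refused a session (HTTP {status})")
    return sp_get({}, cookie)  # replay the original, unmodified GetMap with the session
```

Two points worth noting. The GetMap URL and the WMS itself never change: the SP answers a PAOS-capable client with a SOAP envelope instead of a browser redirect, and everything else the client has to do (strip the SOAP header, authenticate to the IdP, rebuild the envelope, replay the request with the session cookie) is exactly the client-side work the OSI slides refer to. The client's comparison of the IdP's AssertionConsumerServiceURL with the SP's responseConsumerURL is the one check the ECP profile requires of a client, and skipping it lets a rogue or spoofed IdP redirect the assertion; the SP's affiliation allow-list is the AuthZ decision the federation leaves entirely to the SP.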

Page 9

OSI/ESDIN – Some outcomes

• Using Shibboleth to protect OWS is practical
• Not particularly difficult on the server side or with browser-based clients
• More subtle with desktop-based clients, but possible with some effort in a short space of time
• This kind of "IE testbed" approach was appreciated by participating OGC members
• Highly likely that community support and tooling will be available if a decision is made to operationalise

Page 10

Some references

• OGC Engineering Report (OGC 11-019r2)
– https://portal.opengeospatial.org/files/?artifact_id=47852
• IJSDIR paper: Shibboleth Access Management Federations as an Organisational Model for SDI
– http://ijsdir.jrc.ec.europa.eu/index.php/ijsdir/article/view/245/324
• Workshop at INSPIRE 2011: Shibboleth Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment
– http://igibs.blogs.edina.ac.uk/inspire2011/

Page 11

Citizen Observatory Web

• 4-year FP7-funded research project

• Crowdsourced environmental data to aid decision making

• Introduce quality measures and reduce uncertainty

• Combine crowdsourced data with existing sources of data

Page 12

A GEOSS Project

• Global Earth Observation System of Systems
• "Data collected should be made available through the GEOSS without any restrictions"
• But we must address "questions of privacy..."
• Some kinds of protected data that may be encountered during the project:
– Personal information, e.g. name, email address
– Location of protected species
– Reference data from European National Mapping and Cadastral Agencies
– Conflated data

Page 13

GEOSS Architecture Implementation Pilots (AIP)

• One of the means by which GEOSS addresses interoperability issues and GEOSS Common Infrastructure extension work
• Led by the OGC
• All contributions are in-kind
• Phased approach
• In AIP-6 we piloted the use of access management federations

Page 14

COBWEB/GEOSS AIP-6 Federation

[Diagram: federation roles Service Provider (SP), Identity Provider (IdP) and Discovery Service (DS); "GEOSS user" Single-Sign-On; Trust Gateway (TG) to OpenID (Google OpenId). Participating organisations: NASA Ames, Secure Dimensions, CUAHSI*, Catapult, University of Edinburgh, Kst. GDI.DE, EarthServer (FP7) project, MEEO.]

*: Consortium of Universities for the Advancement of Hydrologic Science