Authentication Use Cases ESDIN Work Package 4 Workshop IGN Belgium, Brussels, 19th May 2010

What is authentication?

…a mandatory part of access control concerned with establishing that claims made concerning a subject who is attempting to use a particular resource are authentic, ie, true

Two Use Cases:

1. Secure access by desktop client to medium and small scale ESDIN download service

2. Secure access by desktop client to large scale ESDIN download service

Actors

Key ESDIN Users of pan-European Geographical Data, eg, JRC, EEA, EuroStat.

But could be any user where there is a requirement to know who is taking the data

Description

For a wide variety of different reasons, individuals at organizations such as the EEA, JRC or EC need to be able to access secure ESDIN download services on top of pan-European coverage ExM data at medium and small scales. The downloaded data will be accessed via a desktop client and will be either EBM, ERM, EGM or user defined

Trigger

Various, user has need for harmonized pan-European data

Preconditions

1. Harmonised ExM data available at medium and small scales via a basic WFS serving up data with pan-European coverage

2. The user's organisation and the ExM WFS service provider are part of the same access management federation

3. User has access to a desktop client capable of undergoing the Shibboleth/SAML interaction

Postconditions

1. User has been authenticated and authorized

2. Data has been delivered to the user's WFS client application

Normal Flow

1. User's application issues a GetCapabilities request

2. User selects their Identity Provider from a list of IdPs

3. Authenticates

4. GetCapabilities request followed by however many DescribeFeatureType, GetFeature requests and responses as necessary to satisfy user's requirements

Alternative Flows

1. Single Sign On. User has already authenticated at another federation service provider and is not required to authenticate again

Exceptions

1. User not authorised. Authorisation exception

2. Illegal request leading to a service exception

3. Security exception in case of attack
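
The normal flow and exceptions above, modelled as an added example (not part of the original slides): a toy service-provider gate in front of the WFS. It does no real SAML processing; the IdP URLs, the entitlement value and all class names are hypothetical, and treating an assertion from an IdP outside the federation as the security exception is an assumption.

```python
# Added example: toy service-provider gate in front of a WFS, following the
# use case's normal flow and exceptions. No real SAML; all names hypothetical.
from dataclasses import dataclass, field

FEDERATION_IDPS = {"https://idp.nmca-a.example", "https://idp.univ-b.example"}  # constructed
WFS_OPERATIONS = {"GetCapabilities", "DescribeFeatureType", "GetFeature"}
ENTITLEMENT = "exm-download"  # hypothetical attribute value used to authorise

class AuthorisationException(Exception): pass  # exception 1: user not authorised
class ServiceException(Exception): pass        # exception 2: illegal request
class SecurityException(Exception): pass       # exception 3 (assumed trigger)

@dataclass(frozen=True)
class Assertion:  # stand-in for an already validated SAML assertion
    issuer: str
    subject: str
    entitlements: frozenset

@dataclass
class WfsGate:
    sessions: dict = field(default_factory=dict)  # session id -> Assertion

    def login(self, session_id, assertion):
        # Precondition 2: the IdP must be in the same federation as the service.
        if assertion.issuer not in FEDERATION_IDPS:
            raise SecurityException("assertion from IdP outside the federation")
        self.sessions[session_id] = assertion

    def handle(self, session_id, operation):
        if operation not in WFS_OPERATIONS:
            raise ServiceException(f"illegal request: {operation}")
        assertion = self.sessions.get(session_id)
        if assertion is None:
            # Normal flow step 2: the client must choose an IdP and authenticate.
            return ("choose_idp", sorted(FEDERATION_IDPS))
        if ENTITLEMENT not in assertion.entitlements:
            raise AuthorisationException(f"{assertion.subject} not authorised")
        return ("ok", operation)
```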

Priority

High, being able to securely exchange identity information to make authorisation decisions is a fundamental pre-requisite of a large number of SDI scenarios

Frequency of use

High

Assumptions

It is assumed that a trust federation comprising the ESDIN partners and cooperating organisations will have been established and is being maintained

Notes and issues

Cross-federation interoperability not assumed but likely to be desirable under several scenarios, eg, the EEA operates its own federation-like partnership, the European Environment Information and Observation Network (EEIONet).

AuthN Interoperability Experiment

• OGC mechanism looking at various alternatives

• Implementing these use cases under WP11

• Two federations created:

  – ESDIN NMCAs

  – University members of the European Persistent Geospatial Testbed for Research and Education

• Exploring cross-federation scenario where it is agreed universities get access to ExM data

Chris Higgins
