Upload
lamdang
View
225
Download
0
Embed Size (px)
Citation preview
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
The EUMETSAT EO Portal User Management Concept
Second Workshop on the use of GIS/OGC standards in meteorology
Météo-FranceInternational Conference Center42 avenue Gaspard Coriolis, Toulouse, France23.-25. November 2009
Marko Reiprechtcon terra GmbH, Germany
24. November 2009
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Agenda
Introduction
Base Ideas
Components
Web application SSO
Web Service Integration
Summary
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Introduction
EO Portal provides a single point of online access to EUMETSAT data and dissemination services
� Past: several applications with self contained user management
� Users had to register with every application and to memorise different user ids and passwords
EO Portal encapsulates the legacy applications and offers a harmonised user interface to discover, search, order / subscribe to data and services
Clearinghouse:
� allows users to access data and services of partner agencies (e.g. CNES Altimetry products, NOAA, WMO, ESA)
� vice versa: allows partner agencies to discover, search, order and subscribe to EUMETSAT data and services via a set of programmatic, interoperable services
� Services are based on OGC/HMA and INSPIRE EU specifications
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Introduction
Some Services (e.g. ordering) require user details passed using security concepts
In order to implement this between different organizations:
� >> A harmonized, sophisticated, standards based security concept is required
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Base Ideas
Base Ideas
�Brokered Trust via one or more trusted central authentication partners (Identity Provider)
� Integrate business partners as Service Provider entities
� Build up on already available federated user management and security specifications (SAML 2 + WS-Security)
� Explicit differentiation of web application SSO and the secure access to web services
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Base Ideas
Terms
� Identity Provider (IdP)
• Brokers the trust
• Encapsulates user authentication
� Service Provider (SP)
• Provides web services and web applications
Both are Business Entities
� IdP and SPs work together to maximize their business volume
Circle of Trust
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Base Ideas
Complex Trust and Business Relationships
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Base Ideas
Complex Trust and Business Relationships
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
FUM Components
cmp eum usermanagement
IdP entity
SAML2SecurityTokenServ ice
«saml 2»SingleSignOnServ ice
SP entity
IdP Web Serv ice
SP Web Serv ice
IdP User Registry
SP User Registry
«saml 2»AssertionConsumerServ ice
federation metadata (public keys, sso
endpoints, attribute mappings)
WSC (part of an IdP or a SP)
User w ith Browser
central login UI
sso accounts arel inked viapseudonyms
indirectindirect
shareshare
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
FUM Components
cmp eum usermanagement
IdP entity
SAML2SecurityTokenServ ice
«saml 2»SingleSignOnServ ice
SP entity
IdP Web Serv ice
SP Web Serv ice
IdP User Registry
SP User Registry
«saml 2»AssertionConsumerServ ice
federation metadata (public keys, sso
endpoints, attribute mappings)
WSC (part of an IdP or a SP)
User w ith Browser
central login UI
sso accounts arel inked viapseudonyms
indirectindirect
shareshare
Web Application SSO
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
FUM Components
cmp eum usermanagement
IdP entity
SAML2SecurityTokenServ ice
«saml 2»SingleSignOnServ ice
SP entity
IdP Web Serv ice
SP Web Serv ice
IdP User Registry
SP User Registry
«saml 2»AssertionConsumerServ ice
federation metadata (public keys, sso
endpoints, attribute mappings)
WSC (part of an IdP or a SP)
User w ith Browser
central login UI
sso accounts arel inked viapseudonyms
indirectindirect
shareshare
Web Service SSO
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
cmp eum usermanagement
IdP entity
SAML2SecurityTokenServ ice
«saml 2»SingleSignOnServ ice
SP entity
IdP Web Serv ice
SP Web Serv ice
IdP User Registry
SP User Registry
«saml 2»AssertionConsumerServ ice
federation metadata (public keys, sso
endpoints, attribute mappings)
WSC (part of an IdP or a SP)
User w ith Browser
central login UI
sso accounts arel inked viapseudonyms
indirectindirect
shareshare
OpenSSO
FUM Components
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Web Application SSO
cmp eum usermanagement
IdP entity
SAML2SecurityTokenServ ice
«saml 2»SingleSignOnServ ice
SP entity
IdP Web Serv ice
SP Web Serv ice
IdP User Registry
SP User Registry
«saml 2»AssertionConsumerServ ice
federation metadata (public keys, sso
endpoints, attribute mappings)
WSC (part of an IdP or a SP)
User w ith Browser
central login UI
sso accounts arel inked viapseudonyms
indirectindirect
shareshare
Web Application SSO
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Sample starting from SPUser not logged in
Can perform anonymous tasks
Web Application SSO
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Sample starting from SP User clicks on “Login”
Redirect to SingleSignOnService at IdP
Central login UI
form-based redirect
� SAMLRequest = <saml2:AuthnRequest/>
� RelayState = <start-url>
Web Application SSO
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Sample starting from SP Redirect to the AssertionConsumerService of the SP
� Now the user is authenticated
form-based redirect
� SAMLResponse =…<saml:Assertion/>…
� RelayState = <start-url>
Web Application SSO
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Web application SSO
� SAML 2 Web Browser SSO Profile
• HTTP-Redirect mechanism (HTTP-Post and/or Artifact Binding)
• Central login at the EO-Portal
� A user has a personal account at least at one identity provider and optional accounts on service provider level, these accounts are linked via special ids (pseudonyms) per IdP/SP pair
� The user accounts can be linked dynamically, during a user initiated web application SSO process or via offline batch processing
Web Application SSO
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Web Service Integration
cmp eum usermanagement
IdP entity
SAML2SecurityTokenServ ice
«saml 2»SingleSignOnServ ice
SP entity
IdP Web Serv ice
SP Web Serv ice
IdP User Registry
SP User Registry
«saml 2»AssertionConsumerServ ice
federation metadata (public keys, sso
endpoints, attribute mappings)
WSC (part of an IdP or a SP)
User w ith Browser
central login UI
sso accounts arel inked viapseudonyms
indirectindirect
shareshare
Web Service SSO
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Result of Web Application SSO
� Authenticated User at a Web Service Client (WSC)
Problem:
� How to retrieve a valid security token for an user to authenticate the user at the target web service?
sd use web service
Web Service«IdP»
SAML2SecurityTokenService
WSC
consider part of IdP entity consider part of IdP or SP entity
par Obtain valid SecurityToken
par Secure communication with web service
consider part of IdP or SP entity
AuthnRequest
:security token
sendRequest(security token)
:response
Web Service Integration
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Web Service Integration
sd use web service
Web Service«IdP»
SAML2SecurityTokenService
WSC
consider part of IdP entity consider part of IdP or SP entity
par Obtain valid SecurityToken
par Secure communication with web service
consider part of IdP or SP entity
AuthnRequest
:security token
sendRequest(security token)
:response
GetTicket (User-ID, Requestor-Entity, Target entity)
Validate Ticket Signature
Validate Request Signature (Holder Of Key)
WS-Security SAML Token Profile
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
REST Service Integration
� Proprietary Mechanism due to the lack of official specifications
� HTTP-Header “SAML2Token”
• base 64 encoded <saml2:Assertion/>
• doesn’t change any domain protocols
• not visible within URLs
� Additional Request Parameter “SAML2Token”
• base 64 encoded <saml2:Assertion/>
• only useable if Key-Value-Pair encoding is used
• visible in URLs
Web Service Integration
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
HMA User Management Integration
EO-Portal Supports the Specification OGC 07-118r1 U ser Management Interfaces for Earth Observation Service s V0.0.4
� Extension of the OpenSSO Server to support the HMA-AuthenticationService interface
� Support for the HMA Security Token Format (SAML1)
� EO-Portal Services can be consumed by HMA-Clients
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Summary
Based on OASIS SAML 2 and WS-Security
Identity Federation Approach
Web Application SSO (SAML2 & Domain Cookie)
SOAP/REST Web Service Integration
HMA User Management Integration
Flexible and Extensible Security Model
...connecting worlds...connecting worlds M. ReiprechtWorkshop GOS/OGC23.-25. Nov. 2009. Toulouse, France
Finish
Thank you!
Questions?