2. Previous work by this team
• SEE-GEO
• The eContentPlus ESDIN work
• OGC Web Services Shibboleth Interoperability Experiment
• German Spatial Data Infrastructure
2007 ... 2012 ... 2016 (Concept)
Secure Dimensions Previous work on Access Management Federations 2
3. SEE-GEO
• SEcurE access to GEOspatial services
• UK JISC funded process in 2007
• Cross border map (Germany / The Netherlands)
• Secure WFS with styled layer descriptor
– Depending on the style and the origin of the rescue centre, the map is loaded or access is denied
4. eContentPlus ESDIN
• eContentPlus project (http://www.esdin.eu/)
• Participants from all over Europe
• Establish a pan-European access management federation with NMCAs' services:
– OGC WMS
– OGC WFS
– ...
5. Shibboleth IE
• OGC Interoperability Experiment
– 2011
– OGC® Engineering Report for the OWS Shibboleth Interoperability Experiment
– https://portal.opengeospatial.org/files/?artifact_id=47852
• Objectives
– Use of the access management federation with OGC Web Services using SAML 2 authentication
– Implement SAML 2 Enhanced Client & Proxy Profile in Desktop GIS product
6. Shibboleth IE
• OGC Interoperability Experiment 2011
• Participants
– Cadcorp, Envitia, con terra, snowflake, JRC
• Objective
– Connect to protected OGC Web Services provided by the ESDIN and German SDI prototype federations
– Implement SAML 2 Enhanced Client Proxy Profile
• Result
– Desktop GIS: Cadcorp, Envitia, snowflake
– Browser based Client: JRC
– Client Proxy: con terra
7. INSPIRE 2011 Workshop
• INSPIRE annual conference 2011 Edinburgh
• Objective was to introduce the use of an Access Management Federation with SAML2 to protect OGC Web Services
– Access Management Federation prototype
• The result confirmed that the introduced concept is INSPIRE conformant
8. Prototype Federation German SDI
• https://sp.gdi-de.org
9. Prototype Federation German SDI
[Diagram. Labels: application; login with; loaded from; IdP; DS; SP; WMS GetMap; WMS GetFeatureInfo; Secure Dimensions (secure-dimensions.net); IHK Bavaria (win.bihk.de); GDI.DE (gdi-de.org); GDI.BY (gdi-by.org)]
10. Conclusion from previous work
• Access Management Federation based on SAML is a productive solution for sharing protected resources in various countries around the world
– https://www.aai.dfn.de/links/ [German Federation]
• Strength
– Single-Sign-On support
– High level of assurance about real user identity
– Exchange of SAML user credentials supports privacy and anonymity of the user
– Managed list of trusted entities = federation
11. Conclusion from previous work
• Protected services can be consumed via
– Web Browser (e.g. OpenLayers) applications
– Desktop GIS applications
• Web Browser with full support*1
– IE 10, Google Chrome, Firefox, Safari
• Desktop GIS must implement SAML2 ECP
– Cadcorp and Envitia were tested successfully during the Shibboleth IE
– QGIS (open source GIS) SAML2 extension provided by Secure Dimensions
*1: This is the list of tested web browsers
12. Thank You
It is important to do security right...
Secure Dimensions GmbH
Holistic Geosecurity
Dr. Andreas Matheus
Waxensteinstr. 28
D-81377 München, Germany
Phone +49 (0)89 38151813-0
Mobile +49 (0)160 1066366
Telefax +49 (0)89 38151813-9
Email am@secure-dimensions.com
Web www.secure-dimensions.com