Sep 202011
 

One of the goals of IGIBS is to allow users to generate protected WMS services using SAML-based access control. The technology behind this is based on  prior research done in the past few years by EDINA for the EU funded ESDIN project. The ideas produced by the project have been successfully tested within the OGC Shibboleth Interoperability Experiment – see also the INSPIRE2011 page on this blog.

In order to access a protected WMS generated by the IGIBS factory tool one needs either:

  1. A modified desktop client that supports the SAML ECP protocol.
  2. The browser-based IGIBS mapping client.

Anyone interested in using a desktop client to access IGIBS protected services is encouraged to download the EDINA-modified version of Openjump. Further information about how the Enhanced Client or Proxy (ECP) profile works is available at OASIS.

As far as browser-based clients are concerned, the main challenge in accessing a protected WMS from a browser is that AJAX applications use the XMLHttpRequest Object which does not support creating new cookies and HTTP redirects. These operations are however crucial for satisfying the requirements of the SAML2 Web-Browser SSO profile. This shortcoming also applies to OpenLayers which will not connect to a protected WMS without some extra configuration and JavaScript code changes. To that end, EDINA  has made available a patched version of Openlayers which allows XMLHttpRequest with cookies and redirection using a novel approach which is explained in detail here.

For the above reasons IGIBS browser-based client uses the EDINA version of OpenLayers as a base. Interested parties are very much encouraged to download it and provide feedback and/or criticism for further improvements.

 

 Posted by at 16:12 Mapping Application, Security, Techie, WMS Factory Tagged with: , , , , , , ,  Comments Off on WMS Access Control within IGIBS
Apr 162011
 

This is a big topic that is often neglected and often proves fatal for SDI initiatives meeting their ambitions.  The reality is that much valuable data is restricted; this is true for the UK National SDI (UK Location Programme), the UK academic SDI and INSPIRE.  A genuinely interoperable means of allowing OGC Web Service clients (like the one we are developing in IGIBS) to consume WMS (open and restricted) from multiple distributed organisations without having to provide multiple user credentials is difficult.  Building on much prior work, we are going to try to demonstrate in IGIBS how Shibboleth – the open source SAML implementation that powers the UK Access Management Federation – can be used to allow protected public sector WMS can be made securely available to the academic sector.  We will also demonstrate the converse, how users in the academic sector can securely publish their data and control who can see it if they need to.  We will use this page to solicit comment and hopefully gather recommendations for further work.

 Posted by at 15:33 Security Tagged with: , , , , , , ,  Comments Off on Security Category