Sep 202011

One of the goals of IGIBS is to allow users to generate protected WMS services using SAML-based access control. The technology behind this is based on  prior research done in the past few years by EDINA for the EU funded ESDIN project. The ideas produced by the project have been successfully tested within the OGC Shibboleth Interoperability Experiment – see also the INSPIRE2011 page on this blog.

In order to access a protected WMS generated by the IGIBS factory tool one needs either:

  1. A modified desktop client that supports the SAML ECP protocol.
  2. The browser-based IGIBS mapping client.

Anyone interested in using a desktop client to access IGIBS protected services is encouraged to download the EDINA-modified version of Openjump. Further information about how the Enhanced Client or Proxy (ECP) profile works is available at OASIS.

As far as browser-based clients are concerned, the main challenge in accessing a protected WMS from a browser is that AJAX applications use the XMLHttpRequest Object which does not support creating new cookies and HTTP redirects. These operations are however crucial for satisfying the requirements of the SAML2 Web-Browser SSO profile. This shortcoming also applies to OpenLayers which will not connect to a protected WMS without some extra configuration and JavaScript code changes. To that end, EDINA  has made available a patched version of Openlayers which allows XMLHttpRequest with cookies and redirection using a novel approach which is explained in detail here.

For the above reasons IGIBS browser-based client uses the EDINA version of OpenLayers as a base. Interested parties are very much encouraged to download it and provide feedback and/or criticism for further improvements.


 Posted by at 16:12 Mapping Application, Security, Techie, WMS Factory Tagged with: , , , , , , ,  Comments Off on WMS Access Control within IGIBS
Aug 032011

I guess that anyone reading this  will already know that Shibboleth is an open source federated user authentication infrastructure that allows control of user sign-on between or within an organisation/s.  I had a vague memory from childhood Sunday School classes that there was an older meaning to the word apart from the Times crossword type definition of a feature that belies your social or ethnic origins.

So just in case there is a person left who hasn’t Googled “Shibboleth” here are the conclusions from 5 mins of browsing.

The origin is from Hebrew in the  late Bronze age (1100BC). It was used as a test of racial origin to try and filter out a group called the  Ephraimites from the Gileadites. In a nut shell anyone attempting to cross the river Jordan after a particularly nasty battle was asked to pronounce the word Shibboleth (meaning stream or  ear of wheat) . If you were unlucky enough to pronounce it Sibboleth then you were for the chop as you were clearly an Ephraimite ( who didn’t have the “sh” sound in their language) or were just unlucky enough to have a speech problem. This is supposed to have lead to about 40,000 executions! So really it was an early form of biometric identification, which sounds more advanced than some of today’s security systems.  Now I assume that with  modern-day software development, failing to pass the Shibb authentication  only results in minor annoyance and no longer leads to capital punishment, but I will be a little more careful when entering my user-name and password from now on.

 Posted by at 10:48 asides Tagged with:  Comments Off on Shibboleth: report of early stage development using biometric id.
Jun 032011

The overall aim of the IGIBS project is to try and improve the relationship between the UK’s National Spatial Data Infrastructure (SDI) as manifested through the UK Location Programme (UKLP) and the UK’s academic SDI.

Our main objective is to focus on use cases emerging from research and education related to a particular area – the UNESCO designated Dyfi Biosphere Reserve.  Once articulated, these user requirements will drive the creation of two pieces of software of wider applicability and assist Aberystwyth University in developing resources for use by local students.

We are building on much prior art, especially in the area of Access Control.  EDINA runs the UK Access Management Federation (UKAMF) and, while it might not be fashionable, the reality is that many SDI resources, eg, data and web services, are going to stay protected.  This is true both of INSPIRE at the European scale and the UKLP nationally.  We aim to show how Shibboleth (the open source software that underpins the UKAMF) can be used to enable a wider range of use cases, so that UK students can get access to both open and protected resources, eg, from UK public authorities like Welsh Government.

We expect that the main four products resulting from this project will be:

  1. Working prototype of a “WMS factory” tool
  2. Simple mapping application
  3. Best Practice model for using UK academic SDI at the departmental level
  4. Demonstration of UK access management technology being used to secure public sector services in combination with academic sector services

SDI is underpinned by open geospatial standards like the OGC’s Web Map Service (WMS).  The “WMS factory” tool will allow users to upload their data and instantiate a WMS so that their data can then be viewed online, via a simple mapping application, in conjunction with reference data from Welsh Government.

Shibboleth is already used in academia, we extend its use here to demonstrate how public sector data can be made securely available to authenticated and authorised users within academia.

The Institute of Geography and Earth Sciences (IGES) has ambitions to improve the way it educates students in the use of open geospatial interoperability standards and intends using the Dyfi Biosphere Reserve area as an exemplar.  To this end we are conducting an inventory of data for the area and creating a repository for educational use.  The “Best Practice model for using UK academic SDI at the departmental level” will feed into this activity as well as provide guidance for the wider university sector.

Apr 182011

Information is now being collated on available data sets to incorporate in this project. We have identified a number of case study users from the Institute of Geography and Earth Sciences (IGES), Aberystwyth University and Forest Research in Wales, Forestry Commission who have previously and are currently working on projects based in the Dyfi Biosphere.

As part of the process for gathering this information users are being actively encouraged to create dataset metadata using GeoDoc tool – found within the GoGeo area on the EDINA web site. This utility is used to create standards compliant dataset metadata for upload into catalogues, eg, GoGeo! so that the data can be discovered, evaluated and possibly reused. Note that you need to have UK Access Management credentials to use GeoDoc.

Users that we have identified so far consist of academics, researchers and students within IGES in Aberystwyth University, and from the Centre for Catchment and Coastal Research (CCCR) which is a consortium of Aberystwyth University and Bangor University. Users will also include researchers from Forestry Research in Wales, Forestry Commission and staff from the Countryside Council for Wales (CCW). Within these bodies individuals have been identified and we will develop these as user case studies. We are currently collating their data sets and identifying their relevant uses and needs.

In the following weeks we will collate and input data sets some of which are complete whilst others are work in progress. These data sets will come from the individual user case studies. The user case studies will be something like the following:
• IGES Academic/Researcher
• IGES/CCCR Academic/Researcher
• IGES MSc Student
• IGES PhD Student
• IGES Digital Map Librarian
• Forestry Research Researcher
• CCW Senior Reserve Warden for Dyfi Biosphere Area

A ‘shopping list’ of data sets that are either not currently available to these users (and which they would like access to) or are difficult to find will also be identified and collated. Already we have had requests for biogeochemical data sets from IGES/CCCR, and for remote sensing data sets from Forest Research. It is hoped that Welsh Assembly Government may be able to help with some of these data and that, even if their use is restricted, we may be able to offer access to using web services secured using Shibboleth (the software underlying the UK Access Management Federation).

So far we have identified from the academic/researcher evidence that both academic staff and students would find the Web Map Service (WMS) “factory” application useful as a research and teaching tool. It has also been suggested by one of the academic users that an undergraduate module could be developed around the use of open geospatial standards. It was agreed that using the GeoDoc metadata input facility would generally improve data management practice for research projects.

Any comments from the user case study individuals or other potential users would be much appreciated to ensure the relevant uses and needs of all involved in this project are identified. The information will feed into the development of the mapping application and the identification of future requirements.

 Posted by at 15:05 User Reqs Tagged with: , , , , , , , , , , , , , , , , ,  Comments Off on Collation of data sets
Apr 162011

This is a big topic that is often neglected and often proves fatal for SDI initiatives meeting their ambitions.  The reality is that much valuable data is restricted; this is true for the UK National SDI (UK Location Programme), the UK academic SDI and INSPIRE.  A genuinely interoperable means of allowing OGC Web Service clients (like the one we are developing in IGIBS) to consume WMS (open and restricted) from multiple distributed organisations without having to provide multiple user credentials is difficult.  Building on much prior work, we are going to try to demonstrate in IGIBS how Shibboleth – the open source SAML implementation that powers the UK Access Management Federation – can be used to allow protected public sector WMS can be made securely available to the academic sector.  We will also demonstrate the converse, how users in the academic sector can securely publish their data and control who can see it if they need to.  We will use this page to solicit comment and hopefully gather recommendations for further work.

 Posted by at 15:33 Security Tagged with: , , , , , , ,  Comments Off on Security Category