This document outlines essential information on Authentication, Authorization, and Accounting (AAA) and Access Management Federation (AMF) in the context of INSPIRE standards. It covers the background and context of the INSPIRE directive, defining AAA and AMF, relevant standards and technologies, and practical insights into how AMF operates. Public access to spatial data resources and secure mechanisms for user authentication and authorization are also discussed, emphasizing the need for interoperability and minimal access barriers.
AAA-architecture for INSPIRE: Standards & technologies
Danny Vandenbroucke & Ann Crabbé, KU Leuven (SADL)
Outline
• Background & context
• Defining AAA and AMF
• Overview of relevant standards
• Overview of technologies
• AMF: how it works ...
Background and context
• INSPIRE Directive entered into force 15 May 2007
• Cross-border and cross-sector sharing of interoperable spatial data resources
• SOA based architecture
• 18.113 data sets
  • > 1316 providers
• 7.088 services
  • > 1546 providers
Background & context
• Public access to the spatial data through services
• The goal is to have as few access barriers as possible (direct access, free, ...)
• Public access can be limited for particular reasons
  • Discovery service: “such access would adversely affect international relations, public security or national defence”
  • Viewing, download, ... services and e-commerce: because of IPR, privacy, protection of particular habitats, ...
  • E.g. downloading data can be set up through a controlled access mechanism and payment scheme
• Need for secure access ...
AAA and AMF
• Defining AAA
  • Authentication: verification that a potential partner in a conversation is capable of representing a person or organisation
  • Authorisation: determination whether a subject is allowed to have the specified type of access to a particular resource
  • Accounting or rights management: tracking and controlling the use of content, rights, licences and associated information
AAA and AMF
• Defining Access Management Federation
  • Federated authentication and local authorization
  • Parties in the federation (diagram): Identity providers, Service providers, Coordination Center
AAA and AMF
• AMF is a dynamic concept
• An organization can join the federation
  • by applying to the coordination centre as a service provider, an identity provider or both
• It becomes a trusted party
  • the CC checks technical compliance according to the policies and procedures of the federation
• The CC will add the organization’s credentials to the federation metadata
  • an XML file hosted online by the CC that defines the circle of trust of the federation
• Single Sign-On
  • ensures that the user gets a session established with all service providers of the federation
Standards
• There are many (related) standards
• General ICT with few exceptions
• Communication
• Authentication
• Authorization
Standards
• Secure communication
  • HTTP protocol (IETF RFC 2616) with an encryption protocol such as TLS (Transport Layer Security – IETF RFC 6176)
  • HTTPS (IETF RFC 2818)
• Authentication
  • Redirection to IdP, login, forward attributes to SP
  • Security Assertion Markup Language (SAML)
    • Protocol for communicating user authentication, entitlement and attribute information
    • Metadata – trusted SP & IdP, SAML endpoints, public keys, ...
  • OpenID exists as an alternative protocol
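The federation metadata named in the AMF slide and under Authentication above (the XML "circle of trust" the CC publishes, listing trusted SPs and IdPs, their SAML endpoints and public keys), as an added example that is not part of the presentation: a constructed, minimal SAML 2.0 metadata document with one IdP and one SP, a parser that builds the circle of trust from it, and the SP-side check that an assertion's issuer is a federation IdP before its signature is verified. The entity IDs, endpoint URLs and the certificate placeholder are made up for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, minimal federation metadata: one IdP and one SP (not a real federation's file).
FEDERATION_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:inspire-federation">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>IDP-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wfs.example.org/sp">
    <md:SPSSODescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://wfs.example.org/sp/ACS" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_circle_of_trust(metadata_xml):
    """Map each entityID in the metadata to its role, SAML endpoint and signing certificates."""
    trust = {}
    for ent in ET.fromstring(metadata_xml).findall("md:EntityDescriptor", NS):
        idp = ent.find("md:IDPSSODescriptor", NS)
        sp = ent.find("md:SPSSODescriptor", NS)
        if idp is not None:          # IdP: where the SP redirects the user to log in
            role, desc, svc = "IdP", idp, "md:SingleSignOnService"
        elif sp is not None:         # SP: where the IdP posts the assertion back
            role, desc, svc = "SP", sp, "md:AssertionConsumerService"
        else:
            continue
        certs = [c.text.strip()
                 for kd in desc.findall("md:KeyDescriptor", NS)
                 if kd.get("use") in (None, "signing")   # no 'use' means signing and encryption
                 for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
        trust[ent.get("entityID")] = {"role": role, "signing_certs": certs,
                                      "endpoint": desc.find(svc, NS).get("Location")}
    return trust


def signing_certs_for_issuer(trust, issuer):
    """SP-side check: the assertion's <Issuer> must be a federation IdP, else reject (None)."""
    entry = trust.get(issuer)
    if entry is None or entry["role"] != "IdP":
        return None
    return entry["signing_certs"]   # the certificates the assertion signature must verify against
```

Unknown issuers and federation SPs both yield None, so an assertion signed by a key that is not in the IdP's metadata entry is never trusted, whichever key it carries in its own XML.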
Standards (figure; sources: Higgins et al., 2014; Chadwick, 2008)
Standards
• Authorization
  • Managed at the SP side based on access rights to a resource
  • Based on attributes – e.g. user ID, role, ...
  • eXtensible Access Control Markup Language (XACML)
    • GeoXACML allows geographical functions
  • OAuth as an alternative but ...
Technologies
• Authentication information can be stored and managed in different ways
  • E.g. LDAP, Kerberos, PKI, ...
• For implementing SAML many tools exist (OSS and proprietary)
  • Extensive list with supported protocols and roles in report
• Shibboleth (Internet2)
  • Supports IdP, SP, discovery
  • Supports additional encryption capacity
  • Attributes described in Java or from databases
  • Additional attributes can be defined
AMF: how it works ... (figure: flow diagram with 11 numbered steps; not reproduced)