IDgis has investigated and tested technology for Authentication, Authorization and Accounting* (AAA). With this technology, users may use multiple (secured) map services from multiple organizations by logging in only once per session. Basic thought is to minimize the burden for system managers and of course for users. A testbed has been developed to demonstrate the proposed technology.
Motive
Motivation of the assignment is the desire to be able to connect all INSPIRE related services from all member state, inclusive publicly not accessible secured services. Within the framework of INSPIRE, IDgis forms together with GeoSparc (Belgium), The Catholic University of Leuven (Belgium) and Secure Dimensions (Germany) a team, to find the best AAA standards and techniques for map services. Unique is the combination of GIS and AAA. The team got its assignment from the ARe3NA workgroup of the European Commissions Joint Research Centre (JRC). Concrete recommendations will be expected before September 2014.
Testbed
The team has made a jump start and already developed a testbed based on SAML (Security Assertion Markup Language), and Identity Providers (IdP), for the login procedure to access service providers. Each service provider is free to choose the type of Identity Provider (for instance OpenAM or Shibboleth). All systems, which are part of the group of connected secured systems (referred to as federation), are connected via one discovery service (DS), which delivers the actual login page for users. This DS has to be installed on one of the systems of the federation and has access to a list of available services/applications within the federation. A user logs in at the DS. The DS communicates with the right IdPs and offers access to all systems and services, for which the user has been authorized by each IdP. The communication between DS and IdPs makes use of the TLS (Transport Layer Security) protocol.
The testbed can be easily extended with accounting, which makes it possible to keep track of the usage of the services by means of logging. A federation may agree on which information (the attributes such as name, roles etcetera) of users should be available from the IdP's.
Advantages
Thanks to AAA technology users can make use of multiple secured systems from their own or other organizations, by logging in only once per session. Management of authorization and authentication is done by each system provider only for its own users. This avoids redundancy and errors and so decreases the burden for system managers. Logging in is secure because of the usage of HTTPS and the usage of certificates and keys for communication between systems. Finally, the advantage of this technology is that all participants are free in the choice of Authentication and Authorization tools/technology. For this reason, an organization can make use of existing user data, which makes implementation of the technique quite easy.
