
Federated User Management in a Federated Government – SAML 2 for the SDI of the Free State of Saxony (Germany)

INSPIRE Conference 2012, Istanbul

Contents

❙ Spatial Data Infrastructure of the Free State of Saxony

❙ E-Government Base Components for Spatial Information (GeoBAK 2.0)

❙ Use case – exchange of protected spatial information in the Saxon SDI

❙ Technical implementation based on SAML 2

❙ Demo

| INSPIRE Conference 2012, Istanbul | Andreas Hergert (GeoSN) and Rüdiger Gartmann (con terra)


SDI of the Free State of Saxony

Saxon SDI as part of the German and European SDI


SDI of the Free State of Saxony

Saxony - overview


→ area: 18 400 sq km

→ population: 4.2 million

→ capital: Dresden

→ 13 administrative districts

→ 455 municipalities

→ ca. 60 Federal State Authorities

→ 216 000 employees in public service


SDI of the Free State of Saxony

Driving Forces

E-Government

• Saxon E-Gov. Strategy

INSPIRE

• INSPIRE Directive

• Saxon SDI Law (SächsGDIG)


SDI of the Free State of Saxony

Overview on published spatial information

Metadata of spatial information resources

❙ ca. 4400 metadata sets in the Saxon metadata catalogue

❙ incl. 4 harvested catalogues of other organisations

Spatial data (according to INSPIRE Monitoring 2011)

❙ 340 data sets

❙ 90 services

❙ 75 view services (OGC WMS standard)

❙ 15 download services (OGC WFS standard)

No protected services available on the Internet, yet!!


SDI of the Free State of Saxony

Main stakeholders

SDI Coordination Centre

• Saxon State Spatial Data and Land Survey Corporation (GeoSN)

spatial data holding bodies

• federal state authorities

• local and municipal authorities

• scientific organisations

• corporations with public tasks

users

• authorities

• business organisations

• citizens


SDI of the Free State of Saxony

GeoSN - overview

Staatsbetrieb Geobasisinformation und Vermessung Sachsen (GeoSN) => “Saxon State Spatial Data and Land Survey Corporation”

❙ federal state authority for land surveying and cartography in Saxony

❙ in the area of responsibility of the Saxon Ministry of the Interior

❙ located in the city of Dresden

❙ ca. 260 employees

SDI of the Free State of Saxony

GeoSN – tasks and duties

Land surveying and cartography

role of a spatial data holding body

data producer

orthophotos, topographic maps, cadastral parcels …

Spatial data infrastructure

role of the SDI Coordination Centre

IT service provider

geoportal, spatial data server, metadata catalogue …

GeoBAK 2.0

Base Components for Spatial Information (GeoBAK 2.0)

Objectives

Providing central IT components for Saxon administrations and authorities ...

❙ to promote the exchange and sharing of spatial information in the Saxon SDI

❙ to support Saxon spatial data providers to fulfil their obligations regarding INSPIRE and E-Government

❙ to reduce redundant setup of components (to achieve economic efficiency)


Base Components for Spatial Information (GeoBAK 2.0)

Subcomponents / Applications

Geoportal

Metadata Catalogue

Map Viewer

Service Monitor

Spatial Data Security

Spatial Data Server

Spatial Data Processing

Spatial Data Store


Base Components for Spatial Information (GeoBAK 2.0)

Spatial Data Security component


Objectives and functionalities

❙ to protect spatial data services (to control access)

❙ to enable cross-component authentication (within the Geoportal and other GeoBAK user clients)

❙ to integrate existing user directories of Saxon SDI stakeholders (esp. of the Saxon state and local authorities)

❙ to enable single sign on (cross-domain authentication) within the Saxon and German SDI based on the SAML 2 standard

❙ Software

❙ securityManager, Active Directory (incl. ADFS) ...


Access management federation principle

[Diagram: Organisation A (GeoSN) and Organisation B (Administrative District of Central Saxony), shown with IdP and SP boxes; labels: "trust", "Authenticate at Identity Provider", "Access protected Service".]

IdP = Identity Provider

SP = Service Provider

Use Case – exchange of protected information in the Saxon SDI

Exchange of protected information in the Saxon SDI

Initial situation

[Diagram: local administration (district administration and municipalities): Administrative District of Bautzen, Administrative District of Central Saxony, other local admin. ...; state administration (state agencies and public enterprises): GeoSN (SCC), Environmental Agency, other State Agencies ...; IdP and SP boxes; label "Federation".]

Exchange of protected information in the Saxon SDI

Use Cases

[Diagram: local administration (district administration and municipalities): Administrative District of Bautzen, Administrative District of Central Saxony, other local admin. ...; state administration (state agencies and public enterprises): GeoSN (SCC), Environmental Agency, other State Agencies ...; IdP and SP boxes.]

[Diagram labels: Federation; GeoSN (SCC); IdP; SP; ADS; INSPIRE Services (three boxes).]

Technical Basis

❙ SAML 2.0 supports cross-domain identity federation

❙ Distributed Identity Provider (IdP)

❙ Distributed Service Provider (SP)

❙ Federation is organised by SAML metadata

❙ Describe all entities within the federation

❙ Define a trust relationship

❙ Result: Each user is authenticated for each resource

The Power of SAML 2.0
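
An added example, not part of the original slides: one way an SP can derive its trust decisions from federation metadata, as the bullets above describe. The metadata, entity IDs and URLs are constructed placeholders and the function names `load_federation` and `sp_accepts` are hypothetical; only the issuer and audience lookup is shown.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed federation metadata: two IdPs and one SP (all names are placeholders).
FEDERATION_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.org-a.example">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Location="https://idp.org-a.example/sso"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.org-b.example">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Location="https://idp.org-b.example/sso"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wms.org-a.example">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0" Location="https://wms.org-a.example/acs"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def load_federation(xml_text):
    """Map entityID -> endpoint URL for every IdP and SP the metadata describes."""
    fed = {"idp": {}, "sp": {}}
    for ent in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        sso = ent.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
        acs = ent.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        if sso is not None:
            fed["idp"][ent.get("entityID")] = sso.get("Location")
        if acs is not None:
            fed["sp"][ent.get("entityID")] = acs.get("Location")
    return fed

def sp_accepts(fed, own_entity_id, issuer, audience):
    """Trust decision only: the token's issuer must be a federation IdP and the
    audience must be this SP. Signature checks against the IdP key are not shown."""
    return (own_entity_id in fed["sp"] and issuer in fed["idp"]
            and audience == own_entity_id)
```

In a deployment the metadata file itself is signature-checked before it is parsed, and each assertion's signature is verified against the issuing IdP's key published in the same metadata.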


How does it work?

[Diagram: Organisation A (GeoSN) and Organisation B (Administrative District of Central Saxony), shown with IdP and SP boxes; step labels: Request, Authenticated?, IdP Selection, Login, Token, Request, Result.]

| 24.11.2011 | Andreas Hergert19


Contact information

❙ Andreas Hergert

❙ Staatsbetrieb Geobasisinformation und Vermessung Sachsen (GeoSN)

❙ E-Mail: andreas.hergert@geosn.sachsen.de

❙ Rüdiger Gartmann

❙ con terra - Gesellschaft für Angewandte Informationstechnologie mbH

❙ E-Mail: r.gartmann@conterra.de
