Authentication for OpenGIS® Web Services
In order to support access protection in a Service-Oriented Architecture, as it can be established with OpenGIS® Web Services, it can be important to provide a Single Sign-On (SSO) mechanism or to use federated identities. Both possibilities are supported by the Security Assertion Markup Language (SAML), a standard from OASIS.
In an architecture where the management of access rights is not limited to one's own security domain, it is important to use a common language to exchange rights. This becomes particularly important in a Spatial Data Infrastructure, where geographic information from different providers is to be used in combination. Based on an SSO mechanism or on federated identities, a user's rights can be managed so that the appropriate rights are in place at each provider and the data sources can be combined as a particular job description requires.
The realization of an SSO mechanism requires a trusted party that provides proof of identity for all participating providers. Such an Identity Provider can offer login and logoff and, in addition, provide assertions based on the user's identity. If all providers rely on those assertions, a logoff is recognized immediately and can be handled accordingly. SAML is the supporting standard for exchanging identity information in a standardized way.
In addition, SAML supports different bindings, which is important for OpenGIS® Web Services because they provide HTTP GET, HTTP POST and SOAP bindings. To deal with the HTTP GET and POST bindings, the SAML Browser SSO Profile can be leveraged. It is based on artefacts that function as references to assertions provided by the Identity Provider. This enables the exchange of identity information from an OpenGIS client to a service by means of a vendor-specific parameter: a request can simply be extended by the KVP SAMLart=… .
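The following Python example, added here and not taken from the original article or from the GeoXACML project, illustrates both halves of the exchange just described: the client appends a SAMLart key-value pair to an ordinary OGC KVP request, and the service extracts the artefact and checks it before resolving it at the Identity Provider. The artefact layout follows the SAML 2.0 type-4 artifact format (TypeCode, EndpointIndex, 20-byte SourceID, 20-byte MessageHandle), where the SourceID is the SHA-1 of the Identity Provider's entity ID. The WMS request, the IdP entity ID, the artifact-resolution URL and the function names are constructed for the example; the actual resolution call over the SOAP binding is left out, because it depends on the provider's deployment.

```python
import base64
import hashlib
import os
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# SAML 2.0 type-4 artifact layout (SAML 2.0 Bindings, section 3.6.4):
#   TypeCode (2 bytes) | EndpointIndex (2 bytes) | SourceID (20 bytes) | MessageHandle (20 bytes)
SAML_ARTIFACT_TYPE = b"\x00\x04"
ARTIFACT_LEN = 44


def source_id_for(idp_entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the Identity Provider's entity ID."""
    return hashlib.sha1(idp_entity_id.encode("utf-8")).digest()


def make_artifact(idp_entity_id: str, endpoint_index: int = 0,
                  handle: Optional[bytes] = None) -> str:
    """Build a base64 type-4 artifact, as an IdP would hand it to the client (constructed here)."""
    handle = handle if handle is not None else os.urandom(20)
    raw = (SAML_ARTIFACT_TYPE + endpoint_index.to_bytes(2, "big")
           + source_id_for(idp_entity_id) + handle)
    return base64.b64encode(raw).decode("ascii")


def add_saml_artifact(request_url: str, artifact: str) -> str:
    """Client side: append SAMLart as a vendor-specific parameter to an OGC KVP request.
    urlencode percent-encodes the '+', '/' and '=' characters a base64 artifact may contain."""
    parts = urlsplit(request_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("SAMLart", artifact))
    return urlunsplit(parts._replace(query=urlencode(query)))


def extract_saml_artifact(request_url: str) -> Optional[str]:
    """Service side: pull SAMLart out of the query string.
    OGC KVP parameter names are case-insensitive, so compare in lower case."""
    for key, value in parse_qsl(urlsplit(request_url).query, keep_blank_values=True):
        if key.lower() == "samlart":
            return value
    return None


def parse_artifact(artifact: str, trusted_idps: dict) -> dict:
    """Decode the artefact and check that its SourceID belongs to a trusted Identity Provider.

    trusted_idps maps an IdP entity ID to its Artifact Resolution Service URL (assumed
    configuration). The MessageHandle is opaque: the service must still resolve it at that
    URL over the SOAP binding before it may trust any assertion. Raises ValueError on a
    malformed artefact or an unknown SourceID.
    """
    try:
        raw = base64.b64decode(artifact, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("SAMLart is not valid base64") from exc
    if len(raw) != ARTIFACT_LEN or raw[:2] != SAML_ARTIFACT_TYPE:
        raise ValueError("unsupported artifact type or length")
    endpoint_index = int.from_bytes(raw[2:4], "big")
    source_id, handle = raw[4:24], raw[24:44]
    by_source = {source_id_for(entity_id): entity_id for entity_id in trusted_idps}
    if source_id not in by_source:
        raise ValueError("artifact SourceID does not match any trusted Identity Provider")
    entity_id = by_source[source_id]
    return {
        "idp": entity_id,
        "resolution_url": trusted_idps[entity_id],
        "endpoint_index": endpoint_index,
        "handle": handle,
    }


if __name__ == "__main__":
    # Constructed sample values: a WMS GetMap KVP request and a fictitious IdP.
    IDP = "https://idp.example.org/saml"
    TRUSTED = {IDP: "https://idp.example.org/saml/ArtifactResolution"}
    wms = ("https://wms.example.org/ows?SERVICE=WMS&REQUEST=GetMap&VERSION=1.3.0"
           "&LAYERS=roads&FORMAT=image/png")
    artifact = make_artifact(IDP)
    url = add_saml_artifact(wms, artifact)
    print("client sends:", url)
    received = extract_saml_artifact(url)
    if received is None:
        raise SystemExit("no SAMLart in request: treat as anonymous or reject")
    info = parse_artifact(received, TRUSTED)
    print("resolve handle at", info["resolution_url"], "for IdP", info["idp"])
```

The service-side check is deliberately conservative: an artefact whose SourceID does not match a configured Identity Provider is rejected before any network call, so an attacker cannot make the service contact an arbitrary resolution endpoint by supplying a crafted SAMLart value.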
More information and a demonstration are available at www.GeoXACML.org.