That’s All She Wrote

Somewhat delayed by my involvement in the transition of UK federation operations on 1st August 2011, the WSTIERIA project web page has now been updated to include the project’s deliverables, including the final report.

The main direction of the project since previous posts progressed from the “facade” approach to investigating the delegation features in Shibboleth. These allow a web application to invoke web services on behalf of a logged in user without the user having to authenticate directly with those web services.

With a little hand-holding from the project’s consultant (Chad La Joie from the Shibboleth team), we managed to deploy and configure a complete minimal system, a kind of “hello, world!” delegation example: a Shibboleth identity provider with the delegation plug-in, a Shibboleth service provider controlling access to a test web application, and another Shibboleth SP protecting a test web service. We were able to demonstrate a user logging in to the web application and viewing output from the protected web service, without the user having to log in separately to the web service. (In fact, we demonstrated this “live” to the project’s JISC programme manager on a site visit).

The test system, and our experience of setting it up, are described in the WSTIERIA project’s final report. The software is functional, although at this stage still somewhat challenging to configure correctly. Because of the dependence on SAML2 support at all the entities involved, and also because all users’ identity providers must be specially configured with the entity IDs of both the web application that will perform delegation, and the entity IDs of the web services that the web application will log in to on the user’s behalf, there is a question mark over whether the technology can yet be practically deployed in applications where users from many different institutions are expected. Where the user base is more constrained, and in particular for intra-institutional applications such as the original student portal use case for which the software was developed, it should be more immediately deployable in the field.

The Shibboleth team is looking at ways of simplifying delegation configuration in several ways that could make cross-organisational scenarios much more tractable (for example, by allowing the identity provider to trust a given web application to delegate without requiring knowledge of the entity IDs of all the target web services).

Application of those future possibilities is likely to fall to others though, as after several years of working on access management at EDINA, I will be moving on in September. This will therefore probably be my last blog post here.

Posted in Uncategorized

OGC Interoperability Webinar

The WSTIERIA project recently participated in a webinar which showcased a number of different approaches to federating access to geospatial (OGC) web services. An OGC press release describes the event and its potential significance for future access to (inter) national geospatial data in Europe.

We presented the facade approach developed previously, demonstrating single sign-on from an unmodified desktop GIS client application (QGIS), to two separate OGC Web Map Services (WMS), with authentication taking place separately in a standard browser. These were unmodified services, with access controlled by IP address in one case and a developer API key in the other. Two facades were put up for the event, additionally enabling federated access to these services.

It was interesting to see the range of other approaches that were presented. A number of commercial vendors demonstrated prototype versions of their desktop GIS client offerings, modified to forward authentication requests from web services (via the ECP protocol or otherwise) to an identity provider selected from those listed in a given federation’s metadata by using a built-in graphical user interface. In several cases, the authentication forwarding was based on template open-source Java software developed by Andrew Seales and others in the EDINA geospatial team. One participant demonstrated access to federated web services from unmodified desktop clients by means of a facade application locally installed on the client system, which proxies federated services to plain HTTP localhost-only ports (a flexible approach we also considered earlier in WSTIERIA).

Many thanks to Chris Higgins of the EDINA geospatial team for inviting WSTIERIA to take part in this event. He is involved both in WSTIERIA and in the OGC Interoperability Experiment and EDSIN projects described in the press release.

WebDAV as a Web Service for Non-Specialists

One question that has been raised about the WSTIERIA project has been how to make the facade technique more accessible and intelligible to potential users who are not geospatial specialists, given that the source of the work, and therefore the original examples, were from that particular domain.

During discussions with the SDSS team at EDINA, one possibility that came up was to think about trying to use the facade technique to make federated authentication work with WebDAV. For those not familiar with it, WebDAV allows a web server (such as Apache) to make a directory tree on the server’s host system accessible to remote clients via an XML-based web protocol. One of the attractive properties of WebDAV is that clients for the protocol come built in to common desktop operating systems, including Linux and Windows. In both systems, the client presents a web directory using the same user interface as if it was a directory in the local file system. Also, WebDAV servers are available as plug-in components for both Apache and Windows IIS. The combination of standard servers and clients would allow anyone interested to experiment with adding federated access.

Additionally, such a facility might be of practical use. Consider a directory of shared files that are too large to e-mail conveniently but should not be made public. It might be possible using WebDAV plus federated authentication to make these available to selected users via their existing federated access credentials. A specific approach to this problem has been discussed on the JISC-SHIBBOLETH list in the past but we wanted to see if our general technique could tackle it.

We duly set off down the road of attempting to add a federated authorisation facade in front of a WebDAV server and have now published WSTIERIA Technical Note 2 describing our experiences.

The result was something of a mixed bag. On one hand, we did browbeat both Linux and Windows clients into accessing an Apache WebDAV server via a very simple federated authentication facade within the UK Federation. On the other hand, only partial client functionality was supported: opening, viewing, creating and deleting files in the web directory. Some peculiarities of the WebDAV protocol prevented the use of the general facade technique from technical note 1 unmodified for creating directories and some other operations involving renaming. A different implementation specific to the WebDAV protocol (such as the one linked to above) should be able to handle those issues but we did not take that additional step as our main interest is in authorisation for web services in general.

An Implementation of the Facade

During January and February 2010, initially as familiarisation with previous work, I began experimenting with implementation approaches to the facade software strand of the project. Eventually these converged on a method of persuading an Apache web server to act as the authorising proxy (facade). This has now been written up as WSTIERIA Technical Note 1, available on the project web site.

If you’re interested in this approach to supporting federated web services, there should be enough in the document to allow you to have a go yourself using nothing more than a stock installation of Apache and a little scripting (the examples in the document use perl).

I am hoping that by releasing working documents as we go along like this, it may be possible to generate engagement with others in the community with an interest in this area well before the final report appears and the project ends.

The focus is now shifting towards applying the method to real use cases. After presenting an overview of the project to an internal EDINA audience last week, a meeting with representatives from the different application groups within the organisation has been arranged for next week.

In terms of the project work packages, the release of this technical note constitutes completion of task 11 (milestone M1), prototype facade implementation based on standard Shibboleth SP software. Given that the implementation is much simpler (and therefore likely more robust) than originally envisaged, consisting mostly of configuration rather than code, and has now been written up for a general audience, it will probably also be treated as being at least the first version of task 13, released facade implementation.

Give it a REST

One point that came up during questions at both recent WSTIERIA talks (at the AIM Programme start-up meeting and the OGC TC meeting) was whether the “authorisation facade” method adopted from the previous SEE-GEO project could properly be said to be applicable to RESTian web services.

In fact, we have been using “REST-style” simply as shorthand for “non-SOAP-based” web services. Although the authorisation facade can easily be seen as a connector component enforcing security policies within a RESTian layered system, its requirement for the presence of an explicit session id in URLs embeds state into those URLs. A particular session id may be valid at a given time but will soon expire, leaving the client with a broken link that cannot be used to access the resource in the longer term.

This isn’t a complete show-stopper of course, because many simple web services are accessed by plain HTTP (without SOAP) but don’t require the full panoply of REST architectural features. Nevertheless, we should endeavour to be more accurate in the terminology used in future.

Incidentally, this is one reason for being interested in OAuth WRAP (the current specification is available in the files area of its Google groups site). WRAP has some conceptual similarities to the SEE-GEO/WSTIERIA method but uses the HTTP Authorization: header to carry a token, exploiting the extensibility built into that part of the HTTP standard, rather than using the URL. Others have used cookies. In either case, the session id or token is taken out of the URL. WRAP additionally provides a mechanism for the client to renew expired tokens. The drawbacks are that, although it has been submitted to IETF for standardisation, WRAP is not yet widely deployed (but implementations are starting to appear, notably from Facebook and Microsoft). The client must also support the protocol. Working with completely unmodified clients, which do not support WRAP (or even cookies), therefore remains one of the strengths of the SEE-GEO/WSTIERIA approach, justifying placement of the session id in the URL.
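The trade-off discussed in this post and in the facade implementation note above, as an added Python model of the facade's credential check; this is not code from the WSTIERIA technical notes (which use a stock Apache and perl), and the `/s/<sid>/...` URL layout, the one-hour session lifetime and the `WRAP access_token="..."` header form are assumptions made for the illustration:

```python
import hmac
import re
import secrets
from dataclasses import dataclass

SESSION_TTL = 3600  # assumed session lifetime in seconds (not the project's value)


@dataclass
class Session:
    user: str
    expires_at: int


class Facade:
    """Checks the credential on each request and maps the public facade URL
    to the protected back-end URL it fronts (constructed model, not the
    project's Apache configuration)."""

    def __init__(self, public_prefix: str, backend: str):
        self.public_prefix = public_prefix.rstrip("/")  # e.g. "/s"
        self.backend = backend.rstrip("/")
        self._sessions = {}

    def issue_session(self, user: str, now: int) -> str:
        # Called once the browser-side federated login has succeeded; the id
        # is then embedded in the URL handed to the unmodified client.
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session(user, now + SESSION_TTL)
        return sid

    def _valid(self, sid: str, now: int) -> bool:
        # Compare against every stored id in constant time so response timing
        # does not reveal whether a guessed id exists.
        match = None
        for stored, sess in self._sessions.items():
            if hmac.compare_digest(stored, sid):
                match = sess
        return match is not None and now < match.expires_at

    def authorise(self, url: str, now: int, authorization: str = ""):
        """Return (status, backend_url): 200 = forward to the back end,
        401 = no credential presented, 403 = credential unknown or expired
        (the 'broken link' case for a session id baked into a URL)."""
        from urllib.parse import urlsplit
        parts = urlsplit(url)
        path, sid = parts.path, None
        # Credential in the URL, /s/<sid>/<service path>, for clients that
        # cannot send headers or cookies.
        m = re.match(rf"^{re.escape(self.public_prefix)}/([^/]+)(/.*)$", path)
        if m:
            sid, path = m.group(1), m.group(2)
        elif authorization:
            # WRAP-style header (assumed form): Authorization: WRAP access_token="..."
            h = re.match(r'^WRAP\s+access_token="([^"]+)"$', authorization)
            if h:
                sid = h.group(1)
        if sid is None:
            return 401, None
        if not self._valid(sid, now):
            return 403, None
        target = self.backend + path + ("?" + parts.query if parts.query else "")
        return 200, target
```

The header path exists to show that the same store serves a client that can send an Authorization: header; a client that can send neither headers nor cookies is limited to the URL form, with the expiry behaviour the post describes.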

Presentations Added To Project Web Site

Two recent presentations are now up on the WSTIERIA web site, which also now links back to this blog. The first is a short overview of the project (PDF, PPT) presented in a ten-minute talk at the AIM Programme start-up meeting, the second is a slightly more in-depth look (PDF, PPT), with a block diagram showing how a facade can handle web service authorisation. This was an invited talk at last week’s Open Geospatial Consortium (OGC) Technical Committee meeting at Frascati in Italy.

OGC Technical Committee Meeting, Frascati

Having now made it back to Edinburgh (after a six-hour delay leaving Rome Ciampino airport on Friday due to a General Strike in Italy) I thought I should set down my impressions of the OGC meeting itself.

My presentation (PDF, PPT) about WSTIERIA to the Security working group got a fair number of questions, which is usually a good sign, and the chairman reckoned it had hit the right level for the audience (though after he had asked for an earlier draft to be made less detailed, with fewer slides!)

This was the first OGC meeting I have attended, so other than giving the talk I had two days to meet and greet new people, ably introduced by my colleague Chris Higgins, and become attuned to the feel of the event and the interests of those attending.

The OGC seems to be trying to enhance as much as possible of the web with geospatial information and queries, covering as many services and protocols as possible. This is of course a very large task, touching on most areas of current interest in web development, up to and including the Semantic Web, and so the scope is extremely wide. It is a formal standards organisation with well defined processes, strongly influenced by the ISO example. My colleagues Sandy Shaw and Ed Dee, who have both served on big standards committees, would be right at home here. Formal motions are put. I witnessed one proposal being politely but brutally ambushed and shot down but most others got “assumed unanimous consent”, which appears to be an accepted idea. This is interestingly combined with free-flowing, detailed technical discussion of proposals. It’s been years since I’ve been even tangentially involved with standards work (last time I think was an occam language binding for MPI, really…) but it all came flooding back. There was the cut and thrust of good ideas presented by clever people. My favourite here was a proposal for a one-dimensional co-ordinate system to be available in addition to the 2 and 3-D co-ordinates usually used for geographic location, to accommodate “2 miles past Junction 12 on the M6” and so on (the railway anorak in me wanted to ask about offsets in miles and chains, but I resisted).

Of course, there is also the grinding of corporate and personal axes, the impossibly annoying hair-splitting and the “wow, I didn’t think of that!” My favourite in this last category was a question from the floor to a presenter looking to define a geospatial query extension to the OpenSearch interface to search engines, as used by the built-in search boxes in modern browsers. The presenter’s main ambition was to keep it simple and enable mass-market adoption. The question: why does your proposed interface assume that the location is on the Earth? Apparently, the existing specialised interfaces for searching OGC service catalogues already allow for places on the Moon, Mars and Beyond!

Interlude: London and Italy

It didn’t make much sense to travel back from London to Edinburgh on Thursday evening only to fly out on Tuesday to Italy to give a talk at the Open Geospatial Consortium (OGC) Technical Committee meeting in Frascati. Instead, I decided to meet up with friends in London on Thursday evening, do tourist things in London on Friday and fly out to Rome on Saturday morning.

I stayed on for an extra day at the Devonport House hotel in a personal capacity, and since I was starting at Greenwich went for a wander through Greenwich Market and into the Royal Park. One of the culinary highlights of the trip was an excellent Ethiopian veggie carry-out lunch in a plastic box from one of the market stalls: chick peas, potatoes, carrots that I could see, with chilli, lime pickle and other less identifiable spices. I ate that walking through the park going up the hill to the Royal Observatory.

After that I went hunting locally for a travel keyboard and mouse. My venerable HP TC1100 convertible tablet was always destined to have keyboard trouble given the complicated converting hinge mechanism, but it and its predecessor almost-identical Compaq model had in fact survived quite happily since 2003 until recently. On this trip the keyboard died completely. Unfortunately nothing was available locally, so I ended up going to the huge shopping centre that lies beneath Canary Wharf to try and find something suitable. Since I was in tourist mode anyway, this was combined with lots of rubber-necking up at One Canada Place and the other bombastic 80s towers about there, which was all quite fun since it was a beautiful sunny day. It took forever to find Curry’s Digital, since the maps show the three stacked shopping levels as if they were adjacent streets in the same plane rather than on top of each other. The nearest thing they had was a smallish Logitech desktop keyboard that fits in my backpack and has done the job. (Handwriting recognition is fine for short phrases but tedious on long text).

Off then to Gatwick airport. I had asked Julie, who does EDINA’s travel organising, for an airport hotel, and she had booked me into the Yotel, which turns out to be physically inside the South Terminal (down in the lift beside the Costa coffee shop), which is great. The compromise is that they offer “cabins” rather than rooms, with just enough space for a single bunk bed, a drop-down table, a folding camp stool hung on the door, a shower and basin, with eerie low-level purple lighting, and booked by the hour! The effect being aimed at is a luxurious, super-first class, flat-bed aircraft seat plus shower (A380-style) or a ship’s cabin, rather than a hotel room, and it works quite well. Breakfast is bookable from the “galley”.

The upshot was just a short walk to my 0650 flight and away. Easyjet go to Rome Fiumicino so in to Termini station on the Leonardo Express (about 30 minutes) then change for Frascati, avoiding the various pickpockets, con artists and other dodgy characters who hang around Termini waiting to pounce on tourists. It’s only another 30 minutes on the train to Frascati and a taxi to the hotel. Because this part of the trip was non-work I splashed out for a very nice converted palazzo out of town, built by a Cardinal in the 1580s, where you can sit around reading a magazine in the great hall looking at the original frescos. Occasionally a guided tour party wanders past! Dinner there on Sunday was matchingly excellent, then off down-market on Monday to a cheaper, motel-style place I had chosen for the OGC conference! My colleague Chris Higgins arrived on Monday evening so we had a beer in the hotel bar before turning in.

AIM Start-Up Meeting

Thursday 4 March was an all-day start-up meeting for the JISC Access and Identity Management (AIM) Programme at Devonport House in Greenwich. Chris Brown ran us through how projects are expected to interact with the programme as a whole, project reporting and so on. Later in the day, Andy McGregor from JISC introduced the new JISCPM project management forum, complete with its own #jiscpm twitter hashtag.

The rest of the day was mainly a short presentation from each project in the programme. These ran in alphabetical order, so WSTIERIA was up last (didn’t think of that one when choosing the acronym, maybe A1 Web Service Plumbers would have been better…)

The GRAND project at Newcastle also has an N-tier element, but based on Kerberos so targeted at back-end tiers within a single administrative domain. The example use cases mentioned were federated login to something like a student portal, with the portal getting a Kerberos ticket allowing it to invoke back-end services such as an enterprise e-mail system (to show the student that they have pending mail), or a file system.

The most unexpected potential commonality was with the Student-Managed Access to online Resources (SMART) project, also at Newcastle. Maciej Machulak described the work they are doing as contributors to the new User-Managed Access (UMA) standard within the Kantara initiative. I mentioned I had taken a look at OAuth WRAP because of its conceptual similarities to the web service access-control façade idea from the previous JISC/EDINA SEE-GEO project on which WSTIERIA is based. Maciej says that UMA has some similar features. Both he and Aad van Morsel from SMART suggested a visit to Newcastle, which sounds well worth while.

AIMing Together

I got a taxi from the meeting with MIMAS to Piccadilly Station. I cut it a bit fine though. The 13.55 to London Euston pulled out just a couple of minutes after I got sat down. The train was quite quiet and we had a mostly unimpeded run down the West Coast main line in about two hours. The plan was to take the Northern Line to London Bridge and change there to get to Greenwich main line station for the JISC AIM Programme’s get-together dinner that evening in Greenwich. Luckily I saw the whiteboard with the notice about a line-side fire at London Bridge that was causing major disruption, so switched horses and took the Docklands Light Railway from Bank out to Cutty Sark via Canary Wharf instead. I got the benefit of a front seat, the driverless DLR being one of the few trains where you can see out the front as if you were the driver, adding to the tourist experience.

We all met up at the Admiral’s Bar in the Devonport House hotel to walk to the nearby restaurant (everything in Maritime Greenwich has a nautical flavour). It was a good choice of place and there were few enough of us (about a dozen) for people to be able to talk to each other. I was sat next to a trio from the University of Kent: Bonnie Ferguson, George Inman and Matthew Slowe. Bonnie corresponded with me previously when I was doing SDSS technical support for the UK federation but we had never met; George had corresponded with me when we were both working on the JISC Review of OpenID but we had only previously met once (at the AIM Programme Briefing Day in Birmingham in September 2009); Matthew and I were meeting for the first time. Chris Brown, the JISC Programme Manager, was also sitting next to us.

Other than just getting to know each other a bit better, I got to find out a bit more about the AIM project that Kent is working on, Logins for Life. This is a joint attempt by Kent’s information services directorate and David Chadwick’s information systems security research group in the school of computing to look properly at how individuals could access university services using whatever existing personal account(s) they might already have (e.g., an OpenID). The accounts used might also change over time. This is instead of the present approach of having to use a university-issued account to access university services. This was one of the possibilities we looked at in the OpenID review, which was a joint effort between Kent and EDINA. It always seemed quite appealing to me (I remember floating it in a blue-sky discussion with Nate Klingenstein) but we got a dose of cold water from the (few) actual IT support people we spoke to (“how would that benefit the institution?”) So it’s good to see Kent having a go.