WMS Access Control within IGIBS

One of the goals of IGIBS is to allow users to generate protected WMS services using SAML-based access control. The technology behind this is based on prior research carried out over the past few years by EDINA for the EU-funded ESDIN project. The ideas produced by that project have been successfully tested within the OGC Shibboleth Interoperability Experiment – see also the INSPIRE2011 page on this blog.

In order to access a protected WMS generated by the IGIBS factory tool one needs either:

  1. A modified desktop client that supports the SAML ECP protocol.
  2. The browser-based IGIBS mapping client.

Anyone interested in using a desktop client to access IGIBS protected services is encouraged to download the EDINA-modified version of OpenJump. Further information about how the Enhanced Client or Proxy (ECP) profile works is available from OASIS.
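To make the ECP exchange concrete, here is an added example (not code from IGIBS, EDINA or OpenJump) showing what an ECP-capable client has to do on its side: advertise PAOS support in its WMS request, pull the responseConsumerURL and RelayState out of the SP's PAOS envelope, and check that the IdP's AssertionConsumerServiceURL matches before forwarding the assertion. The SOAP envelopes, URLs and IDs are constructed placeholders; the header values and namespace URIs are those of the OASIS ECP profile.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"}

# Headers an ECP-capable client adds to its WMS request so the SP answers with a
# PAOS-wrapped AuthnRequest instead of the browser-style redirect that XHR cannot handle.
ECP_REQUEST_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Constructed sample: the SP's PAOS response (URLs and IDs are placeholders, not IGIBS values).
SP_PAOS = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp">
 <S:Header>
  <paos:Request S:mustUnderstand="1" responseConsumerURL="https://wms.example.org/sp/ecp"
    service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  <ecp:RelayState S:mustUnderstand="1">ss:mem:placeholder</ecp:RelayState>
 </S:Header>
 <S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1"
    Version="2.0" IssueInstant="2011-06-01T12:00:00Z"/></S:Body>
</S:Envelope>"""

# Constructed sample: the IdP's SOAP response after the user authenticated (body elided).
IDP_RESPONSE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp">
 <S:Header><ecp:Response S:mustUnderstand="1"
    AssertionConsumerServiceURL="https://wms.example.org/sp/ecp"/></S:Header>
 <S:Body/>
</S:Envelope>"""

def parse_sp_paos(xml_text):
    """Return (responseConsumerURL, RelayState, body element) from the SP's PAOS envelope."""
    env = ET.fromstring(xml_text)
    rcu = env.find("soap:Header/paos:Request", NS).get("responseConsumerURL")
    relay = env.find("soap:Header/ecp:RelayState", NS)
    return rcu, (relay.text if relay is not None else None), env.find("soap:Body", NS)

def idp_acs_url(xml_text):
    """AssertionConsumerServiceURL the IdP says the assertion is destined for."""
    return ET.fromstring(xml_text).find("soap:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")

def exchange_is_consistent(sp_xml, idp_xml):
    """ECP profile check: the client compares the SP's responseConsumerURL with the IdP's
    AssertionConsumerServiceURL and must answer with a SOAP fault (not forward the
    assertion) when they differ, so a rogue SP cannot have the assertion delivered elsewhere."""
    rcu, _, _ = parse_sp_paos(sp_xml)
    return rcu == idp_acs_url(idp_xml)
```

The SOAP body returned by parse_sp_paos is what the client forwards to the IdP's ECP endpoint with the user's credentials; only when exchange_is_consistent is true should the IdP's response be posted back to responseConsumerURL, with the RelayState echoed in its own header.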

As far as browser-based clients are concerned, the main challenge in accessing a protected WMS from a browser is that AJAX applications use the XMLHttpRequest object, which does not support creating new cookies or handling HTTP redirects. These operations are, however, crucial for satisfying the requirements of the SAML2 Web Browser SSO profile. This shortcoming also applies to OpenLayers, which will not connect to a protected WMS without some extra configuration and JavaScript code changes. To that end, EDINA has made available a patched version of OpenLayers which allows XMLHttpRequest with cookies and redirection using a novel approach which is explained in detail here.

For the above reasons the IGIBS browser-based client uses the EDINA version of OpenLayers as a base. Interested parties are very much encouraged to download it and provide feedback and/or criticism for further improvements.