This talk will present a case study of how Astun implemented a single sign-on (SSO) system for a large commercial client. The client stored their spatial data in a PostGIS database and provided both direct access to the database from QGIS and access from QGIS via WMS, using GeoServer to carry out the styling and rendering of the data. Staff are divided into 4 teams, which are then subdivided by end client into small groups. Some of the data in the system is restricted to just the group working on a specific problem for a specific client, other data is shared with the whole team, and some is available to the whole company. The client brief was to move their on-site system to "the cloud", and to allow staff to connect to the data from anywhere in the world with only one user account and password for access to both PostGIS and GeoServer data. Initially, the project planned to leverage the existing corporate Azure Active Directory system to provide the necessary authentication and authorization. However, early experiments showed that the time between requesting a new group and it appearing on the server was (sometimes) longer than the lifetime of the new group. Astun provided an open source solution, using Keycloak to handle the user- and administrator-facing frontends, with user data being stored in an OpenLDAP server. It was then possible to use the LDAP service to perform authentication and authorization of users for both PostGIS and GeoServer, making sure that data restrictions applied in one were duplicated in the other. The talk will cover details of the process and look at some of the issues that were encountered during the project.
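As an added illustration (not code from the talk or from Astun), here is one way the parity described above could be derived from a single LDAP group hierarchy: the same group tree drives both the PostgreSQL role grants and the GeoServer layer rules, so a restriction is defined once. The group, table and layer names are constructed, and the assumption that GeoServer sees LDAP group names unchanged as role names is noted in the code.

```python
"""Derive matching PostGIS grants and GeoServer layer rules from one LDAP
group hierarchy, so a restriction defined once applies to both systems."""
from collections import defaultdict

# Constructed sample hierarchy: company > team > client-specific group.
# Maps each LDAP group cn to its enclosing (wider) group.
PARENT = {
    "acme_staff": None,           # whole company
    "team_a": "acme_staff",       # one of the teams
    "team_a_client_x": "team_a",  # small group working for one end client
}

# Constructed sample: layer -> (PostGIS table, narrowest group allowed to read it)
LAYERS = {
    "ws.basemap": ("public.basemap", "acme_staff"),
    "ws.team_a_sites": ("team_a.sites", "team_a"),
    "ws.client_x_survey": ("team_a.client_x_survey", "team_a_client_x"),
}

def narrower_groups(group, parent=PARENT):
    """Return `group` plus every group nested inside it, in a stable order."""
    children = defaultdict(list)
    for child, wider in parent.items():
        if wider:
            children[wider].append(child)
    out, stack = [], [group]
    while stack:
        g = stack.pop()
        out.append(g)
        stack.extend(sorted(children[g], reverse=True))
    return out

def postgres_sql(layers=LAYERS, parent=PARENT):
    """PostgreSQL roles mirror the LDAP groups. GRANT wider TO narrower lets a
    member of the narrow group inherit the wider group's privileges, so each
    table needs only one GRANT SELECT to its narrowest permitted group."""
    sql = [f"CREATE ROLE {g} NOLOGIN;" for g in parent]
    sql += [f"GRANT {wider} TO {g};" for g, wider in parent.items() if wider]
    sql += [f"GRANT SELECT ON {table} TO {group};" for table, group in layers.values()]
    return sql

def geoserver_rules(layers=LAYERS, parent=PARENT):
    """GeoServer layers.properties lines (workspace.layer.r=ROLE,...). The file
    has no role inheritance, so each rule lists the narrowest group and every
    group nested inside it. Assumption: the GeoServer role service exposes the
    LDAP group cn values unchanged as role names."""
    return [f"{layer}.r={','.join(narrower_groups(group, parent))}"
            for layer, (_table, group) in layers.items()]
```

Running both generators from the same PARENT and LAYERS tables is what keeps the PostGIS and GeoServer views of a restriction in step; a group added to PARENT shows up in both outputs on the next run.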