Enterprise Single Sign-On in GeoServer: where do we stand?

Speech transcript (automated, beta)
OK welcome to the 2nd session today we have a presentation by Francesco Bartoli on enterprise single sign-on in GeoServer so that fell yeah I think about thank you good morning in there and I'd
like to thank you model of the previous presented to point out that the security it's far today I want to speak about a little bit of perspective on how to implement security in GeoServer so we have some I'm from Geobeyond that we are as besides the company in images as mutagens special solution and identity and access management system we are passed on all bombers special as a solution provider for the OpenGeo Suite and we have found that the uh reveals that he's an Italian professional open source network we different companies that color different kind of stuff like to Boston business intelligence the data and so on the so I will try to do a very very faster on the forest and uh on the 1st part of the story because of our own as a rating it is at that a lot of features of the ideas of security model so you that the it is these upon springs and are allowed to Due access management we felt institutions and authorization that is that you mean features in our protecting areas arsewipe institutional injures seveties basic on field service providers and chain while at decision is based on groups roles and can be a separated into 2 so data management and service management real and uh it is composite by for the identity management by internal provided an external provider the so let's 7 OK that's GeoServer out institutions so basically we have field the field there can be a deletion to the servlet container can be and rules can be to like remember me for the intuition of from these requests can be formed bases can be based upon syste the gates are we can proxy http either from an external system and we can have GeoServer a basic and I just of institutions and also we can have from our leaders as well cadential directly providers can be as I say the internal like as a molecule before our we can have a user information from that busy the based user groups series of weak credentials and the username basically username and password that and as well we can have the them
now use information from an LDAP server where the user can move by and for task username and password and as well we that JDBC database trying to connect to the user that so again we have changed to that challenge or better field there's a against out
integration schemes the that's right we can name provider during an atom and institutions so uh and there you will use that that chain and a little bit requests as as soon as at least 1 scheme succeeds In the part in the pipeline so let's let's evolution can into field the against providers chain provided before the old integer actually yield institutions while the selected this specific Ultimate Edition scheme dropped by for every cluster so basically for example if an atom tradition is actually required or not and also feed that can be separated by Billy quiz-style we need a matching of rules are as users can be and described by uh the me to the HTTP Media a part of and a regular expressions for the cuisine by the but is
a shot so we have that as a
seat roles rules entities we and mean finance and a set of key-value previous associated to the privileged and the permitted the resistors for a user and can be assigned you to users and groups of them our rules supports inheritance and we have in GeoServer different service every system rule like our rule of state world group at mean parole of indicator and roll and onions while forest can for example you that specified just bullet indicated to users rule can be several the by a different kind of old persistence can be an XML file from their old salaries are so just so file a role.xml in the GeoServer that the directly can be extracted the from a JDBC that of these can be defined at the inside the deployment discrete to all the to year-old services and can be and can be sent from and that data server in GeoServer where we can get rules we can
get so far from the user's group services so actually retrieving the active role directly so they confuse the rule set of is that we need some limitation like we cannot that have group membership and casseroles and by using an HTTP beta activity so in such cases rules I receive it through I know about proxy authentication so I can for it's for instance I can then define my guest or Edo might rules we different roles so there are many of you will scan a having GeoServer of weekend separates and distinguish them up by uh the management of data so that's only year label and the data management of this service so that the different type in wsml services like domestic public 1st and WCS 1 so that the management of that provides security if you of that although you can combine with spacer layer of permission and rule and also you can use the catalog while at level you can defines the specific use of by separating would you see services and what they also you can never be addressed in a series of specific rules as well so these users are for example the syntax of the early years in GeoServer uh and the right and as you can see here that we can have permission for read-modify-write more and at the moment and there are other examples of forests on define it real and while disease this seems that's an example for basic security servers while these these these slides that explain how we can define uh we've the seen over REST services as well as the rule that explain uh and said uh this security as a service level of for the rest API all we
can also have the plugins so GeoFence and CAS for single sign-on and basically uh the main difference between GeoFence and this time the security the so that the idea France he served utility of the these efficiencies system that allows you will see uh that overcome the limitation for becoming a shot of said recently is key but so I I would like to and up to but the point of this talk but I I am
wondering and I have some doubts so that the 1st question easily unable to satisfy the technical security requirements for enterprise single-sign-on In just said we GeoServer and collateral stuff that I can using my infrastructure well the the the the answers were more or less easily yes but so I have an additional question can achieve a simple security model we'd arabists including go what I use every user a geospatial and giant for managing geographical information system while ctd but will from as a specific software for managing identity and access management system so basically I would like to point out to sound simple business security requirements so the 1st thing is keep security as simple as possible the that have at the end and the M Lady Katie infrastructure it's and medium Adler and software for implementing identity and access management the and also probably and their their the main rule is and the mean requirement is to to control the governments all over the requirements and the columns in the colleges users to adapting your system to the proliferation of digital identities for instance I mean identities passage of the week and Internet of Things which means in terms of geospatial concept MSE value over all geographical information to be executed and also are and other um you reason to go to as them out identity and access management software easily to adopting a centralized rule drive and security policy more those that as the number of rules as little work as possible so let's have a look at how can our many and how it can be the the the main concepts in identity and access management the user management and its life cycle for the provisioning of identity has to be central in the enterprise so the security has to be a procedures topics you have to respect the challenge with different kind of security mechanisms like uh of indication figuration social vindication more by security of integration are possible blessed end users to manage the axis also
you you have to respect to to challenges we need the management all over of the provisioning of identities that is a different task of from authentication and cultivation but so for this separation of of the up indication phase from the optimization and applied and the consists consequently up by that all these different policies from of integration and up at the musician achieved by different strategies for your calls green at the and finding it always is seen a model plan and design neural so before that that their number will become ungovernable so let's have a
look at and so I want to introduce to you the ForgeRock platform that is composed by 2 4 components of OpenAM it's only in 1 axis management solution you have authentication single-sign-on optimization fit edition and web services security are you ever since the lights were flow and provisioning for their identity all users devices and things with OpenIDM and you have a there and uh we know that a coup feature because that every the every every service is justified in OpenDJ this is so the features of this standard of architecture of for general so you can have a uh uh you can have a little at and you can see I will out there the main the main concept is that there this but for ease of some the schools as a model about 4 so you can composer uh by choosing your what what you requests in terms of identity and access management and the components of the ForgeRock suite that you need need so open a and E so uh a components specific of for the axes management that you ever out integration single only you can manage we different uh social sign on and also shows on providers Facebook completed loaded taboo and many others you have you can have a strong institutions need to so you can and will defect or authentication adaptive additional for cross-domain user manager access itself that these management and building that is probably yes I I think you did the question that before someone at about the looking what the user that is actually accessed services is used that can be theories of diseases yeah uh the the the focus on the main components of the OpenAM and then I will
OpenAM can feed we GeoServer well we have the in OpenAM 2 a component web policy agent that is mainly as a web service component that can be useful in the in your web server and the you can have the possibility to use the Java Enterprise Edition policy agent to be uh rightly indirectly uh school in your in your application no uh server so basically I have a web policy and can be combined and the we they http either a proxy of the indication in GeoServer for open condition and rules can be sent to and HTTP either at
stable while the Java policy agents given the couple at the we did it take to EU rules Severus in GeoServer so you have different the possibility to integrate OpenAM with GeoServer so what
I will do you can start we experiment so this integration I have created a Docker container you can pull on a implicitly Yemen forced to prepare for prototyping and I will love give you these name is has been chosen uh yeah moon it's a Japanese name that means they were at the end of the game and the water is
what is the net of by these dog so thank you very much for attending fj the different as those who questions the hi of assuming you
have a server how would you do for instance some or all of authentication you events yeah OpenAM supports also similar so you can ever you can define your of integration into of the in OpenAM and in yet assembled indication in GeoServer with an HTTP either any more questions from there on if you told us about OpenAM they also have expertise with other than single sign-on things like Shibboleth which it's 1 of the similar to the standard implementations I guess are not so much idea of the the oracle implementation that is note submitted by you can think that but that he had no more or less so I have already axes management software Morris of this same models to manage out integration and optimization so probably what that they're the approach that I describe you could be applied as well to Shibboleth here I don't know if Shibboleth there as an adjunct to be a stolen into the application server or the web server In this approach yet yeah you are mentioned by having separate teams you know security aspects that may be quite important but when it comes to the authorization of different layers you know the the advantage of GeoServer having GeoFence that you're of transparency in this sort of I guess some of which measures securing how how do you go about it basically yeah was select coordinating between the the that the model used for the authors of authorization and coordinating with what led you need fringes 7 I used to mean to use GeoFence no and in the end and users as well as most of my life uh identity and access management system or you a skit about which is generally how did you how did you come up with the rules that the business rules that you know will love well managed that which lies can be required if you're not using of authorization some offices authorization tools you can use the easing of basically you have delayed during the URL and you can manage every voter decisions you'll from that because the ever In such a tool you have at
your disposal at the front at this ability to define your expression tools that match a single frequency so that's Philly you can define I mean any expression to catch your specific the if just wondering about the like not just going there but do you know you use it you could use GeoFence for a security to limit the data that gets passed but how about if the the user had she has partial like only part of the data inside the GeoFence this on his case for that part of the that include a could be a possible if you are from store your GeoFence beaten into and out 7 and then connects the external but identity and access management tool for the L 2 musicians used to that of the server it's a it's a possibility that's all the timing of the given task and thank you thank you imagine within

Metadata

Formal metadata

Title Enterprise Single Sign-On in GeoServer: where do we stand?
Series title FOSS4G Bonn 2016
Part 110
Number of parts 193
Author Bartoli, Francesco
License CC Attribution 3.0 Germany:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they have specified.
DOI 10.5446/20423
Publisher FOSS4G
Open Source Geospatial Foundation (OSGeo)
Year of publication 2016
Language English

Content metadata

Subject Computer science
Abstract Security is a major concern in the enterprise and touches all aspects of identity and access management. Moreover, the proliferation of devices and digital assets connected to the Internet of Things is a massive source of growing geographic information. GeoServer has a lot of built-in features to manage authentication and authorization, but this kind of problem can often be dealt with better by a dedicated tool (i.e. the ForgeRock IAM suite), which can provide identities and access policies to several clients alike. What are the best practices to integrate GeoServer into an existing single sign-on and identity lifecycle? Although tools like CAS and GeoFence make it possible to enable such features, it is more likely that GeoServer needs a leaner and cleaner path towards the externalization of authentication and authorization for the OGC services and its REST API.
Keywords Geobeyond Srl
