Enterprise Single Sign-On in GeoServer: where do we stand?

93 views

Formal Metadata

Title
Enterprise Single Sign-On in GeoServer: where do we stand?
Title of Series
Part Number
110
Number of Parts
193
Author
Bartoli, Francesco
License
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
FOSS4G, Open Source Geospatial Foundation (OSGeo)
Release Date
2016
Language
English

Content Metadata

Subject Area
Abstract
Security is a major concern in the enterprise and treats all aspects of identity and access management. Moreover the proliferation of devices and digital assets connected to the Internet of Things is a massive source of growing geographic information. GeoServer has buit-in a lot of features to manage authentication and authorization but often this kind of problem can be better dealt with a dedicated tool (i.e. Forgerock IAM suite) which allows to provide identities and access policies likewise to several clients. What are the best practices to integrate GeoServer into an existent single sign-on and identity lifecycle? Althought tools like CAS and GeoFence allow to enable such features it's more likely that GeoServer needs a leaner and cleaner path towards the externalization of authentication and authorization for the OGC services and its REST API.
Keywords
Geobeyond Srl
Loading...
Meeting/Interview
Computer animation
Computer animation
Computer animation
Computer animation
Computer animation
Computer animation
Computer animation Meeting/Interview
OK welcome to the 2nd session today were have a presentation by Francesco Bertoli on enterprise single sign-on induce service so that fell yeah I think about thank you good morning in there and I'd
like to thank you model of the previous presented to point out that the security it's far today I want to speak about a little bit of perspective on how to implement Security Ingersoll so we have some I'm from undue beyond that we are as besides the company in images as mutagens special solution and identity and access management system we are passed on all bombers special as a solution provider for the OpenGeo Suite and we have found that the uh reveals that he's an Italian professional open sewers network we different companies that color different kind of stuff like to Boston business intelligence the data and so on the so I will try to do a very very faster on the forest and uh on the 1st part of the story because of our own as a rating it is at that a lot of features of the ideas of security model so you that the it is these upon springs and are allowed to Due access management we felt institutions and authorization that is that you mean features in our protecting areas arsewipe institutional injures seveties basic on field service providers and chain while at decision is based on groups roles and can be a separated into 2 so data management and service management real and uh it is composite by for the identity management by internal provided an external provider the so let's 7 OK that's GeoServer out institutions so basically we have field the field there can be a deletion to the servlet container can be and rules can be to like remember me for the intuition of from these requests can be formed bases can be based upon syste the gates are we can proxy http either from an external system and we can have induced over a basic and I just of institutions and also we can have from our leaders as well cadential directly providers can be as I say the internal like as a molecule before our we can have a user information from that busy the based user groups series of weak credentials and the username basically username and password that and as well we can have the them now use information from and held up several where the user can move by and for task username and password and as well we that JDBC database trying to connect to the user that so again we have changed to that challenge or better field there's a against out
integration schemes the that's right we can name provider during an atom and institutions so uh and there you will use that that chain and a little bit requests as as soon as at least 1 scheme succeeds In the part in the pipeline so let's let's evolution can into field the against providers chain provided before the old integer actually yield institutions while the selected this specific Ultimate Edition scheme dropped by for every cluster so basically for example if an atom tradition is actually required or not and also feed that can be separated by Billy quiz-style we need a matching of rules are as users can be and described by uh the me to the HTTP Media a part of and a regular expressions for the cuisine by the but is
a shot so we have that as a
seat roles rules entities we and mean finance and a set of key-value previous associated to the privileged and the permitted the resistors for a user and can be assigned you to users and groups of them our rules supports inheritance and we having just several different service every system rule like our rule of state world group at mean parole of indicator and roll and onions while forest can for example you that specified just bullet indicated to users rule can be several the by a different kind of old persistence can be an XML file from their old salaries are so just so file a role . xml in there just over that the directly can be extracted the from a JDBC that of these can be defined at the inside the deployment discrete to all the to year-old services and can be and can be sent from and that data server inducive where we can get rules we can
get so far from the user's group services so actually retrieving the active role directly so they confuse the rule set of is that we need some limitation like we cannot that have group membership and casseroles and by using an HTTP beta activity so in such cases rules I receive it through I know about proxy authentication so I can for it's for instance I can then define my guest or Edo might rules we different roles so there are many of you will scan a having just over of weekend seperates and distinguish them up by uh the management of data so that's only year label and the data management of this service so that the different type in wsml services like domestic public 1st and WCS 1 so that the management of that provides security if you of that although you can combine with spacer layer of permission and rule and also you can use the catalog while at level you can defines the specific use of by separating would you see services and what they also you can never be addressed in a series of specific rules as well so these users are for example the syntax of the early years inducive uh and the right and as you can see here that we can have permission for read-modify-write more and at the moment and there are other examples of forests on define it real and while disease this seems that's an example for basic security servers while these these these slides that explain how we can define uh we've the seen over REST services as well as the rule that explain uh and said uh this security as a service level of for the rest API all we
can also have the proteins so geofence on and CASE for single sign-on and basically uh the main difference between a G. geofence and this time the security the so that the idea France he served utility of the these efficiencies system that allows you will see uh that overcome the limitation for becoming a shot of said recently is key but so I I would like to and up to but the point of this talk but I I am
wondering and I have some doubts so that the 1st question easily unable to satisfy the technical security requirements for enterprise single-sign-on In just said we just over and collateral stuff that I can using my infrastructure well the the the the answers were more or less easily yes but so I have an additional question can achieve a simple security model we'd arabists including go what I use every user a geospatial and giant for managing geographical information system while ctd but will from as a specific software for managing identity and access management system so basically I would like to point out to sound simple business security requirements so the 1st thing is keep security as simple as possible the that have at the end and the M Lady Katie infrastructure it's and medium Adler and software for implementing identity and access management the and also probably and their their the main rule is and the mean requirement is to to control the governments all over the requirements and the columns in the colleges users to adapting your system to the proliferation of digital identities for instance I mean identities passage of the week and Internet of Things which means in terms of geospatial concept MSE value over all geographical information to be executed and also are and other um you reason to go to as them out identity and access management software easily to adopting a centralized rule drive and security policy more those that as the number of rules as little work as possible so let's have a look at how can our many and how it can be the the the main concepts in identity and access management the user management and its life cycle for the provisioning of identity has to be central in the enterprise so the security has to be a procedures topics you have to respect the challenge with different kind of security mechanisms like uh of indication figuration social vindication more by security of integration are possible blessed end users to manage the axis also you you have to respect to to challenges we need the management all over of the provisioning of identities that is a different task of from authentication and cultivation but so for this separation of of the up indication phase from the optimization and applied and the consists consequently up by that all these different policies from of integration and up at the musician achieved by different strategies for your calls green at the and finding it always is seen a model plan and design neural so before that that their number will become ungovernable so let's have a
look at and so I want to introduce to you the force the platform that is composed by 2 4 components of open AM it's only in 1 axis management solution you have authentication single-sign-on optimization fit edition and web services security are you ever since the lights were flow and provisioning for their identity all users devices and things we open idea and you have a there and uh we know that a coup feature because that every the every every service is justified in open the j this is so the features of this standard of architecture of for general so you can have a uh uh you can have a little at and you can see I will out there the main the main concept is that there this but for ease of some the schools as a model about 4 so you can composer uh by choosing your what what you requests in terms of identity and access management and the components of the 4 jokes sweet that you need need so open a and E so uh a components specific of for the axes management that you ever out integration single only you can manage we different uh social sign on and also shows on providers Facebook completed loaded taboo and many others you have you can have a strong institutions need to so you can and will defect or authentication adaptive additional for cross-domain user manager access itself that these management and building that is probably yes I I think you did the question that before someone at about the looking what the user that is actually accessed services is used that can be theories of diseases yeah uh the the the focus on the main components of the open and I am and then I will
open AEM can feed we GeoServer well we have the in open a M 2 a component Web bodies Argentina that is mainly as a web service component that can be useful in the in your web server and the you can have the possibility to use the Java Enterprise Edition bodies yogin to be uh rightly indirectly uh school in your in your application no uh server so basically I have a web policy and can be combined and the we they http either a proxy of the indication in just 7 for open condition and rules can be sent to and HTTP either at
stable while the job Boise gents given the couple at the we did it take to EU rules Severus injured 7 so you have different the possibility to integrate the opening and we just so what
I will do you can start we experiment so this integration I have created the adoptive container you can pull on a implicitly Yemen forced to prepare for prototyping and I will love give you these name is has been choosen uh yeah moon it's a Japanese name that means they were at the end of the game and the water is
what is the net of by these dog so thank you very much for attending fj the different as those who questions the hi of assuming you
have a server how would you do for instance some or all of authentication you events yeah opening and support also similar so you can ever you can define your of integration into of the in open a hammer and in yet assembled indication integers several weeks and HTTP either any more questions from there on if you told us about opening and they also have expertise with other than single sign-on things like a sociable e which it's 1 of the similar to the standard implementations I guess are not so much idea of the the oracle implementation that is note submitted by you can think that but that he had no more or less so I have already axes management software Morris of this same models to manage out integration and optimization so probably what that they're the approach that I describe you could be applied as well to she bullets here I don't know if she but there as an adjunct to be a stolen into the application server or the web server In this approach yet yeah you are mentioned by having separate teams you know security aspects that may be quite important but when it comes to the authorization of different layers you know the the advantage of just 7 having offenses that you're of transparency in this sort of I guess some of which measures securing how how do you go about it basically yeah was select coordinating between the the that the model used for the authors of authorization and coordinating with what led you need fringes 7 I used to mean to use the geofence no and in the end and users as well as most of my life uh identity and access management system or you a skit about which is generally how did you how did you come up with the rules that the business rules that you know will love well managed that which lies can be required if you're not using of authorization some offices authorization tools you can use the easing of basically you have delayed during the URL and you can manage every voter decisions you'll from that because the ever In such a tool you have at your disposal at the front at this ability to define your expression tools that match a single frequency so that's Philly you can define I mean any expression to catch your specific the if just wondering about the like not just going there but do you know you use it you could use a geofence for a security to limit the data that gets passed but how about if the the user had she has partial like only part of the data inside the dew friends this on his case for that part of the that include a could be a possible if you are from store your geofence beaten into and out 7 and then connects the external but identity and access management tool for the L 2 musicians used to that of the server it's a it's a possibility that's all the timing of the given task and thank you thank you imagine within
Loading...
Feedback

Timings

  668 ms - page object

Version

AV-Portal 3.10.1 (444c3c2f7be8b8a4b766f225e37189cd309f0d7f)
hidden