Skip to content

WSTIERIA

Title

Web Services Tiered Internet Authorisation

Acronym

WSTIERIA

Duration

January 2010 to December 2010 (extended to March 2011)

Blog

http://wstieria.blogspot.com/

Summary

State of the art in authentication for plain HTTP (non-SOAP) web services is still IP-address checking; federated access management using commonly deployed browser-based mechanisms is problematic due to dependence on a user at a web browser and reliance on features (HTTP redirects, cookies, X/HTML rendering, SSL) that many web service client applications do not fully support. This project investigated interoperation of web services with the UK federation using two current developments:

  • Internet2's extension of Shibboleth to handle an n-tier/portal use case
  • EDINA's development of the concept of web service proxy (facade) software usable by any HTTP client in possession of a token obtained from separate browser-based authentication

Project Deliverables

  1. Facade software that web service developers can deploy in front of their own services to handle federated user authorisation. Technical note 1 explains how to combine a standard web server (Apache) with some scripting and a firewall to support federated access management for web services offered by your organisation.
  2. A demonstration web service, accessible via the standard UK federation authentication mechanisms: the production EDINA Digimap service was enhanced to offer all registered users access to map data from standard GIS software packages via OGC web services as an alternative to downloading large data sets. This enhancement was based on previous work by the EDINA geospatial team that used an approach similar to deliverable 1 above, but integrated into Digimap rather than isolated into a separate facade component.
  3. Experimental (pre-demonstrator stage) modifications were made to a test web service to investigate emerging n-tier Shibboleth features (delegation). This involved setting up a Shibboleth identity provider with the new delegation plug-in, a Shibboleth service provider protecting a test web application, and another Shibboleth service provider protecting a test web service. All of these were configured so that when a user logs in to the web application, the application can invoke the test web service on the user's behalf, without the user needing to log in to the web service. Deliverable 4 describes the setup, and its potential suitability for larger scale deployment within the UK federation.
  4. A final report documenting the other deliverables and the project's experiences.

Presentations

  • A short overview (PDF, PPT) of the project's aims and context, presented at the JISC AIM Programme start-up meeting on 4 March 2010 at Devonport House in Greenwich, London. You can read the WSTIERIA impression of the meeting and the programme manager's.
  • A slightly more in-depth look (PDF, PPT) with block diagrams of the facade software and a description of linkages to parallel work being done in the context of the Open Geospatial Consortium (OGC), a standards organisation. This was an invited talk, presented on 9 March 2010 at the Technical and Planning Committee meeting of the OGC at Frascati in Italy, to the security working group.
  • An invited presentation at the JISC Federated Access Management conference (FAM10) at Cardiff on 6 October 2010 (PDF, PPT) described the facade work to date, its implementation requiring only Apache configuration and some scripting, and introduced the Shibboleth n-tier software setup to be investigated.
  • A presentation (PPT) outlining the successes and failures of the project was given at the end of programme meeting for the Access and Identity Management (AIM) programme at the Aston Business School in Birmingham on 21 June 2011.

Project Documents

Working documents

Formal documents:

EDINA Contacts

Fiona Culloch

Funders

JISC