ESA > Join & Share > HMA-T > HMA-T Contribution Intecs

HMA-T Contribution Intecs

Web Service Security support in the SSE Toolbox

Activity Objectives and Challenges

The aim of this project is to support the user management interfaces for Earth Observation services specified in the OGC 07-118 IPR. This document do not define new interfaces but it describes how existing specifications from W3C and OASIS can be used in combination to pass identity information to Web services.

One of the main requirement of the HMA project was the ability of components being part of a Ground Segment to identify who issued the request and react accordingly. The approach proposed in OGC 07-118 is based on the following:

  • An authentication Web service (accepting a user name and password) returns a SAML token which authenticates the user to the client (i.e. Web service consumer). This authentication web service may federate the identity within the circle of trust but for the interface context this is irrelevant as the federated identity request would be identical to the initial request.
  • Each subsequent service request by the client (Web service consumer) is to include the SAML token in the SOAP header.
  • Each service provider accepts service requests only via a "policy enforcement point". The "policy enforcement point" decides based on the content of the message body, the contents of the message header (including authentication token) and the context (i.e. applicable policies) whether to accept or to refuse the service request or reroute it.

According to OGC 07-118 IPR only SOAP messaging (via HTTP/POST or HTTPS/POST) with document/literal style have to be supported, the messages has to be conform to SOAP 1.2 and the message payload has to be in the body of the SOAP envelope (all these requirements are already supported by the SSE Toolbox that will be upgraded in this project).

The two basics use cases described in OGC 07-118 IPR will be supported:

  • Authentication: An authentication request is first made to the identity provider (IdP).
  • Authorization: A service request sent to the service provider (SP). This service request is a call of any of the operations defined in the catalogue (OGC 06-131), ordering (OGC 06-141) or programming (OGC 07-018) specifications but is not limited to these. The service requests can also be synchronous as well as asynchronous via ws-addressing.

A mission ground segment may be either an identity provider (IdP), a service provider (SP) or both IdP and SP.
OGC 07-118 IPR covers identity federation whereby the receiving IdP, if not the IdP for the request, resolves the IdP and passes the authentication request to the correct IdP.

The security model adopted in OGC 07-118 is based on WS-Security SAML token profile. Two scenarios for authentication are supported:

  • Name and password sent in clear over encrypted channel i.e. HTTPS. SAML token returned in clear over HTTPS.
  • Encrypted password sent over HTTP using WS-Security. Encrypted and signed response using WSSecurity.

Expected Output

The SSE Toolbox will be updated in this project in order to provide functionalities to create, store and manage policies to define Policy enforcement Points.
Both gateway and stand alone configurations will be deployed and tested in the HMA prototype. The Toolbox will be configured in order to support one or more HMA interfaces and it will be integrated in the prototype configuring the enforcement and policy rules in the SSE Toolbox security module.

Work Plan

MilestonePlanned DateDescription
KO T02-3 July 2008Kick Off
AR-2 T0+9M30 March 2009Acceptance Review
FPT0+11M1 June 2009Final Presentation of revised documents

Related HMA Specifications

  • OGC 07-118: User Management

Contributors to this page: .

Page last modified on Thursday 07 of August 2008 13:54:04 CEST by .

Category: HMA-T