Cop

11.4.1 Register User with OpenID

The User must first register and create a profile with the local OpenID provider as shown in Figure 12 below. Figure 12, OpenID Server User Profile EntryUpdate This User Profile information also includes a Notification URI and associated protocol, which the user has chosen to receive communication and requests from the OpenID server. The Notification URI and protocol will be used to issue authorization requests to be shown later.

11.4.2 Establish Trust

In order to allow access to and for tasking resources in another domain, the user in the First Responder Dispatch Office domain initiates a request to add an identity and role to the NASA domain as shown in Figure 13 below. This capability to establish trust was accomplished in this testbed using experimental extensions added to the OpenID server libraries to be described in the following paragraphs. yright © 2009 Open Geospatial Consortium, Inc. 39 40 Cop Figure 13, Establish Cross-Domain Trust To provide a means to establish trust across security domains in this testbed, several experimental extensions were added to the OpenID server capabilities as described in the following paragraphs. 1. The OpenID server was modified to maintain a list of trusted domains. Domains can be added on the fly to allow temporary trust. 2. The current trusted domain list can be accessed via any one of the following: GET https:op.geobliki.comtrusted_domains for HTML output format GET https:op.geobliki.comtrusted_domains.xml for XML output format GET https:op.geobliki.comtrusted_domains.json for JSON format The JSON output result appears as follows: [{domains:geobpms.geobliki.com,id:1}, {domains:op.geobliki.com,id:2}, {domains:redcross.org,id:3}, {domains:servir.geobliki.com,id:4}] 3. The server database was extended. A new Ruby controller class and database tables were added or modified to provide persistent store for trusted identities as follows: yright © 2009 Open Geospatial Consortium, Inc. Copyright © 2009 Open Geospatial Consortium, Inc. 41 Trusted Domain Controller Class in Ruby: class TrustedDomainsController ApplicationController layout op_layout before_filter :login_required active_scaffold :trusted_domain do |config| config.label = OP Trusted Domains config.list.columns = [ :domains] list.sorting = {:domains = ASC} end end Trusted Domain database table: CREATE TABLE `trusted_domains` `id` int11 NOT NULL auto_increment, `domains` text NOT NULL, PRIMARY KEY `id` ENGINE=MyISAM AUTO_INCREMENT=5 DEFAULT CHARSET=latin1; In addition, the OpenID user database table was extended to include the following fields: • Company Name • User Title • Permissions • User Location Latitude • User Location Longitude 4. The OpenID server database was extended to include a database table to register web applications. Registered applications such as ‘xyz’ would have an OpenID of the form shown in the following example. Example: https:op.geobliki.comwebappxyz A new webapps table was added to the OpenID server database. The purpose of this database table was to store registration information for web applications provided by a registered user. The ‘cert’ attribute contains the application public key to be fetched by the data provider and used to verify the digital signature of the message. CREATE TABLE `webapps` `id` int11 NOT NULL auto_increment, `user_id` int11 default NULL, `name` varchar32 default NULL, `url` varchar256 default NULL, `description` text, `cert` text, `created_at` datetime default NULL, PRIMARY KEY `id` ENGINE=MyISAM AUTO_INCREMENT=14 DEFAULT CHARSET=latin1; 42 Copyright © 2009 Open Geospatial Consortium, Inc. The data provider can access the web application information profile by using the OpenID of the web application and the following AX schema references: http:axschema.orgxwebappname http:axschema.orgxwebappurl http:axschema.orgxwebappdescription http:axschema.orgxwebappcert

11.4.3 Registering Application with OpenID