Overview Profile Management Service

SANY D2.3.4 Specification of the Sensor Service Architecture V3 Doc.V3.1 Copyright © 2007-2009 SANY Consortium Page 144 of 233

8.3. Access Control Services

8.3.1 Overview

Table 8-6: Access Control Services

Profile Management Service
  Creates and maintains user profiles and their associations to identities.
  Reference: section 8.3.2

Identity Management and Authentication Service
  Creates and maintains identities. Supports the management of groups of identities as a special kind of identity. Proves the genuineness of identities using a set of given credentials and issues session information (IdP).
  Reference: section 8.3.3

Policy Management and Authorisation Service
  Acts as an external policy decision point (PDP) and policy administration point (PAP). The service provides a decision on whether some identity (e.g. a user or a service) is authorised to access a certain resource. Allows the management (create, update, delete) of XACML policies.
  Reference: section 8.3.4

Policy Enforcement Service
  A dedicated policy enforcement point (PEP) that handles authentication and sends authorisation requests to the PDP for non-security-enabled web services.
  Reference: section 8.3.5

Note: The abstract access control pattern specified in section 6.8.2 introduces the concept of a Policy Enforcement Point as the entity that enforces an access control policy. The SensorSA introduces a "Policy Enforcement Service" to handle policy enforcement, mainly as a coordination of the authentication and authorisation request tasks. A Service Proxy (Service Side Façade) in conjunction with a Policy Enforcement Service should be used if the policy enforcement task is to be performed in a non-intrusive manner. This implementation pattern is described in section 10.5.1.1.
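The coordination the overview describes (a PEP verifying session information issued by the Identity Management and Authentication Service, then asking the PDP for a decision, with profiles kept apart from identities) is shown below as an added example. It is not code from the SANY specification or any SANY implementation; every class, method and attribute name is an assumption chosen for the illustration, and an HMAC-signed string stands in for the SAML ticket of sections 8.3.2 and 8.3.3.

```python
"""Added example, not part of the SANY specification: a minimal model of the
Profile Management Service, the Identity Management and Authentication Service
and a Policy Enforcement Service coordinating them (sections 8.3.2, 8.3.3, 8.3.5).
All names are assumptions; the signed ticket stands in for a SAML assertion."""
import hashlib
import hmac
import os
import time


class IdentityProvider:
    def __init__(self, ticket_ttl=300):
        self._key = os.urandom(32)     # key for signing session tickets
        self._identities = {}          # username -> {salt, hash, active}
        self._groups = {}              # group name -> set of usernames
        self.ticket_ttl = ticket_ttl

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_identity(self, username, password):
        salt = os.urandom(16)          # credentials are stored salted and hashed
        self._identities[username] = {"salt": salt, "hash": self._hash(password, salt), "active": True}

    def deactivate_identity(self, username):
        self._identities[username]["active"] = False

    def add_identity_to_group(self, username, group):
        if username not in self._identities:
            raise KeyError(f"unknown identity {username}")
        self._groups.setdefault(group, set()).add(username)

    def login(self, username, password):
        """Returns a signed ticket 'subject|groups|expiry|signature', or None on failure."""
        rec = self._identities.get(username)
        if rec is None or not rec["active"]:
            return None
        if not hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
            return None
        groups = sorted(g for g, members in self._groups.items() if username in members)
        body = f"{username}|{','.join(groups)}|{int(time.time()) + self.ticket_ttl}"
        return body + "|" + hmac.new(self._key, body.encode(), "sha256").hexdigest()

    def verify_session_information(self, ticket, now=None):
        """'valid', 'expired' or 'invalid' for a ticket issued by this instance."""
        now = time.time() if now is None else now
        parts = ticket.split("|")
        if len(parts) != 4:
            return "invalid"
        expected = hmac.new(self._key, "|".join(parts[:3]).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(parts[3], expected):
            return "invalid"           # check the signature before trusting any field
        return "expired" if now > int(parts[2]) else "valid"


class ProfileManager:
    # Profiles carry LDAP-style attributes (key -> value list); identities live in the IdP.
    def __init__(self):
        self._profiles = {}

    def create_profile(self, profile_id, **attributes):
        self._profiles[profile_id] = {"attributes": dict(attributes), "identities": set()}

    def add_identity_to_profile(self, profile_id, idp_name, username):
        identities = self._profiles[profile_id]["identities"]
        identities.add((idp_name, username))   # association only, no credentials here
        return identities


class PolicyEnforcementService:
    # PEP for a non-security-enabled service: verify the ticket, then ask the PDP.
    def __init__(self, idp, pdp_decide):
        self.idp, self.pdp_decide = idp, pdp_decide

    def handle(self, ticket, resource, action):
        if self.idp.verify_session_information(ticket) != "valid":
            return "Deny"              # not authenticated: the request never reaches the PDP
        subject, groups, _expiry, _sig = ticket.split("|")
        request = {"subject": subject, "groups": groups.split(",") if groups else [],
                   "resource": resource, "action": action}
        return self.pdp_decide(request)


def run_scenario():
    """Constructed walk-through; returns the observed outcomes."""
    idp = IdentityProvider()
    idp.add_identity("alice", "correct horse battery")
    idp.add_identity_to_group("alice", "analysts")
    profiles = ProfileManager()
    profiles.create_profile("p-alice", cn=["Alice"], organisation=["river-agency"])
    ids = profiles.add_identity_to_profile("p-alice", "idp-a", "alice")
    # stand-in PDP: analysts may read, nobody may write
    pep = PolicyEnforcementService(
        idp, lambda r: "Permit" if r["action"] == "read" and "analysts" in r["groups"] else "Deny")
    ticket = idp.login("alice", "correct horse battery")
    tampered = ticket[:-1] + ("0" if ticket[-1] != "0" else "1")   # flip one signature character
    out = {"verify": idp.verify_session_information(ticket),
           "tampered": idp.verify_session_information(tampered),
           "expired": idp.verify_session_information(ticket, now=time.time() + 301),
           "wrong_pw": idp.login("alice", "wrong"),
           "read": pep.handle(ticket, "sos:offering-1", "read"),
           "write": pep.handle(ticket, "sos:offering-1", "write"),
           "tampered_read": pep.handle(tampered, "sos:offering-1", "read"),
           "profile_identities": ids}
    idp.deactivate_identity("alice")
    out["login_deactivated"] = idp.login("alice", "correct horse battery")
    return out
```

The PEP never interprets the ticket's subject or group fields before the signature has been verified, and a deactivated identity is refused at login rather than by editing the profile, which is the decoupling of profiles from identities the text describes.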

8.3.2 Profile Management Service

Name: Profile Management Service

Standard Specifications: The following RFCs have been used as a template to define profile attributes in the SANY implementation of the Profile Management Service:
  - IETF RFC 2251 - RFC 2256: Lightweight Directory Access Protocol (LDAP) v3
  - IETF RFC 2256: A Summary of the X.500(96) User Schema for use with LDAPv3

Description: The Profile Management Service is used to create and maintain profiles. In general, profiles of users, services, etc. represent entities that need to be authenticated. They are not authenticated themselves but rather represent a point of contact and management feature for authentication and authorisation purposes. A profile is decoupled from authentication. This decoupling is done by separating identities from profiles. An identity of a profile is defined in an Identity Management Interface instance. Management of profiles includes the association to identities as well as storage of profile attributes. Profile attributes can be arbitrary key/value-list pairs and are currently defined by an LDAP schema.

The Profile Management Service provides its functionality through the following interfaces: ServiceCapabilities, ProfileManagement.

Interface ServiceCapabilities
  getCapabilities: Informs the client about both common and specific capabilities of a Profile Management Service instance, e.g. the supported LDAP schemas.

Interface ProfileManagementInterface
  createProfile: Creates a profile.
  deleteProfile: Deletes a profile, including the deletion of all associations to identities and profile attributes.
  updateProfile: Updates a profile. Can be used to change profile-related information, e.g. profile attributes.
  addIdentityToProfile: Associates an existing identity to an existing profile.
  removeIdentityFromProfile: Removes a previously assigned identity from a profile.
  getProfiles: Enumerates all profiles of the current service instance. Accepts a query parameter to narrow the list of returned profiles.

Example usage: The Profile Management Service provides the functionality to register and update user profiles. The result of a successful registration is a profile entry in the Profile Management information base. Moreover, the Profile Management Service's information base contains information about the profile's identities, whereas authentication of associated identities and the provision of session information is provided by an Authentication Interface instance.

Comments: The Profile Management Service replaces the former User Management Service described in the RM-OA 2007.

Table 8-7: Description of the Profile Management Service

8.3.3 Identity Management and Authentication Service

Name: Identity Management and Authentication Service

Standard Specifications: The Authentication Interface uses the following standard for the encoding of session information: OASIS Security Assertion Markup Language (SAML) v2

Description: Identities and their attributes are managed (created, deleted, etc.) using an Identity Management Interface instance. The Identity Management Interface acts as an identity provider (IdP). The manner in which identity information is managed is up to the particular identity provider, as different authentication mechanisms (e.g. an asymmetric public-key/secret infrastructure or login/password) require different identity-related information. In this way Identity Management can be independent of authentication methods. Please note that the association between profiles and identities is performed using an instance of the Profile Management Service. In this way authentication remains independent of Profile Management tasks related to identities.

The Authentication Interface verifies the genuineness of identities using a given set of credentials. The authentication mechanism, which means the way authentication is performed, is up to the service implementation. The kind of credentials an Authentication Interface needs, as well as the way they are passed, is specific to the authentication mechanism used. The present specification of the Identity Management and Authentication Service supports a username/password authentication mechanism. A SAML ticket (session information) returned after a successful authentication can be used to invoke services demanding authenticated identities.

The Identity Management and Authentication Service provides its functionality through the following interfaces: ServiceCapabilities, Authentication, IdentityManagement.

Interface ServiceCapabilities
  getCapabilities: Informs the client about both common and specific capabilities of an Identity Management and Authentication Service instance.

Interface Authentication
  login: Performs a login using the credentials and identity (e.g. username/password) supported by this Authentication Interface instance. Returns a SAML ticket that contains the authenticated identity and related attributes and possibly a set of authenticated group identities that is associated to the authenticated identity. Note: a SAML ticket serves as an asserted and temporarily valid record of a subject's identity, including identity properties (e.g. age), that can serve as a basis for an authorisation decision.
  verifySessionInformation: Verifies the SAML ticket (session information) previously issued by the same Authentication Interface instance. Returns a status value indicating the validity of the SAML assertion stated in the SAML ticket.

Interface IdentityManagement
  addIdentity: Creates an identity. The identity's representation is specific to the supported authentication mechanism. The present specification of the Identity Management and Authentication Service supports UserNamePassword Identities apart from the obligatory GroupIdentities.
  deleteIdentity: Deletes an existing identity. Deletion of identities implies the need to update the corresponding Profile Management Service instance as well as any policy referring to it.
  updateIdentity: Updates an existing identity. The identity to be updated, as well as the information to be changed (e.g. a new username, additional or modified attributes), shall be provided as input.
  addCredentials: Adds credentials to a certain identity. Credentials are specific to the authentication mechanism used. For a username/password authentication the credential is a password.
  updateCredentials: Updates credentials (e.g. password) for a certain identity (e.g. username).
  deactivateIdentity: Deactivates an identity without removing it. The identity (e.g. username) to be deactivated and additional information (e.g. a time period for deactivation) shall be provided as input.
  activateIdentity: Activates an existing, formerly deactivated identity. The identity (e.g. username) to be activated and additional information (e.g. a point of time for activation) shall be provided as input.
  getIdentities: Executes a query and returns identities that match the query conditions. The query language depends on the particular implementation of the service instance.
  addIdentityToGroup: Associates an existing group with an existing identity. The identity must reside in the same Identity Management Interface instance.
  removeIdentityFromGroup: Removes the association between a given identity and a given group. The removed identity is not deleted.

Example usage: Multiple instances of Identity Management and Authentication Services may coexist in a network, and each organisation may maintain its own instance of the Identity Management and Authentication Service. This favours cross-organisational sign-on or single sign-on (SSO), since identities represent only the identity of a user profile and one profile may refer to multiple identities, each registered at a different instance.

Comments: The Identity Management and Authentication Service replaces the former Authentication Service described in the RM-OA 2007.

Table 8-8: Description of the Identity Management and Authentication Service

8.3.4 Policy Management and Authorisation Service

Name: Policy Management and Authorisation Service

Standard Specifications: The following standards are used for the definition of policies and of authorisation requests and responses:
  - OASIS Security Assertion Markup Language (SAML) v2.0
  - OASIS eXtensible Access Control Markup Language (XACML) TC v2.0
  - OASIS SAML 2.0 profile of XACML v2.0

Description: The Authorisation Interface evaluates an authorisation request of a policy enforcement point (PEP) and returns the authorisation decision. The authorisation decision is based on an XACML authorisation request passed from the PEP or a security-enabled service. The authorisation request comprises the authenticated identities of the service requestor, including all identity attributes relevant for an authorisation decision, as well as specific environment attributes, for example individual state variables of the service. The Policy Management Interface is responsible for the management of access policies and thus plays the role of a policy information point (PIP) and policy administration point (PAP). Access policies can be expressed in the XACML access control policy language.

The Policy Management and Authorisation Service provides its functionality through the following interfaces: ServiceCapabilities, Authorisation, PolicyManagement.

Interface ServiceCapabilities
  getCapabilities: Informs the client about common and specific capabilities of a Policy Management and Authorisation Service instance.

Interface Authorisation
  authorise: This operation uses the SAML 2.0 profile of XACML 2.0 to request an authorisation decision. The authorisation decision is currently provided as a compliance value indicating how to treat the request (e.g. permit or deny).

Interface PolicyManagement
  createPolicy: Creates a new policy.
  deletePolicy: Deletes an existing policy.
  getPolicy: Retrieves a policy identified by a unique ID.
  getPolicies: Retrieves a sequence of policies maintained by the Policy Management Interface instance.
  updatePolicy: Updates an existing policy.

Example usage: Access policies can be expressed in the XACML access control policy language. XACML allows the definition of very flexible policies that can be evaluated against any kind of environment attributes. Such environment attributes may be derived from boundary conditions of a service request as well as from the underlying data source. By defining an appropriate policy for e.g. a WMS and a SOS, the Policy Management and Authorisation Service may restrict access to a certain layer or offering.

Comments: The Policy Management and Authorisation Service replaces the former Authorisation Service described in the RM-OA 2007.

Table 8-9: Description of the Policy Management and Authorisation Service
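The WMS layer / SOS offering example in Table 8-9 is worked through below as an added example, not code from the SANY specification or any SANY implementation. It models the PAP operations (createPolicy, updatePolicy, deletePolicy, getPolicy, getPolicies) and a PDP that evaluates rules over subject and environment attributes with deny-overrides combining; the class names, the attribute vocabulary, the sample policies and the use of Python callables in place of XACML's XML conditions are all assumptions chosen for the illustration.

```python
"""Added example, not part of the SANY specification: a small policy decision
point in the spirit of XACML 2.0, with the PAP operations of Table 8-9.
Names, attribute vocabulary and sample policies are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, object]


@dataclass
class Rule:
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]  # evaluated over the request context


@dataclass
class Policy:
    policy_id: str
    target: Dict[str, List[str]]          # e.g. {"resource": ["wms"], "action": ["GetMap"]}
    rules: List[Rule]
    combining: str = "deny-overrides"     # rule-combining algorithm

    def matches(self, request):
        return all(request.get(k) in vals for k, vals in self.target.items())

    def evaluate(self, request):
        effects = []
        for rule in self.rules:
            try:
                if rule.condition(request):
                    effects.append(rule.effect)
            except (KeyError, TypeError, AttributeError):
                return "Indeterminate"    # attribute missing: no trustworthy decision
        if not effects:
            return "NotApplicable"
        if self.combining == "deny-overrides":
            return "Deny" if "Deny" in effects else "Permit"
        return "Permit" if "Permit" in effects else "Deny"   # permit-overrides


class PolicyManagement:
    """PAP side of the service."""
    def __init__(self):
        self._policies = {}

    def create_policy(self, policy):
        if policy.policy_id in self._policies:
            raise ValueError(f"policy {policy.policy_id} exists; use update_policy")
        self._policies[policy.policy_id] = policy

    def update_policy(self, policy):
        self._policies[policy.policy_id] = policy

    def delete_policy(self, policy_id):
        del self._policies[policy_id]

    def get_policy(self, policy_id):
        return self._policies[policy_id]

    def get_policies(self):
        return list(self._policies.values())


class AuthorisationService:
    """PDP side: deny-overrides across all applicable policies."""
    def __init__(self, pap):
        self.pap = pap

    def authorise(self, request):
        decisions = [p.evaluate(request) for p in self.pap.get_policies() if p.matches(request)]
        for outcome in ("Deny", "Indeterminate", "Permit"):
            if outcome in decisions:
                return outcome
        return "NotApplicable"


def make_request(user, groups, resource, action, **environment):
    """Request context as a PEP would assemble it from the SAML ticket and the call."""
    return {"subject": {"id": user, "groups": list(groups)},
            "resource": resource, "action": action, "environment": environment}


def build_pdp():
    """Constructed sample policies: restrict one WMS layer and one SOS offering."""
    pap = PolicyManagement()
    pap.create_policy(Policy("wms-layers", {"resource": ["wms"], "action": ["GetMap", "GetFeatureInfo"]}, [
        Rule("Permit", lambda r: r["environment"]["layer"].startswith("public_")),
        Rule("Permit", lambda r: r["environment"]["layer"] == "flood_risk"
             and "analysts" in r["subject"]["groups"]),
        Rule("Deny", lambda r: r["environment"]["layer"] == "flood_risk"
             and "analysts" not in r["subject"]["groups"]),
    ]))
    pap.create_policy(Policy("sos-offerings", {"resource": ["sos"], "action": ["GetObservation"]}, [
        Rule("Permit", lambda r: r["environment"]["offering"] == "air_quality"
             and "partners" in r["subject"]["groups"]),
    ]))
    return pap, AuthorisationService(pap)


def enforce(decision):
    """A PEP admits the request only on an explicit Permit."""
    return decision == "Permit"
```

Two points matter for a PEP built on this: a request that no policy targets, or that names a layer no rule mentions, comes back NotApplicable rather than Permit, and a request missing an attribute a condition needs comes back Indeterminate; `enforce` treats both as a refusal, which is the conservative reading of the "compliance value" the authorise operation returns.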

8.3.5 Policy Enforcement Service