[Web Comm] Single Sign On SSO

Arnulf Christl arnulf.christl at ccgis.de
Sun Apr 2 12:11:38 EDT 2006

Frank Warmerdam wrote:
> Arnulf Christl wrote:
>>> SSO using OGC interfaces?  Sometimes I'm not sure when you are serious!
>> Sure am. Where is the problem?
> Arnulf,
> First, I don't know anything about specific security work at OGC.

there have been some discussion papers (latest regarding GeoACXML but I 
am afraid I currently only find a German lang presentation) but yes, we 
are all still missing concrete solutions. Therefore...

> When I was last involved in such efforts we just punted, and made
> all the security the responsibility of the normal web architecture.

...this currently probably is the best/only solution.

>>>  > In the long run we will want to have SSO including the Wiki, the
>>>> OSGeo domain *and* the OSGeo SDI stack. That would be cool. Maybe 
>>>> add some GeoACXML certification to the process, reduces the overhead 
>>>> of logging into LDAPs and reading Cookies across domain limits.
>>> Well, I'm feeling "in over my head".
>> What is "in over my head"? My translator [1] gives me:
>> to be in over your head with debt
>> to be head over heels in love
>> That's over my head
>> He's head over heels in love
>> She's head over heels in love
>> I suspect that you are in love with me. You know we non-English native 
>> speakers sometimes do have a hard time.
> Well, we won't speak of my love here.

OK, sorry to be impertinent (dict.leo suggested this to be the best term 
to apologize)

> In this context "in over my head" relates to swimming in deep
> water where I might easy drown.  It is meant to imply that you
> are using a bunch of terms I don't know and that I am not really
> qualified to discuss security at a deep level.

Me neither. Thats why this security gap keeps gaping at us with ever 
more bulging eyes. If even you politely step back for not feeling 
qualified all hope drains out of me.

>> Cool. Where do we discuss? I could sure get them off list but it would 
>> make sense to move the discussion to one of the many new mailing lists 
>> if only to be able to say  afterwards that it was all discussed in 
>> public. Need another smiley to believe that I am sure serious? Here we 
>> go :-)
> A good question. I'll cc: Norman Vine.  Norman, I think a mailing list
> (on mail.osgeo.org or perhaps even webcommittee.osgeo.org if we consider
> the telescience work affiliated with WebCOM) would be a good idea.
> Best regards,

Some thoughts: The idea is to acquire an ACXML certificate (later 
possibly with a Geo-tag attached) when SSO registering and logging in to 
OSGeo. This is the authentication part and it can always be performed by 
OSGeo. This certificate has a lifetime and gets updated every time 
people log in. It would need to be recognized and eaten by all other 
services (i.e. telescience infrastructure, Wiki, OWS proxy, WMS facade, 
People's authorization will have to take place at each corresponding 
site individually. This is the larger task at hand as people who operate 
the other domains must know who they can trust with which task. This 
involves someone bringing the person (certificate) together with a 
privilege (edit WMS, log in ssh, install GeoServer, commit to CVS, 
create mailing list, edit Wiki, etc.).

Its a rather loose thing but it should work fine.

Best regards,

More information about the Webcom mailing list