In some cases, access to INSPIRE web services may need to be restricted rather than public, due to organisational and/or technical requirements. To overcome this interoperability barrier, ARE3NA is analysing approaches and putting in place solutions that help data users access protected services. This area of access control is often known as Authentication, Authorization and Accounting (AAA).
EIF interoperability level
The work on access control (AAA) is structured in two phases, with the first phase successfully completed in early 2015 in the form of a technical solution to access data services from different organisations through an Access Management Federation (AMF). Related to the work in STORK, the activity showed how different types of users could access secure resources with the appropriate permissions across borders from different data providers.
A second phase made a live demo of the former work and explored the overall variety of technical barriers to data access.
The evidence from this work is also applicable to other sectors, as the details of AAA standards and technologies enabling interoperability for access control apply not only to INSPIRE web services.
Importantly, this work allows ARE3NA to not only focus on public administrations as data providers (following the requirements of the INSPIRE Directive) but also consider the needs of data users who could face legal, organisational, semantic and technical barriers to interoperability that diverging access control approaches could potentially create.
Phase I: AAA Study and Testbed (2014-2015)
Scope of the 2014-2015 activities
This study was undertaken in support of ISA Action 1.17: A Reusable INSPIRE Reference Platform (ARE3NA).
According to the INSPIRE Directive (2007/2/EC), data providers may limit access to services for a number of reasons. However, there has been no attempt to harmonise how access control and rights management are implemented, leading to a plethora of approaches across Europe. There is a need to take stock of the possible technical solutions and standards that support access control to INSPIRE data in the wider context of interoperability and data-sharing in cross-sector and cross-border contexts.
This study, therefore, has aimed to address the following issues/tasks:
- To identify and assess the current standards and technologies that would help to guarantee secure data exchange between public administrations, with particular focus on INSPIRE data and services, as well as those relevant in the context of the ISA programme and the Digital Agenda for Europe, as a broad evidence base.
- To identify and assess best practices in Europe with regard to the application of those standards and technologies for data and service sharing, in order to better understand what works well, what does not, and what elements are missing or could be improved.
- To design, develop and deploy an AAA testbed using open source technology, based on existing INSPIRE and SDI components in three Member States with varying organisational, legal and technical settings, so that solutions could be reusable and lessons learnt widely applicable.
- To actively involve Member State representatives in the proposed AAA architecture and testbed and to collect feedback from them.
The work has involved the participation of other actions of the ISA Programme and experts from across the EU. It has also been followed and reviewed by groups including the INSPIRE Knowledge Exchange Network of Eurogeographics and the official technical expert group for INSPIRE, the Maintenance and Implementation Group.
The project space acts as a reference point for the study as part of ARE3NA and for the storage of its final deliverables.
WP1 Current Practice
This initial part of the work explored what standards and technologies are theoretically available for use in INSPIRE and what existing best practices can be found for AAA that INSPIRE should be aware of. The key deliverables are:
- Report: Analysing standards and technologies for Authentication, Authorization & Accounting
- Report: Best Practices of AAA implementations
WP2 Design choices for the testbed
This important step involved defining and analysing design choices and use cases for the testbed, as well as a meeting with stakeholders and experts to refine the approach and rapidly put designs into practice. The key deliverables are:
- Report: Analysis of Evidence Base: Relationships and Gaps between Technologies, Standards and Best Practices
- Discussion document: SWOT analysis and initial testbed setup
- Results of the Workshop: ‘AAA-Architectures for INSPIRE’ 16-17 March, Leuven
WP3 Access Management Federation proof-of-concept
This last step involved implementing the chosen solution (based on Shibboleth). The work involved piloting the approach within the consortium partners before extending it out to a series of pilots with INSPIRE stakeholders, including the JRC.
The documentation for the testbed includes the following reports and software package:
- Testbed software Overview
- Testbed software package
- Testbed Guidelines:
WP4 Final report
A final report summarising this work and providing recommendations is also available:
Phase II: AAA Testbed Demo and State-of-the-Art (2015-2016)
Where the first phase explored a potential technical solution to AAA in practice, the second phase aims to explore the extent to which a full European solution could be put in place to aid access to geospatial data and services.
This work is composed of three main activities: a demonstrator of the testbed from Phase I; an analysis of the protected services found in the INSPIRE geoportal; and investigations into how an AMF could form part of a European solution.
Based on the testbed from the first phase, the demonstrator for accessing protected INSPIRE services has been created to show stakeholders how such an AMF works in practice, helping to view geospatial data across borders in web-based map browsers. Outputs include:
- An AMF demonstrator
- Guidelines for using the Testbed & Supported Use Cases (to be used with the demonstrator)
INSPIRE Geoportal Protected Services Review
A tool has been developed to analyse the content of the INSPIRE Geoportal to understand the different types of access control/AAA organisations have put in place. Such variation in approaches may create interoperability issues as well as barriers to reusing data. The outputs of this work include a dataset the tool creates (to be used in following work) and the documentation, below:
Investigation into AAA for INSPIRE and eGovernment
This forthcoming work involved desk research to further analyse the outputs of the Protected Services Review and run experiments to understand the interoperability-related barriers that end-users of data may face.
The work also involved interviewing public administrations involved in INSPIRE and eGovernment at national and European levels to understand how an AMF may support AAA for INSPIRE and how this may fit with pan-European solutions, including those developed by ISA and the Connecting Europe Facility (CEF).