C5.84 Integrate the CSSO Identity Provider component with the Experts-DB

The general objective of this activity is the design of a security infrastructure for the platform and the introduction of a secure Single Sign-On (SSO) service. The task to be achieved within the third JPA is the integration of a Community Single Sign-On (CSSO) security infrastructure into the platform. The CSSO enables the various EDIT service providers to protect their services and resources by defining individual access control policies, while users can access the different services with a single identity. The security infrastructure is based on the Shibboleth single sign-on framework, which relies on the SAML protocol family; in particular, Shibboleth provides a federation concept that realises the community aspect. This component reports on the integration of the EDIT component ExpertsDB into the CSSO security infrastructure.

Integration

The EDIT component ExpertsDB has been successfully integrated into the CSSO security infrastructure. The Shibboleth attributes of registered users who have been authenticated by the Identity Provider (IdP) component of the Shibboleth-based CSSO infrastructure are transmitted to the user login component of the ExpertsDB. Since the ExpertsDB is implemented on top of the content management system Drupal, we developed a Drupal plugin that supplies Drupal's access control component with the necessary user information. The plugin retrieves this information from the Shibboleth Service Provider (SP) component, which runs on the same host and passes the attributes received from the authenticating IdP to the Drupal system through the web server's environment context. The plugin then submits the relevant information to Drupal's authentication procedure, and the user is logged in automatically. The decision whether to accept the login, and which access rights are granted to that user, remain entirely with the access control policies of the underlying Drupal system, i.e. the ExpertsDB application.
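To make the attribute hand-off concrete, the following is an added, hypothetical Drupal 6 module sketch; it is example code written for this report and not the EDIT ExpertsDB plugin itself. It assumes the Shibboleth SP runs inside the same web server and exports attributes as server environment variables (the SP default) rather than as HTTP headers, that the IdP entityID in CSSO_LOGIN_TRUSTED_IDPS is a placeholder, and that the Drupal 6 helpers user_is_logged_in() and user_external_login_register() behave as described in the comments.

```php
<?php
// csso_login.module -- hypothetical Drupal 6 module, illustrative only.
// Assumes the Shibboleth SP (mod_shib) runs in front of Drupal and exports
// attributes as server environment variables (ShibUseHeaders Off, the SP
// default), so the values read from $_SERVER cannot be supplied by the browser.

// IdP entityIDs this application accepts (placeholder value). A federation
// may contain many IdPs; the application decides which of them may assert
// identities here.
define('CSSO_LOGIN_TRUSTED_IDPS', 'https://idp.example.org/idp/shibboleth');

/**
 * Read the Shibboleth attributes the SP exported for the current request.
 * Returns an array with keys session, idp, eppn, affiliation, or NULL when
 * the request did not pass through an SP session.
 */
function csso_login_attributes(array $env) {
  if (empty($env['Shib-Session-ID']) || empty($env['Shib-Identity-Provider'])) {
    return NULL;
  }
  // Never fall back to HTTP_* entries: those originate from request headers
  // and can be set by the client unless the web server strips them.
  return array(
    'session'     => $env['Shib-Session-ID'],
    'idp'         => $env['Shib-Identity-Provider'],
    'eppn'        => isset($env['eppn']) ? $env['eppn'] : NULL,
    'affiliation' => isset($env['affiliation']) ? $env['affiliation'] : NULL,
  );
}

/**
 * Decide whether the attributes are sufficient to log somebody in, and under
 * which local account name. Returns the name or NULL.
 */
function csso_login_account_name(array $attrs, array $trusted_idps) {
  if (!in_array($attrs['idp'], $trusted_idps, TRUE)) {
    return NULL;  // asserted by an IdP this application does not trust
  }
  // eduPersonPrincipalName is scoped (user@realm); require exactly that shape
  // so that an unscoped or malformed value cannot collide with a local account.
  if (empty($attrs['eppn']) || !preg_match('/^[^@\s]+@[^@\s]+$/', $attrs['eppn'])) {
    return NULL;
  }
  return $attrs['eppn'];
}

/**
 * Implementation of hook_init(): log the Shibboleth user into Drupal.
 */
function csso_login_init() {
  if (user_is_logged_in()) {
    return;
  }
  $attrs = csso_login_attributes($_SERVER);
  if ($attrs === NULL) {
    return;  // not behind an SP session: leave Drupal's own login untouched
  }
  $name = csso_login_account_name($attrs, explode(',', CSSO_LOGIN_TRUSTED_IDPS));
  if ($name === NULL) {
    watchdog('csso_login', 'Rejected Shibboleth login from IdP %idp',
      array('%idp' => $attrs['idp']), WATCHDOG_WARNING);
    return;
  }
  // Drupal 6 external-authentication helper (as assumed here): creates the
  // account on first visit, records it in the authmap for this module and
  // logs the user in. Roles and permissions remain whatever the site's own
  // access control policy assigns, as the report describes.
  user_external_login_register($name, 'csso_login');
}
```

Two details in the sketch matter for security. First, the attributes are taken only from the entries the SP itself places in the server environment, never from HTTP_* entries, because request headers can be forged by the client unless the web server is configured to strip them. Second, the entityID of the asserting IdP is checked against an explicit list: in a federation the SP may accept sessions from many IdPs, and which of them may log users into the ExpertsDB is an application decision, consistent with the report's point that acceptance of the login remains with the Drupal side. The web server must additionally be configured so that the SP establishes a session before the login path is reached; otherwise the hook simply finds no session and does nothing.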

Unfortunately, our initial intention to use the ExpertsDB as an attribute source for the Shibboleth IdP component turned out not to be sustainable. This is mainly due to the different contexts of the information in question: the data gathered by the ExpertsDB on the one hand, and the level of authenticity required of any information delivered by a Shibboleth IdP on the other. The open attribution expected of the information about taxonomic experts gathered by the ExpertsDB partially clashes with the precision of reference that is indispensable in the security-related context of the IdP. For instance, an IdP can certify the institutional membership of a person only for the institution whose users it authenticates, while the taxonomic interest in the same piece of information usually covers every institution the taxonomic expert has worked for.

Developing an EDIT-specific application that unifies the requirements of both directions would require considerable effort from the EDIT project. Given that attribute management applications already exist, or are currently being developed, within the Shibboleth community, this additional expenditure is not justifiable. Consequently, further development will follow the individual purpose of each component. As regards the Shibboleth attribute management tool, the currently known applications will be evaluated and the most suitable one for EDIT will be installed.

Details

For more detailed information regarding CSSO or the current development state of this activity, please refer to the CSSO section within the WP5 developer’s wiki (http://dev.e-taxonomy.eu/trac/wiki/CSSO).