CubeWerx Identity Management Server

CubeWerx® Identity Management Server lets administrators centrally control user access, enabling Single Sign-On through a policy server that grants authorization rights to each web resource. Implemented as a web server, this product offers a distributed access control framework that facilitates secure sharing of web resources inside and outside the organization. This includes any static or computational resources available through a web server using HTTPS. A web resource can be a web page, document, CGI/ ASP program, servlet, OGC web service, database query, file upload/download, generated image, etc.

Product Overview
In response to customers cross-jurisdiction service requirements many organizations, large and small, are realizing the benefits of delivering web resources using a collaborative framework.

Built on simple identity concepts CubeWerx® Identity Management Server product innovates by allowing organizations to establish a single web-enabled collaborative framework for sharing all their secure and non-secure web resources with users inside and outside their organizations

This product enhances standard web server products by implementing a secure distributed framework for supporting the following functions:

• Authentication
• Single sign-on
• Access control

Product Description
CubeWerx® Identity Management Server is a lightweight mechanism that facilitates the cooperation of autonomous organizations to securely control users' access to information resources delivered through the World Wide Web. Interacting with existing authentication systems, CubeWerx® Identity Management Server provides a uniform way for users to identify and authenticate themselves and for organizations to share their information assets and web services with those users in a controlled and collaborative way.

CubeWerx® Identity Management Server aims at supporting virtually any authentication method that can be implemented as a web service. This product (Figure 1) is designed as a general-purpose authentication and access

control mechanism suitable for a wide variety of environments and applications. Access control is performed on a service request, which is a URL that identifies the desired resource or computation, and, when applicable, the arguments and environment associated with the service request.

Figure 1 - CubeWerx® Identity Management Server product components.

Key Features

• Supports communities composed of trusted jurisdictions.
• Promotes the use of public and private web resources within the same secure and collaborative access framework.
• Supports Single Sign-On (SSO) within a community of trusted jurisdictions.
• Supports many authentications methods already implemented within an organization (X.509, Unix Password, IMS Password, Microsoft NTLM, Pluggable Authentication Method - PAM.
• Maintains customers identity for requesting web resources.
• Supports secure and access controls to all web resources within an organization
• Allows each organization to maintain its administrative autonomy including full access controls to its web resources.
• Supports the creation of access control rules using customer credentials.
• Supports access control rules by specifying: WHO can access the web resource, HOW the resource can be accessed and WHAT web resources (URLs) the rule(s) applies to.
• Allows access control rules to apply to users or group of users
• Implements fine grain access control rules for accessing OGC WxS operations, layers/ features, including spatial extents for OGC WxS data services (i.e. WMS, WFS).

Major Benefits
Enabling the transformation of a rigid, bureaucratic, inward-looking organization into a more agile, responsive, cost-effective and customer-centric organization driven by collaborative partnerships are potentially the largest benefits derived from the use of CubeWerx® Identity Management Server product. Among common drivers cited for selecting CubeWerx product are:

• Security
• Organizational efficiency
• Competitive advantage
• Robust delivery of web service products
• Integrated Information Infrastructure

Usage of CubeWerx® Identity Management Server
The following diagram illustrates a typical use of CubeWerx product:

1. Customer equipped with a web based application connects to CubeWerx® Identity Management Server using a valid “username/ password” or an X.509 certificate.
2. CubeWerx® Identity Management Server access a local authentication service and upon valid authentication returns a “cookie” to the application.
3. Customer application, using the cookie, formulates requests for web resources at a different site.
4. CubeWerx® Identity Management Server enforces the customer’s credentials, and access control rules if they exist.
5. If granted, customer’s requests for web resources are processed normally.
6. Fine grain access control rules for OGC WxS Services are enforced by CubeWerx CubeSERV product.

System Requirements
We currently support the following Operating Systems: Linux, SUN Solaris and Windows

Optional:
Components for fine grain access control using WMS and WFS services are provided with CubeWerx® CubeSERV product.

Acknowledgments:
This product was developed with funding support from GeoConnections in a GeoInnovations 2003 Program.