talk on conference website
(or what happens when GeoServer and PostGIS meet Active Directory)
This talk will present a case study of how Astun implemented a single sign on (SSO) system for a large
commercial client. The client stored their spatial data in a PostGIS database and provided both direct access
to the database via QGis and from QGis via WMS using GeoServer to carry out the styling and rendering of the
data. Staff are divided into 4 teams and then are subdivided by end client in to small groups. Some of the
data in the system is restricted to just the group working on a specific problem for a specific client, other
data is shared with the whole team, and some is available to the whole company.
The client brief was to move their on site system to "the cloud", and to allow staff to connect to the data
from anywhere in the world with only one user account and password for access to PostGIS and GeoServer data.
Initially, the project planned to leverage the existing corporate Azure Active Directory system to provide the
necessary authentication and authorizations. However, early experiments showed that the time between
requesting a new group and it appearing on the server was (sometimes) longer than the lifetime of the new
group.
Astun provided an open source solution, using Keycloak to handle the user and administrator facing frontends,
with user data being stored in an OpenLDAP server. It was then possible to make use of the LDAP service to
perform authentication and authorization of users to both PostGIS and GeoServer, making sure that data
restrictions applying in one were duplicated in the other.
The talk will cover details of the process and look at some of the issues that were encountered during the
project.
None