
User Management Services


The User Management Services control access to the GENESIS services that need to be secured, that is, services that can be invoked only by authenticated (and possibly authorized) users.

They are made of three main logical components:

  • The User Registration Service, in charge of registering users who wish to use a secured service or to deploy a new service on the Portal;
  • The Authentication Service, in charge of authenticating a previously registered user through the provision of credentials;
  • The Authorization Services, in charge of enforcing access policies on the final GENESIS services.

The following picture shows the security scenario implemented in the GENESIS framework.

Security Scenario

The access to the services that need to be secured (in the picture, those related to Service Provider 1 and Service Provider 2) is carried out through the following steps:

  • The user registers through the GENESIS Portal registration form: the data entered are saved in an internal directory of the Central User Management (UMG) Entity;
  • The user authenticates through the GENESIS Portal login/sign-in form: the authentication request is issued to the Identity Provider of the Central UMG which, in case of success, returns an authentication token in SAML format;
  • The Portal inserts the token in the SOAP messages sent to the services as a result of user requests; through the SAML token, the security layer of the recipient service can check that the user is authenticated;
  • The security layer of the service, once it has validated the user's authentication, can enforce access policies on the service, if any are defined.
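The following is an added example, not code from the GENESIS project, that models the last three steps above end to end: an Identity Provider issues a time-limited SAML-style assertion, the Portal places it in the WS-Security header of a SOAP request, and the service's security layer validates the token before applying an access policy to the requested operation. Two simplifications are assumptions of this example rather than the framework's design: the assertion is integrity-protected with HMAC-SHA256 over a canonical string instead of W3C XML Signature (so the Identity Provider and the service share a key), and the policy is a small role-to-operation table standing in for an XACML document. The namespace URIs are the standard SOAP 1.1, WS-Security and SAML 2.0 ones; the issuer name, the operation names and the policy are constructed.

```python
"""Added example (not GENESIS code): IdP issues a signed SAML-style assertion,
the Portal wraps it in a WS-Security header, the service validates it and then
enforces a role-based policy on the SOAP operation.

Assumptions: HMAC-SHA256 stands in for XML Signature (shared key between IdP
and service); a dict stands in for an XACML policy."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

IDP_ISSUER = "urn:example:genesis:umg:idp"  # constructed issuer identifier
POLICY = {                                   # constructed policy: operation -> permitted roles
    "GetMap": {"viewer", "provider"},
    "DeployService": {"provider"},
}


def _q(prefix: str, local: str) -> str:
    """Clark-notation tag name {uri}local for ElementTree."""
    return f"{{{NS[prefix]}}}{local}"


def _mac(key: bytes, *fields: str) -> str:
    """HMAC over the newline-joined fields; stands in for a ds:Signature."""
    digest = hmac.new(key, "\n".join(fields).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def issue_assertion(key: bytes, subject: str, role: str, not_after: datetime) -> ET.Element:
    """Identity Provider: build a signed assertion carrying the user's role."""
    a = ET.Element(_q("saml", "Assertion"))
    ET.SubElement(a, _q("saml", "Issuer")).text = IDP_ISSUER
    ET.SubElement(ET.SubElement(a, _q("saml", "Subject")), _q("saml", "NameID")).text = subject
    ET.SubElement(a, _q("saml", "Conditions")).set("NotOnOrAfter", not_after.isoformat())
    stmt = ET.SubElement(a, _q("saml", "AttributeStatement"))
    attr = ET.SubElement(stmt, _q("saml", "Attribute"), Name="role")
    ET.SubElement(attr, _q("saml", "AttributeValue")).text = role
    # Non-standard element (assumption of this example) holding the HMAC.
    ET.SubElement(a, "HmacSignature").text = _mac(key, IDP_ISSUER, subject, role, not_after.isoformat())
    return a


def build_soap_request(assertion: ET.Element, operation: str) -> bytes:
    """Portal: put the token in the WS-Security header of the outgoing request."""
    env = ET.Element(_q("soap", "Envelope"))
    security = ET.SubElement(ET.SubElement(env, _q("soap", "Header")), _q("wsse", "Security"))
    security.append(assertion)
    ET.SubElement(ET.SubElement(env, _q("soap", "Body")), operation)  # hypothetical operation
    return ET.tostring(env)


def authorize(key: bytes, soap_xml: bytes, now: datetime) -> str:
    """Service security layer: authenticate via the token, then apply the policy."""
    env = ET.fromstring(soap_xml)
    a = env.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if a is None:
        return "DENY: no SAML token"
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    role = a.findtext("saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue",
                      namespaces=NS)
    cond = a.find("saml:Conditions", NS)
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    sig = a.findtext("HmacSignature") or ""
    if None in (issuer, subject, role, not_after):
        return "DENY: malformed token"
    # Verify integrity before trusting any claim carried by the token.
    if not hmac.compare_digest(sig, _mac(key, issuer, subject, role, not_after)):
        return "DENY: bad signature"
    if issuer != IDP_ISSUER:
        return "DENY: untrusted issuer"
    if now >= datetime.fromisoformat(not_after):
        return "DENY: token expired"
    body = env.find("soap:Body", NS)
    operation = body[0].tag.split("}")[-1] if len(body) else ""
    if role not in POLICY.get(operation, set()):
        return f"DENY: role {role} may not call {operation}"
    return f"PERMIT: {subject} -> {operation}"


def demo():
    """Exercise the happy path, a policy denial, a tampered token and an expired one."""
    key = b"constructed-shared-key"
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    token = issue_assertion(key, "alice", "viewer", now + timedelta(minutes=5))
    ok = authorize(key, build_soap_request(token, "GetMap"), now)
    denied = authorize(key, build_soap_request(token, "DeployService"), now)
    # A client rewriting its own role claim must fail the signature check.
    tampered = build_soap_request(token, "DeployService").replace(b"viewer", b"provider")
    forged = authorize(key, tampered, now)
    expired = authorize(key, build_soap_request(token, "GetMap"), now + timedelta(minutes=6))
    return ok, denied, forged, expired


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of checks in `authorize` is the point of the example: the signature is verified before any claim in the assertion (issuer, subject, role, validity window) is read for a decision, and the policy is consulted only after authentication has succeeded, which mirrors the split between the Authentication Service and the Authorization Services described above.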

The scenario is detailed in the OGC 07-118 specification, which is a GENESIS contribution to OGC standards. The implementation of the security framework is also compliant with the relevant international standards: WS-Security, XACML and SAML from OASIS, XML Signature and XML Encryption from W3C, and GeoXACML from OGC.