...

DARIAH is therefore using community attributes to authorize access to internal services and potentially to all the services supporting the community.

EISCAT

 

EISCAT, the European Incoherent Scatter Scientific Association, is established to conduct research on the lower, middle and upper atmosphere and ionosphere using the incoherent scatter radar technique.

 

...

EISCAT Scientific Association is funded by six research councils. The operation of the facilities is divided into two halves: one common programme for joint activities, and a second, non-common programme that is distributed among the associates according to their funding share.

 

...

The lower levels of data gathered are available only to the associate countries, and in the non-common programme each associate has exclusive rights to its data for one year. In recent years, a programme for smaller organisations has been opened that lets them operate the facilities at relatively small cost. These affiliate organisations have the right to access data for one year after the date of observation.

...

 

Access control has so far been based on IP addresses, but with the inclusion of affiliates this becomes more and more complicated. Downloads are also not logged, so there is no way of informing users about newly discovered problems with the data they have taken. Likewise, for reporting to the data owners, no information is recorded about what kind of study the data was downloaded for.

...

 

The use case here would be a good way of authenticating who downloads data, and possibly why. An 'EISCAT' certificate for users would record who, why, when and how the user will handle the data. One could think of different levels of the certificate for different levels of data.

...

Trust models and workflows

...

 

The main use case for authentication and authorization in EISCAT is to grant access to datasets to the institutions and users who are eligible to download them. Federated AAI could also make accounting for data usage easier.

...

 

Control over access to the datasets has so far been based on the IP address of the client. With the extension of the user base to additional affiliates, service providers will need to adopt a more sophisticated authorization mechanism with user-by-user granularity: an IP address identifies at best a network, and behind a shared institutional proxy, NAT or VPN exit every user looks the same, so an IP-based check can neither express per-organisation embargo rules nor record who actually downloaded a dataset.
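The following is an added example (not EISCAT's own code) of what the attribute-based, user-by-user check described above could look like on the service provider side, together with the audit log whose absence is noted below. The role vocabulary (associate / affiliate / public), the dataset fields, the 365-day reading of "one year" and the sample users and runs are assumptions made for this illustration; the rules themselves follow the access policy stated earlier on this page (lowest-level data for associates only, one year of exclusivity for the owner of a non-common run, one year of access for affiliates). The `nat_comparison` function shows the failure mode of the legacy IP check: two users behind one institutional address are indistinguishable to it, while the attribute check separates them and logs both attempts.

```python
"""Attribute-based access decisions with an audit trail for an EISCAT-style
data archive.  Added example, not EISCAT code: roles, dataset fields, date
arithmetic and all sample data are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import ipaddress

ONE_YEAR = timedelta(days=365)   # assumed reading of "one year"


@dataclass(frozen=True)
class Dataset:
    dataset_id: str
    observed: date      # date of observation
    programme: str      # "common" (joint) or "special" (non-common, associate-owned)
    owner: str          # associate that scheduled a special-programme run ("" for common)
    level: int          # 0 = lowest-level data; higher = further processed


@dataclass(frozen=True)
class User:
    # Attributes the service provider receives from the federated IdP or the
    # community attribute authority, instead of inferring them from an IP.
    user_id: str        # persistent identifier released by the IdP
    role: str           # "associate", "affiliate" or "public"
    organisation: str   # associate country or affiliate institution


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, dataset, purpose, today, allowed, reason):
        # Who, what, when and why: enough to notify users of later-discovered
        # data problems and to report usage to the data owners.
        self.entries.append({
            "user": user.user_id, "organisation": user.organisation,
            "dataset": dataset.dataset_id, "purpose": purpose,
            "date": today.isoformat(), "allowed": allowed, "reason": reason,
        })


def ip_allowlist_decision(client_ip, allowed_networks):
    """The legacy check: everyone behind an allowed network looks the same."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)


def attribute_decision(user, dataset, purpose, today):
    """Return (allowed, reason) for one download request."""
    if not purpose.strip():
        return False, "purpose of use must be stated"
    if user.role not in ("associate", "affiliate"):
        return False, "not a member of an associate or affiliate organisation"
    embargo_end = dataset.observed + ONE_YEAR
    if (dataset.programme == "special" and today < embargo_end
            and user.organisation != dataset.owner):
        return False, "non-common data is exclusive to %s until %s" % (
            dataset.owner, embargo_end.isoformat())
    if user.role == "affiliate":
        if dataset.level == 0:
            return False, "lowest-level data is reserved for associates"
        if today >= embargo_end:
            return False, "affiliate access ends one year after observation"
    return True, "%s access" % user.role


def download(user, dataset, purpose, today, log):
    """Decide, then always log the attempt (denials included)."""
    allowed, reason = attribute_decision(user, dataset, purpose, today)
    log.record(user, dataset, purpose, today, allowed, reason)
    return allowed


# Constructed sample data for the example (not real EISCAT records or users).
SPECIAL_RUN = Dataset("run-2014-03-01-special", date(2014, 3, 1), "special", "Associate-A", 0)
COMMON_RUN = Dataset("run-2014-03-05-common", date(2014, 3, 5), "common", "", 1)
COMMON_RAW = Dataset("run-2014-03-05-common-raw", date(2014, 3, 5), "common", "", 0)
OWNER = User("alice@a.example", "associate", "Associate-A")
OTHER_ASSOCIATE = User("bob@b.example", "associate", "Associate-B")
AFFILIATE = User("carol@aff.example", "affiliate", "Affiliate-C")
OUTSIDER = User("dave@else.example", "public", "Elsewhere")
DURING_EMBARGO = date(2014, 9, 1)
AFTER_EMBARGO = date(2015, 9, 1)


def nat_comparison():
    """Two users behind one NAT address (TEST-NET-1, constructed): the IP
    check cannot tell them apart, the attribute check can."""
    shared_ip, allowed_nets = "192.0.2.10", ["192.0.2.0/24"]
    log = AuditLog()
    by_ip = (ip_allowlist_decision(shared_ip, allowed_nets),
             ip_allowlist_decision(shared_ip, allowed_nets))
    by_attr = (download(OWNER, SPECIAL_RUN, "E-region study", DURING_EMBARGO, log),
               download(OUTSIDER, SPECIAL_RUN, "E-region study", DURING_EMBARGO, log))
    return by_ip, by_attr, log.entries


if __name__ == "__main__":
    print(nat_comparison())
```

The decision function deliberately requires a stated purpose before anything else, because the purpose is the piece of information the reporting to data owners currently lacks; a real deployment would take it from the download form or an attribute of the requesting project rather than a free-text string.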

 

...


 

...


 

 

Currently EISCAT is not using AAI solutions directly integrated with the services.

 

Penetration of federated identity management

 

...

In general the EISCAT community lacks information about federated identity management.


...

Photon and Neutron community (Umbrella)

The Umbrella is an identity system designed by the European Photon and Neutron source facilities (PaNs). It aims to make life easier and science more productive both for the facilities and for their users. The Umbrella first of all provides any PaN user (and effectively anyone interested in scientific discovery) with a unique identity, the UmbrellaID. Equipped with such an ID a user can virtually access the facilities with a single sign-on. Since the same identity is known at each of the facilities, a user can more simply access or share data, manage administrative processes or make use of services and infrastructures provided by the PaNs. The Umbrella is a joint project of the PaNs and other facilities with similar needs for an identity management system. The joint nature of this undertaking is the major benefit for the facilities: it lets them share the effort of developing and maintaining the Umbrella system. Services offered by one of the facilities can be used by any of the users, which allows sharing of services within the Umbrella federation; this not only reduces the overall maintenance effort but also leads to a richer ecosystem of services for the user communities.

Future user operation at large-scale facilities creates user needs that call for a unique, persistent user identification giving unified access to the following functionalities: a) 40% of users do experiments at different facilities and need trans-facility access, b) access to and management of experimental data, c) online entry mode: remote experiment access, d) access to efficient data analysis tools, e) remote file access, f) minimal administration load for users.

Umbrella is part of several FP7 projects, namely: EuroFEL (ESFRI project Free Electron Lasers of Europe), PaNData-Europe and PaNData ODI (FP7 projects), CRISP (cluster project of different ESFRI projects), CALIPSO (I3 synchrotron community), NMI3 (I3 neutron community) and BioStruct-X (structural biology with synchrotron radiation).

Adopted Authentication & Authorisation Technologies

The photon and neutron community is using the Umbrella infrastructure for authentication; authorization remains with the individual service providers (see below). The technologies relevant for the community are SAML2 and X.509 certificates.

Umbrella users use credentials from their institutional IdPs, and the federation in eduGAIN is an added value; alternatively, users who cannot access a federated IdP can use the catch-all IdP provided by Umbrella itself.

For the photon and neutron use cases, AAI must support an easy single sign-on solution, web-based and non-web applications, and delegation.

Attribute release policies

Not relevant.

LoA management

LoA management is relevant for the Umbrella use case.

Attribute management and community managed authorization

The community already has a unique identifier for its users. This is provided by the Umbrella infrastructure, since this has been a very important requirement for the community use case from the beginning.
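The two points above, LoA management and a unique user identifier, meet on the service provider side when a SAML2 assertion is consumed. The following is an added example (not Umbrella's own code) of that step: it extracts a stable subject key and a level of assurance from an assertion and lets the SP, which keeps the authorization decision, gate a resource on the LoA. The assertion is constructed, the mapping from `AuthnContextClassRef` to a numeric LoA and the capping of a catch-all IdP to a low LoA are assumptions for this illustration, and signature, audience and validity-window checks are left out on purpose: a real SP performs them before trusting any value read here.

```python
"""Service-provider side of a SAML 2.0 login: stable identifier and level of
assurance.  Added example, not Umbrella code.  Sample assertion, LoA ladder
and catch-all handling are assumptions; the assertion is unsigned and no
signature verification is done, which a real SP must add.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed mapping from authentication context class to a numeric LoA.
LOA_BY_CONTEXT = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 1,
    AC + "TLSClient": 2,             # X.509 client certificate over TLS
    AC + "X509": 2,
    AC + "MobileTwoFactorContract": 2,
}

# Constructed sample assertion (unsigned, for parsing only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_8f1e" Version="2.0" IssueInstant="2014-06-01T10:00:00Z">
  <saml:Issuer>https://idp.home.example/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="https://idp.home.example/idp"
                 SPNameQualifier="https://sp.facility.example/sp">a1b2c3d4</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2014-06-01T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
TRANSIENT_ASSERTION = SAMPLE_ASSERTION.replace("nameid-format:persistent",
                                               "nameid-format:transient")


def parse_assertion(xml_text, low_assurance_issuers=()):
    """Return issuer, a stable subject key, LoA and released attributes.

    Raises ValueError when the NameID is not persistent: a transient NameID
    changes per session and cannot serve as the unique user identifier.
    """
    root = ET.fromstring(xml_text)   # use defusedxml for untrusted input
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("persistent NameID required")
    # A persistent NameID is unique only per (IdP, SP) pair, so key on the
    # issuer as well; otherwise two IdPs could collide on the same value.
    subject_key = "%s!%s" % (issuer, name_id.text)
    ctx = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        namespaces=NS)
    loa = LOA_BY_CONTEXT.get(ctx, 0)   # unknown context: lowest assurance
    if issuer in low_assurance_issuers:
        loa = min(loa, 1)   # assumed: a self-registration catch-all IdP vouches for less
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attributes[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"issuer": issuer, "subject_key": subject_key, "loa": loa,
            "attributes": attributes}


def meets_loa(info, required):
    """Authorization stays with the SP: gate a resource on the asserted LoA."""
    return info["loa"] >= required


if __name__ == "__main__":
    info = parse_assertion(SAMPLE_ASSERTION)
    print(info["subject_key"], info["loa"], meets_loa(info, 2))
```

Keying users on issuer plus NameID is what makes the identifier unique across the federation; an SP that stores only the NameID value will confuse users of two different IdPs that happen to issue the same opaque string.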

Authorization based on community attributes is less relevant for the photon and neutron use case, since authorization is entirely regulated by the service providers who enable users to access their services.