Versions Compared

Old Version 11

changes.mady.by.user Fernando Aguilar

Saved on

compared with

New Version 12

changes.mady.by.user Fernando Aguilar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This pilot activity aims to identify and enhance an existing AAI solutions to be adopted by LifeWatch ERIC as IdP, integrating already existing institutional or social identities in a federated way.

Pilot goals

Some questions to answer:

  • What are the goals of this pilot?

  • Why is it in AARC project?

  • How this pilot will improve AARC community?

  • Why should I use this pilot instead of other solutions?

 This IdP solution will be used for the following purposes:

  • To give access to restricted LW services. The services may be restricted because of processing power or storage demands.
  • To protect user data and scripts that are stored on the infrastructure (unix home folders etc)
  • To give access to data not yet in the public domain. (data in databases , project moratorium period )
  • To distinguish between users uploading data to the system (RvLab , eLab, data explorer)
  • To give access to openstack configuration interface and computing resources at infrastructure layer.
  • To manage roles/groups and authorize them to access specific services.

Currently, the different user apps manage their own users. The institutional credentials could be federated in the Identity Provider. Also, it should manage the following roles/users:

  • IT administrator who have access at infrastructural level.
  • Developers/Solver who have access to computing/storage resources to develop new Vlabs/VREs.
  • LifeWatch ERIC research users
  • Citizen Science (to have access to concrete applications)

The architecture suggested by AARC based on the blueprint is a promising approach to be adapted to the European framework, in particular for the European Open Science Cloud.



...

ComponentDescriptionWhy did we choose it?Link
KeycloakKeycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

Keycloak fullfil all the required functionalities expected:

  • Compatible: OIDC (priority), SAML (interesting, eduGain).
  • Federation of 1-N Institutions. Citizen Scientists (Social IDs).
  • Roles Management. Role mapping (e.g. Google users to Citizen Scientist).
  • Identity linking (optional).
  • Group Management. Some groups are allowed to do…
  • Distributed, clustered. High availability. NATIVE
https://www.keycloak.org/
FEUDAL

Federated User Credential Deployment Portal.

One possibility to link between the IdP (Keycloak) and a "non-compatible" service.https://hdf-portal.data.kit.edu/
WaTTS

WaTTS allows using any legacy service with federated identities, such as eduGain or google.

For this, WaTTS accepts federated identities (via OpenID Connect) and uses a plugin scheme to generate credentials for your service. This allows you to provide services that do not normally support federated identities to federated users.

One possibility to link between the IdP (Keycloak) and a "non-compatible" service.https://github.com/indigo-dc/tts


Architecture

This section will provide 2 important parts:

...

...

Graphic representations of workflow

...

Lists of all components of related pilot



Pilot Vs AARC BP

Use Cases

This section should explain how this pilot works through use cases (at least 2).

...


(Here's a valid example LINK)

Use Case 1 -
Access to
service
Access to Rshiny (for the moment)
1.

Access RShiny research service to analyze/calculate thermoclines in water columns.

 

 

Afbeeldingsresultaat voor browser icon

2.

The User is redirected to LifeWatch IdP

3.

You can select among the list of federated institutions belonging LifeWatch. For example, IFCA SSO will redirect you to the IFCA IdP

4.

Overview of attributes being shared (to authenticate and perhaps authorize)...... 

5b.

The user is successfuly redirected to Rshiny app

   


Use Case 2 - User Role Mapping (Researcher Vs. Citizen Scientist)


Access to Rshiny (for the moment)
1.

LifeWatch ERIC IdP needs to federate different institutions and different social ids to distinguish between different types of users (Researchers, citizen scientists...).

 

 

2.

Keycloak allows mapping to defined roles depending on the identity provider used for accessing.

4.

It can be configures to propagate that information as an attribute for a service.

5.

So the service can get that info and decide if the user has or not access rights.

   


Further information

Last part contain a list of information, link or anything related to the pilot that was not mentioned in ahead seciton.