This Wiki is available to view at but still under maintenance. PLEASE DO NOT EDIT THE WIKI UNTIL FURTHER NOTICE. We are attempting to restore missing edits which took place between Monday 8 and Thursday 11 April 2019, therefore the site is likely to be taken off line at any time. Updated 20:43 CEST 16 April 2019.
Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Image Added

Pilot Description

LifeWatch-ERIC is a key Research (e-)Infrastructure for EU-Latin America and the Caribbean Cooperation on Research Infrastructures. They provide access to data (from different domains), analytical tools and computational facilities to support environmental research.

The purpose of this pilot is to demonstrate how a LifeWatch user can access a specific service, using the LifeWatch proxy based on AARC BPA. The solution deployed must be able to manage the different types of roles defined: Infrastructure Managers, Developers, Researchers and Citizen Scientists.

In order to support that list of different users, the system need to support both roles and group management.

The LifeWatch AAI will be used for the following things:

  • To give access to restricted LifeWatch services. The services may be restricted because of processing power or storage demands.
  • To protect user data and scripts that are stored on the infrastructure (e.g. Unix home folders)
  • To give access to data not yet in the public domain (data in databases , project moratorium period)
  • To distinguish between users uploading data to the system (RvLab, eLab, data explorer)
  • To give access to OpenStack configuration interface and computing resources at infrastructure layer
  • To manage roles/groups and authorize them to access specific services

At least two components have been identified to be part of the AAI infrastructure: a proxy (one or more components depending on the solution selected, to manage groups/roles, authorization) and a Token Translation System to allow access to non-web services.

The proxy component needs to satisfy the following requirements:

  • Federation of 1-N institutions
  • Support Citizen Scientists via Social IDs)
  • OpenID Connect for LifeWatch services (priority); SAML for LifeWatch services (optional)
  • Roles Management. Role mapping (e.g. Google users to Citizen Scientist)
  • Group Management
  • Identity linking (optional).
  • Distributed, clustered. High availability. Via Database.

INDIGO IAM has been tested for supporting this, but there are some limitations in IdP federation.

The intended AARC AAI setup consists of:

  • Proxy based on Keycloak or a different solution satisfying the requirements
  • WaTTS: configured to link to HPC resources

The current pilot setup consists of:

  • Keycloak instance: federates IFCA SSO, Google (for citizen scientists). On going: eduGAIN, VLIZ...
  • WaTTS: deployed but not yet configured/tested

 is a European Infrastructure Consortium providing e-Science research facilities to scientists seeking to increase our knowledge and deepen our understanding of Biodiversity organisation and Ecosystem functions and services in order to support civil society in addressing key planetary challenges.

LifeWatch-ERIC was established as a European Research Infrastructure Consortium by the European Commission Implementing Decision (EU) 2017/499 of 17 March 2017.

During its ESFRI stage, LifeWatch was composed by different national initiatives working on different services and solutions for the research community. During this new ERIC stage, LifeWatch ERIC requires a solutions to provide access to the different services in a common way, as well as organize the different defined groups and roles. Currently, the different LifeWatch services, Virtual Laboratories and Virtual Research Environment manage their own local users, with some exceptions that allows institutional IDs. The technology behind depends on the services, but they mainly support web-based authentication, with some exceptions using, for example, HPC resources.

This pilot activity aims to identify and enhance an existing AAI solutions to be adopted by LifeWatch ERIC as IdP, integrating already existing institutional or social identities in a federated way.


During the test phase, the pilot will be integrated with the official LifeWatch ERIC portal to provide access to restringed areas as well as the Virtual Laboratories and services. The IdP based on Keycloak will be integrated with already running services and Vlabs to prove that the solution fullfil the community needs.
The goals proposed for this pilot by the beginning of the project have been achieved since an AAI solution has been selected to act as LifeWatch ERIC IdP and it is being integrated with the service catalog. For those services that are not compatible with technologies like OIDC or SAML, different solutions have been identified in the context of the project, which is suitable to be integrated with the system. 
The pilot has been implemented and deployed in a testbed aiming at proving that everything will work as expected. The AARC BPA has been used to identify which components are needed to address the pilot needs. The BPA has also been the model to define the pilot architecture, as the following schema shows:

The pilot will be the official LifeWatch ERIC IdP and it will be used to access the services taking into account the different roles in the community. It will be deployed in a high-availability environment since it will be a critical service for the Research Infrastructure, and it will be one of the keys to integrating LifeWatch ERIC in the context of the European Open Science Cloud, so the sustainability of the pilot is guaranteed.
The deployed solution has integrated different Identity Providers to manage users from different roles: Citizen Scientists (Social IDs like Google or Github), Researchers (Institutional IDs from edugain thanks to rediris SIR2 and ORCID) and administrators (Institutional IDs like IFCA SSO).


Image Added