EISCAT_3D Pilot Description

EISCAT_3D will be an international research infrastructure using radar observations and the incoherent scatter technique for studies of the atmosphere and near-Earth space environment above the Fenno-Scandinavian Arctic, as well as for support of the solar system and radio astronomy sciences. The radar system is designed to investigate how the Earth’s atmosphere is coupled to space but it will also be suitable for a wide range of other scientific targets for e.g space weather forecasts and detecting space debris.

The EISCAT_3D users are expected to access the User Analysis Facility through a user portal (Web) or a command-line interface to the virtualized resources. The metadata searches for analyses may also be performed through either the EISCAT_3D portal or command line interface. The data that is to be analysed must be accessed from the data centres from the fast and slow data stores and transferred to the computing resources where the analysis code will run. As the EISCAT_3D users will access the computing e-infrastructure from different countries (also expected to be from outside the Nordic area), a common means of authenticating (identifying) users and authorising access is needed.

EISCAT currently provides their resources to their partners through a web portal, which uses IP addresses and country codes to provide access. The current setup, all made of software components written in Python, consists of:

• CGI portal under Apache.
• Separate data download service, IP based.
• Processing services, IP based.
• Schedule request service, open.

The intended AARC AAI setup consists of:

• SATOSA IdP/SP Proxy
• COmanage
• EISCAT and eduGAIN Identity Providers
• Plugins for Social Identity providers (OIDC/OAuth2)
• SAML to OIDC/OAuth2 TTS

The main goal of the pilot is to have EISCAT_3D move away from the IP based Authentication model they are currently using for their portal to embrace the federated AAI model based on the AARC BPA for authenticating and authorising their users. In fact, EISCAT_3D has a large set of user roles and functions.

To achieve this goal, the Authentication part of the Python code currently implementing the IP based authentication will be replaced by a page published as a user landing page, after successful proxy authentication, protected by a SAML service provider, whose content will be displayed only to successfully authenticated and authorised users.

The main implementation phases designed for this pilot are the following ones:

1. Cloning of the current EISCAT_3D production environment, including the main portal, to provide pilot/test instances for AARC to commit the pilot required changes.
2. Porting of the main EISCAT_3D data access portal to a SAML Service Provider (offer the functionality currently provided by the IP based portal).
3. Careful definition of the key attributes used to map 1:1 the current Authentication and Authorisation model into the new SAML-based one.
4. Implementation of a test Identity Provider for the EISCAT_3D community for testing/piloting purposes, to be used jointly with the test Service Provider.
5. Set up of the COmanage instance.
6. Set up of the SATOSA proxy.
7. Integration of SP, Proxy, IdP, COmanage.
8. Integration of plugins vs Social Identity Providers (OIDC/OAuth2).
9. First full functional test of the whole, integrated system.
10. Plan and Implement of the migration of the current user community to the federated AAI model.

To support the implementation of the whole pilot in its various phases, a specific training for the EISCAT_3D community will be organized by AARC NA2 at a later point, in close collaboration with SA1.

Current understanding of pilot architecture, as proposed in Milan at the PlugFest - Sketchy whiteboard notes :