AAI needs of the Distributed Computing Infrastructures - CLARIN Dieter Van Uytvanck Max Planck Institute for Psycholinguistics EGI Technical Forum 2010 Amsterdam

2 Overview  Introduction: what is CLARIN?  Long-term AAI objectives:  Cross-border federation  License consent service  Relayed trust for web services  Issues

3 What is CLARIN?  “Common Language Resources and Technology Infrastructure”  The CLARIN (FP7) project:  a distributed pan-European research infrastructure  aim: providing language resources and technology in a user- friendly way  target group: Humanities and Social Sciences researchers  Resources: Lexica, text corpora, multi-media/multi-modal recordings, …  Software: parsers, speech/video recognizers, editors, …

4  an EU Infrastructure project  with 4.2 mio euro funding for a  3 year preparatory phase (2008 – 2011)  Additional funding from national governments, currently at least 16 ME  The CLARIN consortium has now 32 partners from 26 EU countries and 178 member organisations  CLARIN EU continuation after the preparatory phase as an ERIC  This is important if only to provide a legal entity that is able to establish contracts with outside parties on behalf of the CLARIN community. CLARIN Organization

5 CLARIN and the Holy Grail (1)  A researcher authenticates at his own organization and creates a virtual collection of resources from different repositories.

6 CLARIN and the Holy Grail (2)  On the basis of:  browsing a catalogue  searching through  metadata  resource content  Afterwards:  use a workflow specification tool and  process this virtual collection using web services  (Intermediate) results and provenance data are stored in a user specific workspace that can also keep a user profile  After evaluation resulting data (including metadata) can be added to a repository and the “virtual” collection specification can be stored for future reference

7 Infrastructure components  CLARIN centers with reliable repository systems  Stable pillars of the infrastructure  Main function is taking care of data preservation and access with depositor/owner specified restrictions  Persistent identification of resources  Metadata catalog: harvesting, browsing and searching  Registries for centers and services  E.g. which centers offer metadata, where can I store my virtual collection?  Specification tool for workflow chains of web services  EU-wide federated authentication

8 Long term AAI objectives (1)  Rely on user’s home organization membership of national IDFs for establishing trust relations with the SPs  A CLARIN SP organization as a legal entity able to sign contracts with the national Identity Federations SP2 SP3 SP1 IDF a IDF b homeless users? IDF c

9 Service Provider Federation  Some numbers:  270k (FI) + 511k (NL) + ? (DE) (DK)  = more than 4 million potential users MPI BBAW IDS INL CSC SURFfederatie (~ 50 IdPs) HAKA (~ 40 IdPs) DFN-AAI (~ 60 IdPs) CLARIN SP federation prototype

10 Long term AAI objectives (2)  The CLARIN SPs become members of their national IDFs  Rely on the eduGAIN confederation to provide the trust between the national IdFs SP2 SP3 SP1 IDF a IDF b homeless users? IDF c

11 License Acceptance (1) IdP SPa SPb user SP requires license to be signed and takes care of this but only for its own domain This can break the SSO if the user is required to sign the same license several times browser license DB CLARIN will harmonize the licenses to a limited number

12 License Acceptance (2) IdP SPa SPb user browser Store the license info in the user attributes at the IdP But how does it get there? Special application? Not every IdP will/can run this license DB

13 License Acceptance (3) IdP SPa SPb user browser VO Platform license DB Create special license service. This is part of the CLARIN SPF CLARIN independent of the IDFs External User Attribute Authority

14 WS Security / delegation tokenizer parser semantic tagger WF engine authentication dataflow parserA parserB delegation Composite Web service }

15 Web Services – solutions?  “always trust the web service” rule. Any registered web service should be trusted if it claims to act on behalf of a specific user.  web services identify each other by means of server certificates, user identity itself is not proven  solution for a relatively limited number of web services, not a scalable solution.  Embody the identity (and thus the authority) of the user in a user certificate (upload, SLCS, …)  certificate is then propagated from web service to web service.  Use SAML assertions especially the Relayed-Trust SAML assertion.  the workflow engine will use the original authentication assertion it obtained from and build a RT SAML assertion that is specific for itself and the web service it needs to access

16 Issues encountered  AAI should make access to Services easier, but  Multi-level WAYF screens (confusing for users!)  Attribute release consent dialog (confusing for users!)  Opt-in policy to give IdPs access to SP (SurfFederatie eg.)  Sometimes even an additional contract to be signed per SP Service Provider

17 Further information 

Thank you for your attention CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement n°