J. Quinteros, A. Heinloo, B. Weber, L. Hämmerle and W. Pempe

A novel AAI approach for the European Integrated Data Archive within EPOS
J. Quinteros, A. Heinloo, B. Weber, L. Hämmerle and W. Pempe
DI4R-2016, Krakow, September 28th 2016

EIDA within Orfeus The European Integrated Data Archive (EIDA) is a distributed data center established to: securely archive seismic waveform data and metadata gathered by European research infrastructures, and to provide transparent access to the archives by the geosciences research communities. EIDA nodes are data centers which collect and archive data from seismic networks deploying broad-band sensors, accelerometers and other geophysical instruments.

EIDA within Orfeus
- Protocols to share data
- Daily synchronization of metadata
- Development of clients and tools
- Common policies for data curation
- Statistics
- Maintenance of routing tables

Existing EIDA authentication mechanisms
Arclink: a proprietary protocol to access seismic waveforms. It was a de facto standard in Europe and allowed the creation of federations of data centers. Authentication is based on the user's e-mail address and no password is sent by the user, so the request itself is not really authenticated, but... passwords are still needed to decrypt the data (one password per data center). Authorization is based on pattern-matching of the e-mail address.
FDSN* web service: works at the level of individual data centers, not federations. Uses HTTP digest authentication.
(* Federation of Digital Seismograph Networks)

Why is HTTP digest not optimal for EIDA?
User perspective: the user has to manage independent credentials for each EIDA data center (unless a central LDAP server or similar is used).
Data center perspective: pattern-matching (e.g. *@gfz-potsdam.de) is not possible, so each individual user has to be added manually and deleted again when the account expires. This is also problematic for brokers, which make requests on behalf of users.

EIDA Authentication System (EAS): challenges
- Users from hundreds of institutions want to access data.
- Unified login for users.
- Can we skip the maintenance of a user database?
- No exchange of sensitive information.
- Support retrieval of restricted data from scripts!

Why eduGAIN initially?
- It works with one of the de facto standards (SAML/Shibboleth).
- We do not need to keep track of the user database (at least not of passwords).
- ca. 2000 Identity Providers.
- Some nodes already belonged to eduGAIN when we started. Most of them have joined since then, and we are working to include the few remaining data centers.

EIDA-AAI solution
We developed a prototype of an authentication system to be used in federated environments, allowing secure use of the services from both scripts and the browser. EAS provides the user with a digitally signed token, valid for a limited time, that carries information about the user. Once the token is stored locally it can be used to query services without logging in again.

EIDA-AAI solution
Authentication is separated from the data services, which are left with authorization only. Authorization is pattern-based (data access rules): the authorization system can use the attributes carried in the token to allow or deny access to resources. We also support e-mail-based authentication and, in the future, other mechanisms (e.g. OAuth).

FDSN web service extension
1. The user presents the signed list of attributes to the /auth method (https) of a data service.
2. The digital signature is verified.
3. A temporary account (for /queryauth) is created.
4. Access is granted based on pattern-matching of the attributes (e.g. eduPersonPrincipalName LIKE '%@gfz-potsdam.de' is given access to network XX).

Example
Authenticate in the web browser:
  eduGAIN: https://EAS/eidaws/auth/1/sso
  E-Mail:  https://EAS/eidaws/auth/1/email
  ...
Get temporary queryauth credentials:
  wget --post-file eidauser.asc https://WS/fdsnws/dataselect/1/auth -O cred.txt
Get data:
  wget http://`cat cred.txt`@WS/fdsnws/dataselect/1/queryauth?net=... -O data.mseed
Note that the token is posted to /auth over https, while the data request is shown over plain http: because /queryauth uses HTTP digest authentication the temporary password is not sent in the clear, but the request and the returned data are. A user:password pair placed on the command line (here via `cat cred.txt`) is also visible to other local users in the process list.

Command line client (fdsnws_fetch)
Example:
  fdsnws_fetch -a token.asc -N "*" -S "A*" -L "*" -C "LHZ" -s \
    "2010-02-27T07:00:00Z" -e "2010-02-27T08:00:00Z" -v -o data.mseed
- Works on top of the official EIDA Routing Service running at GEOFON.
- Data and metadata are retrieved from standard FDSN web services.
- Able to handle tokens issued by the EIDA Authentication Service.

Conclusions
GEOFON is continuously working to improve the user experience, to facilitate access to data and its usage, and to improve the exchange of data between data centres.
Federation instead of centralization:
- Provide users a unified, integrated view of the data.
- Search for data focused on scientific purposes, not on management/political reasons.
- Scalable solution: researchers worldwide can benefit through the global eduGAIN infrastructure.
- Solution developed user-driven, from researchers for researchers.
- Adaptable to other communities, who have already expressed their interest.

Thank you for your attention! http://geofon.gfz-potsdam.de/

EPOS-IP European Plate Observing System
EPOS is integrating the diverse but advanced European Research Infrastructures for solid Earth science, and will build on new e-science opportunities to monitor and understand the dynamic and complex solid-Earth system.
GEOFON involvement: EIDA-NG development, routing service, federated identity management.
The second pillar is the GFZ seismological data archive, the largest seismological archive in Europe: ~10 GB/day incoming, ~200 GB/day served from the archive on peak days.
http://www.epos-eu.org/

GFZ scientific infrastructure: enhancing accessibility at European and global scale
GFZ seismological datasets are open data (except for the embargo on temporary experiments).
EIDA (European Integrated Data Archive) => EUDAT (the pan-European Data Infrastructure) => EPOS (European Plate Observing System)
Safe replication, identity management, data discovery, data staging, dynamic data; integration and interoperability with other solid Earth science infrastructures.

Federated Authentication (summary): EAS prototype, eduGAIN (ca. 2000 IdPs), a signed token that can be used with the services.