Authentication and Authorization Overview Kimmo Koskenniemi, Antti Arppe, Mikael Lindén University of Helsinki, CSC – IT Centre for Science Consortium.

Presentation transcript:

Authentication and Authorization Overview
Kimmo Koskenniemi, Antti Arppe, Mikael Lindén
University of Helsinki, CSC – IT Centre for Science
Consortium meeting – Legal thematic session, Barcelona

Consortium Meeting Barcelona
CLARIN players and their relationships
[Figure: Copyright Owner, Content Provider, Service Provider, CLARIN User, Authorization Records, Access Database; dashed arrows: flow of permissions; solid arrows: data flow and other connections]

CLARIN legal entities (1)
- Copyright Owner – CO
- Content Provider – CP
- Service Provider – SP
- Identity Federation – IdF
- Identity Provider – IdP
- CLARIN User – CU
- How do these map to the CLARIN centre types (in the WP2 documentation)?

CLARIN legal entities (2)
- Copyright Owners (CO)
  - the authors and publishers, or whoever possesses the original (or acquired) rights
- Content Providers (CP)
  - organizations which acquire language materials and sufficient rights from the Copyright Owners (CO)
  - may also produce these resources themselves
  - the rights needed by the CP typically include the right to grant some end users the right to access and use the materials
  - COs may put restrictions on who may use the materials and in which ways they may be used, e.g. only for research purposes, or no copies other than customary citations
  - deposit the material at a CLARIN Service Provider (SP)

CLARIN legal entities (3)
- Service Provider (SP)
  - institution which provides technical access to the LRT, usually a computing centre
  - agrees to allow CLARIN end-users access to the materials only according to the authorization by CPs: some materials automatically for larger groups, others only according to individual applications
  - agrees to protect the material against unauthorized access
- The CLARIN infrastructure will consist of several SPs linked together by agreements
- Several CPs may be connected to each SP

CLARIN legal entities (4)
- CLARIN Identity Federation (IdF)
  - consists of IdPs which operate according to a common policy (e.g. Haka in Finland, DFN in Germany, SurfFederatie in Holland)
  - SPs make agreements with IdFs; each SP cooperates with all CLARIN IdFs
- Identity Providers (IdP) are existing institutional identity services (e.g. the University of Helsinki as a part of Haka)
  - used for identifying large groups of people such as the staff of organizations or students
  - the (unique) identity provided by IdPs within IdFs is the basis for identifying CLARIN Users (CUs)
- CLARIN User (CU)
  - identified and authenticated with the attributes provided by an IdP

CLARIN legal entities (5)
- The CLARIN AA infrastructure consists of
  - many CP institutions
  - not so many SP centres; each CP is typically associated with one SP centre
  - CO involvement restricted to the negotiations and agreements by which CPs acquire LRT content from them
- CLARIN SPs are linked with all national IdFs using SAML2 and the identities they provide
- One organization may offer several functions
  - some units may provide both the CP and SP functions
  - some CLARIN SP may maintain a national IdP federation (e.g. CSC maintains Haka in Finland)

Authorization
- CP institutions control authorization by maintaining the contents of the CLARIN Authorization Records (ARs)
  - binding legal documents with (electronic) signatures which indicate which materials each CU is allowed to use, and how
- Some end-user licenses may be granted automatically upon the electronic signature by the CU
  - the permitted uses of the material may vary
- Some materials require a more elaborate application by the CU and processing by the CP, including
  - explaining and justifying the need to use a material
  - a possible recommendation (through an electronic signature)
  - acceptance or denial of the application
- All rights the CP can grant to the CUs to use materials must have been acquired from the CO

CLARIN players and their relationships
[Figure: Copyright Owner, Content Provider, Service Provider, CLARIN User, Authorization Records, Access Database; dashed arrows: flow of authorizing; red arrows: flow of access]

Authorization
- The ARs are technically maintained by the SPs
- The ARs are based on
  - unique IdP identities
  - potentially required (electronic) signatures confirming the acceptance of the relevant license terms
- The Access Database contains the core information of the ARs, i.e. which materials (identified by PIDs) a user (identified by his IdP identity) is allowed to use – according to the Single Sign-On (SSO) principle

Agreements between CLARIN legal entities
- CO–CP: acquisition of permissions
- CP–SP: resource deposition agreements, including AR and access database maintenance
- SP–SP: agreement on uniform services
- SP–IdF: agreement on secure and uniform identification (SP–IdP agreement on the same in the absence of national IdFs)
- IdF–IdF: confederations (eduGAIN etc.) on common policies and the interpretation of attributes
- CP–CU: end-user license

CLARIN players and their relationships
[Figure: Copyright Owner, Content Provider, two Service Providers, CLARIN User, Authorization Records, Access Database; red arrows: agreements]

CLARIN SP-SP agreement (1)
- links all CLARIN SP centres together
- harmonizes their CLARIN services
  - CUs can identify themselves using their local IdP services
  - CUs can access the materials at any SP centre according to their permissions in the ARs
- contains some obligations for each of the participating centres
  - responsibility to enter into the necessary agreements with the IdPs used within CLARIN
  - may include agreements allowing the use of identity information in a systematic way together with the other centres in the group

CLARIN SP-SP agreement (2)
- states the set of minimum requirements for usage, deposition and authorization rights
  - which a CP must be able to grant to all SPs
  - which each CP has to have negotiated with and acquired from each CO
  - to allow for the use of these materials throughout the CLARIN federation of SPs
  - (in the form of a checklist or model licensing templates)
- requires that the CPs of the SP may only include materials with sufficient rights in the CLARIN services

CLARIN LRT deposition agreement: CP ↔ SP
- between each CP institution and the associated SP centre
- preferably, the rights should permit depositing the material in more than one CLARIN SP centre at the same time → back-up, mirroring etc.
- the SP (or the SPs) must agree to allow users to access only materials for which they have an explicit authorization by the CP
- the SP must also agree to destroy the copies of the materials on the possible termination of the agreement

Deposition agreement: CP ↔ SP
- The materials, tools and services can be classified by the limitations on their use into three general categories:
  1. materials which can be freely used by anyone
  2. materials to which the CP can grant a license automatically through an electronic signature by the user (unilaterally)
  3. materials which can only be accessed according to an individual application by the user and after individual consideration by the CP (bilaterally)
- License agreements typically impose limitations on usage to which the user commits upon receiving permission, e.g. only for academic research and education

Deposition agreement: LRT metadata requirements
- In addition to providing the actual content, the CP is also responsible for
  - supplying some metadata in a CLARIN standard format
  - exact information about the authorization scheme for the material:
    i. who is/are authorized to grant the permissions for users
    ii. what qualifications the individual applicants must satisfy, and
    iii. what license agreement the applicants must sign (including the license text which tells the exact conditions of use)
- The CP may also have to indicate the level of trust needed for identifying the CUs

[Figure: authorization and access for material M – Content Provider (metadata for M, assurances and licenses), User site (IdP), Service Provider (material M, Access Database); labelled Authorization – Access]

Simple authorization workflow (1)
Category 2 – resource available to users upon one-sided commitment to research use
1. Raymond Researcher from the MPI in Nijmegen wants to use language resource G, stored at CSC in Helsinki/Espoo
2. Raymond goes to the CLARIN resource listing as a new CLARIN user
3. Raymond selects resource G – with unique PID(G) – from a list
   - the service informs Raymond that he has to agree to and sign the CLARIN general End-user License Agreement (EULA) concerning research use
4. Raymond clicks the link ”Apply for access to resource G”

Simple authorization workflow (2)
5. Raymond is redirected to the AR service at CSC (https://ar.csc.fi/licenses/request) by logging in through his Dutch national IdF service SurfFederatie (specifically his local IdP: MPI/Nijmegen)
   - Raymond is shown the general CLARIN terms of use (EULA) for research purposes
6. Raymond ticks the box ”I have read and understood these terms of use for research and agree to abide by them” and presses the ”Agree” button
   - Raymond's identity attributes ( ) as provided by his IdP (MPI/Nijmegen) are now linked with the resource identifier PID(G) in the Authorization Records (AR) at CSC

Simple authorization workflow (3)
7. Raymond proceeds to get access to resource G

Complex authorization workflow (1)
Category 3: user commitment to specific license terms, and individual recommendation and consideration required
1. Raymond Researcher from the MPI/Nijmegen wants to use language resource S at CSC, ”managed” by Kimmo Koskenniemi
2. Raymond goes to the CLARIN resource listing
3. Raymond selects resource S – identified with unique PID(S) – from a list
   - the service informs Raymond that access to resource S requires authorization granted personally by Kimmo Koskenniemi
4. Raymond clicks the link ”Apply for access to resource S”

Complex authorization workflow (2)
5. Raymond is redirected to the AR service at CSC by logging in through his national IdF service SurfFederatie (specifically his local IdP: MPI/Nijmegen)
6. Raymond writes an English motivation why he should be granted access to resource S. In addition, Raymond
   - includes his PhD research plan abstract
   - provides a link to his home page at his home university
   - selects Peter Wittenburg from a list of Dutch national referees
   - reads and signs the general and resource-specific terms
   - clicks the button 'Send application'

Complex authorization workflow (3)
7. Peter Wittenburg receives an e-mail from the AR at CSC: ”Raymond Researcher from the MPI/Nijmegen asks you for a recommendation to use resource S. In order to give the recommendation, click the link”
8. Peter clicks the link and logs into the AR at CSC with the Dutch national IdF SurfFederatie (specifically his local IdP: MPI/Nijmegen)
9. Peter is presented with Raymond's application (along with the attachments), browses them, writes a few words of recommendation to Kimmo, and clicks the button 'Recommend'

Complex authorization workflow (4)
10. Kimmo Koskenniemi at the University of Helsinki receives an e-mail from the AR at CSC: ”Raymond Researcher from the MPI/Nijmegen asks you for permission to use resource S. Peter Wittenburg from MPI/Nijmegen supports Raymond's application. In order to grant the permission, click the link”
11. Kimmo clicks the link and logs into the AR at CSC with the Finnish national IdF Haka (specifically via his local IdP: University of Helsinki)

Complex authorization workflow (5)
12. Kimmo is presented with Raymond's application (along with the attachments) as well as Peter's recommendation, browses them, and clicks the button 'Grant permission'
    - Raymond's identity attributes ( ) are linked in the AR at CSC with the data indicating that he is now authorized to access resource S – identified by the unique PID(S)
13. Raymond receives an e-mail from the AR at CSC: ”You have been granted permission to use resource S. You now have access to this resource.”
    - Raymond may then access S at CSC by authenticating himself via the Dutch SurfFederatie IdF ( ), which has CSC as one of its many Service Providers
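The two workflows above (category 2: license created by the user's own electronic signature; category 3: application, referee recommendation, then a grant by the CP's named authorizer), the Access Database of the earlier Authorization slide (authorized identity/PID pairs) and the deposition metadata requirements (who may grant, what trust level is needed) are modelled together in the following added Python example. It is not code from the presentation or from CLARIN/CSC; the class names, the principals such as raymond@mpi.example, the assurance levels and the PID strings are all constructed for illustration, and the enforcement rules (no access without an explicit record, only the named referee may recommend, only the named authorizer may grant, the IdP's assurance level must meet the CP's minimum) are the slides' requirements expressed as checks.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Category(Enum):
    OPEN = 1           # category 1: freely usable by anyone
    CLICK_THROUGH = 2  # category 2: license granted on the user's electronic signature alone
    INDIVIDUAL = 3     # category 3: application, referee recommendation and CP decision


@dataclass(frozen=True)
class Material:
    pid: str                          # persistent identifier, PID(G) in the slides
    category: Category
    min_assurance: int                # level of trust the CP requires for identifying CUs
    authorizer: Optional[str] = None  # principal entitled to grant access (category 3 only)


@dataclass(frozen=True)
class Identity:
    # attributes asserted by the user's home IdP through its IdF (all values constructed)
    principal: str   # unique IdP identity, e.g. 'raymond@mpi.example'
    idp: str
    assurance: int   # identity assurance level the IdP vouches for


class AccessDatabase:
    """Hypothetical AR store: authorized (principal, PID) pairs plus pending applications."""

    def __init__(self, catalogue):
        self.catalogue = {m.pid: m for m in catalogue}
        self.records = set()  # the ARs: (principal, pid) pairs explicitly authorized by the CP
        self.pending = {}     # (principal, pid) -> application under consideration

    def _material(self, user, pid, category=None):
        # the material, if it exists, is of the wanted category and the user is identified well enough
        m = self.catalogue.get(pid)
        if m is None or user.assurance < m.min_assurance:
            return None
        if category is not None and m.category is not category:
            return None
        return m

    def may_access(self, user, pid):
        """SP-side check: everything except open material needs an explicit AR."""
        m = self._material(user, pid)
        return m is not None and (m.category is Category.OPEN or (user.principal, pid) in self.records)

    def sign_eula(self, user, pid, agreed):
        """Category 2: the CU's signature of the general EULA creates the AR directly."""
        if not agreed or self._material(user, pid, Category.CLICK_THROUGH) is None:
            return False
        self.records.add((user.principal, pid))
        return True

    def apply(self, user, pid, motivation, referee, signed_terms):
        """Category 3, step 6: motivation, chosen referee and signed resource-specific terms."""
        if not signed_terms or not motivation.strip() or self._material(user, pid, Category.INDIVIDUAL) is None:
            return False
        self.pending[(user.principal, pid)] = {"applicant": user, "referee": referee, "recommended": False}
        return True

    def recommend(self, referee, applicant_principal, pid):
        """Steps 7-9: only the referee named in the application may recommend it."""
        app = self.pending.get((applicant_principal, pid))
        if app is None or app["referee"] != referee.principal:
            return False
        app["recommended"] = True
        return True

    def grant(self, authorizer, applicant_principal, pid):
        """Steps 10-12: only the CP's named authorizer grants, and only a recommended application."""
        app = self.pending.get((applicant_principal, pid))
        if app is None or not app["recommended"]:
            return False
        m = self._material(app["applicant"], pid, Category.INDIVIDUAL)
        if m is None or m.authorizer != authorizer.principal:
            return False
        self.records.add((applicant_principal, pid))
        del self.pending[(applicant_principal, pid)]
        return True


def run_workflows():
    """Replays both slide workflows on constructed data and returns each step's outcome."""
    db = AccessDatabase([
        Material("PID(G)", Category.CLICK_THROUGH, min_assurance=1),
        Material("PID(S)", Category.INDIVIDUAL, min_assurance=2, authorizer="kimmo@helsinki.example"),
    ])
    raymond = Identity("raymond@mpi.example", "MPI/Nijmegen", assurance=2)
    peter = Identity("peter@mpi.example", "MPI/Nijmegen", assurance=2)
    kimmo = Identity("kimmo@helsinki.example", "University of Helsinki", assurance=2)
    other = Identity("someone@other.example", "Other IdP", assurance=1)
    return {
        "g_before_signature": db.may_access(raymond, "PID(G)"),
        "g_signed": db.sign_eula(raymond, "PID(G)", agreed=True),
        "g_after_signature": db.may_access(raymond, "PID(G)"),
        "s_signature_alone": db.sign_eula(raymond, "PID(S)", agreed=True),
        "s_applied": db.apply(raymond, "PID(S)", "constructed motivation", peter.principal, True),
        "s_grant_unrecommended": db.grant(kimmo, raymond.principal, "PID(S)"),
        "s_recommended": db.recommend(peter, raymond.principal, "PID(S)"),
        "s_grant_by_referee": db.grant(peter, raymond.principal, "PID(S)"),
        "s_granted": db.grant(kimmo, raymond.principal, "PID(S)"),
        "s_after_grant": db.may_access(raymond, "PID(S)"),
        "s_other_user": db.may_access(other, "PID(S)"),
    }
```

Calling run_workflows() walks Raymond through both resources: the category 2 EULA signature alone unlocks G, while for S the same signature is refused, the grant fails until Peter (and nobody else) has recommended, Peter cannot grant in Kimmo's place, and a user whose IdP asserts a lower assurance level than the CP demands is denied even for a resource he has not applied for. The design keeps the decision in one place, the Access Database, so the SP's only question at access time is may_access(); the CP's policy lives in the Material metadata rather than in the SP's code.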

Thank you for your attention
CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement number

CLARIN players and their relationships
[Figure: Copyright Owner, Content Provider, Service Provider, CLARIN User, Authorization Records, Access Database; dashed red arrows: next talk by Marjut Salokannel]