Chair notes on VO Use Cases (iv), 12:45 – 14:15 6th September 2012
ELIXIR EGA AAI Pilot – Mikael Linden
The ELIXIR EGA AAI project is part of the work of the European Bioinformatics Institute (EBI). EBI has specific requirements regarding the release of genomic data sets where the individuals involved in the study have not given permission for open release, so the data can only be made available under controlled access. This is the focus of the European Genome-phenome Archive (EGA). The data amounts to over 400TB, covering over 200,000 samples. EBI acts in effect as a secure broker that makes this information available to approved researchers.
ELIXIR itself is a large umbrella project with this work forming a small element. The EGA AAI work is due to end in April 2013.
EGA currently issues a password to each individual researcher. This has created a situation where usernames and passwords are actively shared within research groups, and these credentials are often still used by researchers who have left the project and whose access should have been revoked. Given the sensitivity of the data involved, there is a strong incentive to stop this common practice.
To support this requirement, the pilot is integrating the EGA web portal with a SAML2 SP. EBI has joined the Haka federation, and the intention is to interfederate through eduGAIN and Kalmar.
The authorization flow for EGA is complex because of the approval points needed for each individual. There have been many manual steps involved, and the pilot project is trying to automate these processes.
The project has identified three ways in which the authorization can be expressed:
- With the web portal acting as a SAML proxy, injecting an eduPersonEntitlement attribute into the authentication flow. This is the option implemented at the moment, using SimpleSAMLphp.
- With the web portal acting as a SAML attribute provider (AP), returning eduPersonEntitlement in response to an attribute query.
- Using XACML with the portal (Argus).
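The following is an added example, not code from the EGA pilot or from SimpleSAMLphp, illustrating the first two options above and the credential-sharing problem described earlier: the portal sits between the home IdP and the EGA SP, looks the authenticated eduPersonPrincipalName up in its own approval records, and releases eduPersonEntitlement values that the SP enforces. The same lookup serves the push (proxy) and pull (attribute query) variants. The entitlement URN namespace, the IdP entity IDs and scopes, the dataset identifiers and the approval records are all constructed for this example. It also adds one check a proxy needs in practice: the ePPN scope must be one the asserting IdP is registered for, so no federation member can assert identities belonging to another organization.

```python
"""Added example of the SAML-proxy entitlement pattern (not EGA's code).

The portal receives attributes from the home IdP, maps the user to
time-bound dataset approvals, and forwards eduPersonEntitlement values
that the EGA SP can enforce. All identifiers below are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical URN namespace for dataset entitlements (assumption).
ENTITLEMENT_PREFIX = "urn:mace:example.org:ega:dataset:"

# Scopes each federation IdP is registered to assert (constructed).
# A proxy must reject ePPN values whose scope the asserting IdP does not
# own; otherwise any IdP could mint identities for another organization.
REGISTERED_SCOPES = {
    "https://idp.university-a.example/idp": {"university-a.example"},
    "https://idp.institute-b.example/idp": {"institute-b.example"},
}


@dataclass
class Approval:
    dataset: str
    eppn: str
    expires: date  # time-bound, so a departed researcher's access lapses


# Constructed approval records; "carol" left the project in June 2012.
APPROVALS = [
    Approval("EGAD001", "alice@university-a.example", date(2013, 4, 30)),
    Approval("EGAD002", "alice@university-a.example", date(2013, 4, 30)),
    Approval("EGAD001", "bob@institute-b.example", date(2013, 4, 30)),
    Approval("EGAD001", "carol@university-a.example", date(2012, 6, 30)),
]


def entitlements_for(eppn, today):
    """Shared authorization source for both the proxy (push) and the
    attribute-provider (pull) variants: active approvals become URNs."""
    return sorted(
        ENTITLEMENT_PREFIX + a.dataset
        for a in APPROVALS
        if a.eppn == eppn and a.expires >= today
    )


def proxy_attributes(idp_entity_id, idp_attributes, today):
    """Attributes the proxy releases to the EGA SP for one login.
    Raises ValueError if the ePPN scope is not one the IdP may assert."""
    eppn = idp_attributes["eduPersonPrincipalName"]
    scope = eppn.rpartition("@")[2]
    if scope not in REGISTERED_SCOPES.get(idp_entity_id, set()):
        raise ValueError(f"{idp_entity_id} not registered for scope {scope}")
    released = {"eduPersonPrincipalName": [eppn]}
    ents = entitlements_for(eppn, today)
    if ents:
        released["eduPersonEntitlement"] = ents
    return released


def sp_allows(released_attributes, dataset):
    """SP-side check: access only with an explicit entitlement for the dataset."""
    wanted = ENTITLEMENT_PREFIX + dataset
    return wanted in released_attributes.get("eduPersonEntitlement", [])


if __name__ == "__main__":
    today = date(2012, 9, 6)
    attrs = proxy_attributes(
        "https://idp.university-a.example/idp",
        {"eduPersonPrincipalName": "alice@university-a.example"},
        today,
    )
    print(attrs, sp_allows(attrs, "EGAD001"))
```

Because the entitlement is derived from the federated identity at each login rather than from a shared EGA password, a researcher who leaves loses access as soon as their home IdP stops authenticating them or their approval expires, whichever comes first.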
The software created for the project will be released under an opensource license.
Discussion from the group centred on two themes that will come up repeatedly within the VAMP programme: the need for all the home organizations of the researchers to participate in identity federations, and the reuse and applicability of the software created in the project. Could we reduce overheads and development time by facilitating the sharing of software developed to support VO workflows?
EUDAT: Towards a European Collaborative Data Infrastructure – Federated Identity Management and Access Control – Mark van de Sanden
EUDAT is a European Commission programme with a focus on data infrastructure. It has been in operation since 1st October 2011 and will run for 36 months.
Partners involved in the project include:
- EPOS – European Plate Observing System – which has a large and complex dataset with distributed data sensors, large-scale statistics and a full metadata schema unique to EPOS.
- CLARIN – Common Language Resources and Technology Infrastructure – CLARIN have a specific problem with having users spread over 300 centers within the EU. CLARIN have been working with Identity Federations for some time to try and find a common solution and experience for their users.
- ENES – Service for Climate Modeling in Europe – ENES again want to provide a consistent experience for their users and want to be able to work with other climate groups.
- VPH – Virtual Physiological Human – this project currently has a complex dataset with both structured and unstructured data, and complex environments to work with through typical hospital infrastructure.
- LifeWatch – Biodiversity Data and Observatories – users within this project are often in place for only a short time, so the AAI solution needs to be flexible, transient and immediate.
EUDAT are looking to provide common services to these varied VO projects, and federated identity is clearly a key component as an enabling service for the data. EUDAT has to work with many different identity domains, including community domains, federated NRENs, existing infrastructures (EGI, PRACE, eduGAIN), local institutions, OpenID providers etc. The communities are supported by different technologies including OAuth, OpenID, RADIUS, SAML2, X.509 and XACML. EUDAT is keen to distinguish between leveraging IdPs and APs, with APs provided by the communities themselves. EUDAT ask the common question: what about homeless and citizen scientists?