J. Quinteros, A. Heinloo, B. Weber, L. Hämmerle and W. Pempe


1 A novel AAI approach for the European Integrated Data Archive within EPOS
J. Quinteros, A. Heinloo, B. Weber, L. Hämmerle and W. Pempe
DI4R-2016 – Krakow, September 28th 2016

2 EIDA within Orfeus
The European Integrated Data Archive (EIDA) is a distributed data center established to securely archive seismic waveform data and metadata gathered by European research infrastructures, and to provide transparent access to the archives for the geosciences research communities. EIDA nodes are data centers which collect and archive data from seismic networks deploying broad-band sensors, accelerometers and other geophysical instruments.

3 EIDA within Orfeus
Protocols to share data
Daily synchronization of metadata
Development of clients and tools
Common policies for data curation
Statistics
Maintenance of routing tables

4 Existing EIDA authentication mechanisms
Arclink: proprietary protocol to access seismic waveforms. It was a de facto standard in Europe. It allowed for the creation of federations of data centers. Authentication is based on the account and no passwords need to be sent by the user, but... passwords are needed to decrypt data! (one password per data center). Authorization is based on pattern-matching of the address.
FDSN* web service: it works on data centers and not federations. HTTP digest authentication.
(* Federation of Digital Seismograph Networks)

5 Why is HTTP digest not optimal for EIDA?
User perspective: the user has to manage independent credentials for each EIDA data center (unless a central LDAP server or similar is used).
Data center perspective: pattern-matching is not possible, so each individual user has to be added manually, and each user has to be deleted when the account expires. Problematic for brokers (who make requests on behalf of users).

6 EIDA Authentication System (EAS)
Challenges: users from hundreds of institutions want to access data. Unified login for users. Can we skip the maintenance of a user database? No exchange of sensitive information. Support retrieval of restricted data from scripts!
Speaker note: EAS prototype, no user DB!, eduGAIN, 2000 IdPs, token, use it for services.

7 Why eduGAIN initially? It works with one of the de facto standards (SAML/Shibboleth). We do not need to keep track of the user database (at least not passwords). Ca. 2000 Identity Providers. Some nodes already belonged to eduGAIN when we started. Most of them have joined since then and we work to include the few remaining DCs.

8 EIDA-AAI solution We developed a prototype of an authentication system to be used in federated environments. Secure use of the services from scripts and browser. EAS provides users with a digitally signed token, valid for a limited time, carrying information about the user. Once you have this token locally, it can be used to query services without the need to log in again.

9 EIDA-AAI solution Separate authentication from data services (leaving just authorization to the data services). Pattern-based authorization (data access rules): the authorization system can make use of the user attributes in the token to allow/deny access to resources. We also support -based authentication and, in the future, other mechanisms (e.g. OAuth).

10 FDSN web service extension
The user presents the list of attributes to the /auth method (HTTPS) of a data service. The digital signature is verified. A temporary account (for /queryauth) is created. Access is granted based on pattern-matching of the attributes (e.g., eduPersonPrincipalName LIKE is given access to network XX).
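The flow of slides 8 to 10 (EAS issues a signed, time-limited token with user attributes; the data service's /auth verifies it, creates a temporary /queryauth account, and decides access by pattern-matching the attributes) can be modelled in a few dozen lines. The following is an added example written for this transcript, not code from EAS or EIDA. It assumes a token layout of base64(JSON payload).base64(signature), uses an HMAC with a shared key as a stand-in for the asymmetric signature the real service would check with the EAS public key (so it runs on the Python standard library alone), and uses constructed access rules and a constructed 24-hour account lifetime; attribute patterns are shell-style globs standing in for the slide's LIKE syntax.

```python
"""Model of the EIDA /auth + /queryauth flow (slides 8-10): signed attribute
token -> signature and validity check -> attribute pattern rules -> temporary
credentials that expire by themselves (no manual user deletion, cf. slide 5)."""
import base64
import binascii
import fnmatch
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumption: the real token is asymmetrically signed by EAS; an HMAC with a
# shared demo key stands in here so the example needs no third-party library.
EAS_KEY = b"constructed-demo-key"

# Constructed access rules: (attribute name, glob pattern, network code).
# Slide 10 phrases these as "eduPersonPrincipalName LIKE <pattern> -> network XX".
ACCESS_RULES = [
    ("eduPersonPrincipalName", "*@example-univ.edu", "XX"),
    ("mail", "*@partner.example.org", "YY"),
]

TEMP_ACCOUNT_TTL = 24 * 3600  # constructed lifetime of a /queryauth account
TEMP_ACCOUNTS = {}            # user -> {"password", "networks", "expires"}


def sign_token(payload: dict, key: bytes = EAS_KEY) -> str:
    """What EAS would do after the eduGAIN login: sign the attribute payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()


def verify_token(token: str, key: bytes = EAS_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the attribute dict if signature and validity window check out, else None."""
    try:
        b64body, b64sig = token.split(".", 1)
        body = base64.b64decode(b64body, validate=True)
        sig = base64.b64decode(b64sig, validate=True)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        attrs = json.loads(body)
    except ValueError:
        return None
    now = time.time() if now is None else now
    # Token is valid for a limited time only (slide 8); reject outside the window.
    if not (attrs.get("valid_from", 0) <= now < attrs.get("valid_until", 0)):
        return None
    return attrs


def authorized_networks(attrs: dict, rules=ACCESS_RULES) -> list:
    """Pattern-based authorization: every matching rule grants its network."""
    nets = set()
    for attr, pattern, net in rules:
        value = attrs.get(attr)
        if isinstance(value, str) and fnmatch.fnmatchcase(value, pattern):
            nets.add(net)
    return sorted(nets)


def auth_endpoint(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """/auth: verify the token, create a temporary account, return its credentials."""
    now = time.time() if now is None else now
    attrs = verify_token(token, now=now)
    if attrs is None:
        return None
    user, password = secrets.token_hex(8), secrets.token_urlsafe(16)
    TEMP_ACCOUNTS[user] = {
        "password": password,
        "networks": authorized_networks(attrs),
        "expires": now + TEMP_ACCOUNT_TTL,
    }
    return user, password


def queryauth(user: str, password: str, network: str, now: Optional[float] = None) -> bool:
    """/queryauth: accept only live temporary credentials allowed for the network."""
    now = time.time() if now is None else now
    acct = TEMP_ACCOUNTS.get(user)
    if acct is None or now >= acct["expires"]:
        TEMP_ACCOUNTS.pop(user, None)            # expired accounts vanish on their own
        return False
    if not hmac.compare_digest(password, acct["password"]):
        return False
    return network in acct["networks"]


if __name__ == "__main__":
    tok = sign_token({"eduPersonPrincipalName": "alice@example-univ.edu",
                      "valid_from": 1000, "valid_until": 2000})
    cred = auth_endpoint(tok, now=1500)
    print("credentials issued:", cred is not None)
    print("XX allowed:", queryauth(cred[0], cred[1], "XX", now=1600))
    print("YY allowed:", queryauth(cred[0], cred[1], "YY", now=1600))
```

The data service never sees a password from the identity provider and keeps no user database: the account it creates lives only as long as the constructed TTL, which is the property slide 5 misses in the HTTP digest setup.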

11 Example
Authenticate in web browser (eduGAIN): ...
Get temporary queryauth credentials: wget --post-file eidauser.asc -O cred.txt
Get data: wget -O data.mseed

12 Command line client (fdsnws_fetch)
Example: fdsnws_fetch -a token.asc -N "*" -S "A*" -L "*" -C "LHZ" -s " T07:00:00Z" -e " T08:00:00Z" -v -o data.mseed
Works on top of the official EIDA Routing Service running at GEOFON. Data and metadata are retrieved from standard FDSN web services. Able to handle tokens issued by the EIDA Authentication Service.

13 Conclusions
GEOFON is continuously working to improve the user experience, to facilitate access to data and its usage, and to improve the exchange of data between data centres.
Federation instead of centralization: provide users a unified, integrated view of data. Search data focused on scientific purposes and not on management/political reasons.
Scalable solution: researchers worldwide can benefit through the global eduGAIN infrastructure.
Solution developed user-driven, from researchers for researchers.
Adaptable to other communities, who have already expressed their interest.

14 Thank you for your attention!

15 EPOS-IP European Plate Observing System
EPOS is integrating the diverse but advanced European Research Infrastructures for solid Earth science, and will build on new e-science opportunities to monitor and understand the dynamic and complex solid-Earth system. GEOFON involvement: EIDA-NG development, routing service, federated identity management. The second pillar is the GFZ seismological data archive, the largest seismological archive in Europe: ~10 GB/day incoming, ~200 GB/day served from the archive on peak days.

16 GFZ scientific infrastructure
Enhancing accessibility at European and global scale. GFZ seismological datasets are open data (except for embargoes on temporary experiments).
EIDA (European Integrated Data Archive) => EUDAT (the pan-European Data Infrastructure) => EPOS (European Plate Observing System)
Safe replication, identity management, data discovery, data staging, dynamic data, integration and interoperability with other solid Earth science infrastructures.

17 Federative Authentication
EAS prototype, eduGAIN, 2000 IdPs, token, use it for services.

