Pilot Description

The LIGO Scientific Collaboration, along with the Virgo collaboration, analyses data generated by the LIGO, Virgo and GEO600 detectors to search for gravitational waves. It enables collaboration between approximately 1000 researchers in 20 countries. Data, documents, and other resources need to be shared amongst many different combinations of groups of researchers. We use SAML and X.509 certificate technologies with a single internal Identity Provider.

This pilot will introduce an AAI architecture according to the AARC BPA. The pilot will also be used to move several service providers to make use of the AAI and therefore federated identities. We will use SATOSA for the SAML proxy and pyFF for metadata aggregation and discovery.

The LIGO Scientific Collaboration (LSC) is a group of scientists focused on the direct detection of gravitational waves, using them to explore the fundamental physics of gravity, and developing the emerging field of gravitational wave science as a tool of astronomical discovery. The LSC works toward this goal through research on, and development of techniques for, gravitational wave detection; and the development, commissioning and exploitation of gravitational wave detectors. The LSC carries out the science of the LIGO Observatories, located in Hanford, Washington and Livingston, Louisiana, as well as that of the GEO600 detector in Hannover, Germany. Our collaboration is organised around three general areas of research: analysis of LIGO and GEO data searching for gravitational waves from astrophysical sources, detector operations and characterisation, and development of future large-scale gravitational wave detectors. Founded in 1997, the LSC is currently made up of more than 1200 scientists from over 108 institutions and 18 countries worldwide.

Each member of the LSC is assigned an albert.einstein identity and they manage this account and their credentials via the my.ligo.org application. This pilot aims to investigate the infrastructure and organisational changes required to support the use of federated institutional entities alongside existing internal credentials. In particular it will identify technological components and deploy a pilot service to be used for evaluation. It will also work to understand the current limitations of federated identities as applied to the LSC, and recommend alternative approaches where applicable.

SAML proxies are increasingly being used to easily connect all of a collaboration's resources into the eduGAIN network, and this would demonstrate its success for a large, established collaboration. The AARC Blueprint Architecture is important in shaping the design and features of this pilot.

Results


Following discussions within the LSC Identity and Access Management group, it was decided that the pilot will deploy SATOSA and pyFF to create a SAML proxy between the eduGAIN institutional identity providers and the LSC's service providers. SATOSA will act as the central SAML proxy of the project, while pyFF will be used to aggregate SAML metadata from eduGAIN and the LSC, and also provide the discovery service interface. This would allow LSC and Virgo members to use their institutional credentials to access LSC resources directly. Institutional identities would be mapped to a user's albert.einstein identity via an account linking step, so that LIGO-specific information, in particular group and identity information, would be connected to the user identity.

A pilot instance was deployed, registered in the eduGAIN metadata, and underwent extensive testing using a number of existing LSC resources. Within the pilot, account linking between institutional identities and a user's LSC identity was performed using a manual administration step.
Demonstration of the discovery service in action.

Sustainability


Going forward, an instance of COmanage will be deployed to handle the account linking workflow, as well as more aspects of user management currently handled by a number of custom applications. To move the pilot into production, the SATOSA and pyFF services must be deployed in a fault-tolerant manner. The LSC has recently deployed a cloud-based instance of the main Identity Provider, and we will take a similar approach to deploy this suite of components. The project is deploying an IdP/SP proxy based on SATOSA. The IdP/SP proxy will be registered in the LIGO metadata and pushed up to eduGAIN. A number of SPs will be connected to this proxy.