Pilot Description
The LIGO Scientific Collaboration (LSC) is a group of scientists focused on the direct detection of gravitational waves, using them to explore the fundamental physics of gravity, and developing the emerging field of gravitational wave science as a tool of astronomical discovery. The LSC works toward this goal through research on, and development of techniques for, gravitational wave detection; and the development, commissioning and exploitation of gravitational wave detectors. The LSC carries out the science of the LIGO Observatories, located in Hanford, Washington and Livingston, Louisiana as well as that of the GEO600 detector in Hannover, Germany. Our collaboration is organised around three general areas of research: analysis of LIGO and GEO data searching for gravitational waves from astrophysical sources, detector operations and characterisation, and development of future large scale gravitational wave detectors. Founded in 1997, the LSC is currently made up of more than 1200 scientists from over 108 institutions and 18 countries worldwide.
Each member of the LSC is assigned an albert.einstein identity and they manage this account and their credentials via the my.ligo.org application. This pilot aims to investigate the infrastructure and organisational changes required to support the use of federated institutional entities alongside existing internal credentials. In particular it will identify technological components and deploy a pilot service to be used for evaluation. It will also work to understand the current limitations of federated identities as applied to the LSC, and recommend alternative approaches where relevant.
SAML proxies are increasingly being used to easily connect all of resources within a collaboration into the eduGAIN federation and this would demonstrate it's application for a large, established collaboration.
Pilot goals
The goal of this AARC project is design and deploy a pilot SAML proxy instance that would allow users to use their Institutional Identities in a federated manner. It will also investigate the limitations of a SAML proxy and recommend alternative solutions to these issues. Finally, we will look at other areas where the SAML proxy can be utilised.
Description
Following discussions within the LSC it was decided that the pilot would deploy SATOSA create a SAML proxy between the eduGAIN institutional identity providers and the LSC's service providers. This would allow LSC and Virgo members to use their institutional credentials to access LSC resources directly. Institutional identifies would be mapped to a user's albert.einstein identity via a internal account linking, and LIGO specific information; in particular group and identity information would be used to annotate the account. SATOSA will act as the central SAML Proxy of the project, while pyFF will be used to aggregate SAML metadata from EduGAIN and the LSC, and also provide the discovery service interface.
Components
| Component | Description | Technology | Why did we choose it |
|---|---|---|---|
| SAML Proxy | SAML IdP to SAML SP Proxy | SATOSA | Popular Python based package that includes services for adding attributes from external source |
| Metadata aggregation | Aggregate and process SAML metadata from multiple sources | PyFF | Popular Python based package that allows you to customise SAML metadata processing and also supports Metadata Query Service |
| Discovery Service | Present list of IdPs to user | PyFF | PyFF already used to aggregate metadata, and includes a good, theme-able discovery service interface |
| Attribute Store | Source of additional user attributes and group membership | Grouper + LDAP | LSC user group membership and extended attributes already managed and stored in Grouper |
| Account Linking Service | Link institutional IdP identity to LSC user identity | COManage | COManage provides workflows for linking accounts and is already used with the GW Astronomy community for collaboration management. |
Architecture
Use Cases
Successful Federated Identity Login
| Step | Action | Screenshot |
|---|---|---|
| 1 | Visit SP Website and select Satosa SAML Proxy from the list of IdPs |
|
| 2 | Select Home IdP from DS |
|
| 3 | Login at Institutional IdP |
|
| 4 | Access SP |
|
Link Federated Identity
| Step | Action | Screenshot |
|---|---|---|
| 1 | Visit SP Website and select Satosa SAML Proxy from the list of IdPs |
|
| 2 | Select Home IdP from DS |
|
| 3 | Login at Institutional IdP |
|
| 4 | Account Linking |
|
| 5 | Access SP |
|
Results
A Pilot instance has been deployed and has been registered in the eduGAIN metadata and is undergoing testing.
Limitations
There are two areas where the use of federated identities is limited. Firstly, the the LIGO detectors are situated in remote locations loss of access to the internet are common and it would be impossible for anybody working thereto connect to their home IdPs. Therefore, people working at or visiting the detectors will need to continue to use their LSC credentials and the local IdP replicas. Secondly, the LSC rely on X509 certificates to access compute clusters and other resources. Most users obtain their certificates from the CILogon service using the ligo-proxy-init command line tool which uses SAML ECP to obtain a certificate without a web browser. Although some institutional IdPs support ECP this is severely limited, and not expected to improve. Therefore, for users who require this they will still require a dedicated password to access this resource via the LIGO IdP.
Further information
Following the completion of this pilot the service will be adopted into the LSC Identity and Access Management core services. A fault tolerant service will be maintained in the cloud.