EGI AAI integration with ELIXIR AAI

From EGIWiki

EGI AAI: Integration with the ELIXIR AAI

How to use it?

The EGI AAI and ELIXIR AAI systems have been integrated to enable:

  • Write access to the GOCDB service registry for ELIXIR service operators. As a result of the integration, 'ELIXIR service operators' can now register and update service entries in GOCDB using their ELIXIR account for login.
  • Access to the EGI Applications Database (AppDB). The AppDB can be used as a marketplace of Virtual Machine Images (VMIs) within the ELIXIR Compute platform. A user can have three roles when accessing the EGI AppDB marketplace:
    • Visitor: Can browse publicly visible VMIs and download them for local use. Visitors do not have to login.
    • Member of a scientific community: Can register new VMIs and VMI versions in the marketplace and (optionally) can submit these to the community coordinator for inclusion in the community image list. Community members have to log in to AppDB and must have a user attribute that expresses affiliation to the community (ELIXIR VO members).
    • Coordinator of a scientific community: Can add VMIs to the community image list to trigger the replication of these VMIs to the cloud sites that support the community. The community image list includes VMIs that are of high relevance to the scientific community. Community coordinators have to log in to AppDB and must have attributes that express affiliation to a community and a coordinator role within that community (ELIXIR VO managers).

You can try the integrated system in the following way:

  1. Apply for an ELIXIR account at https://www.elixir-europe.org/intranet (Conditions and restrictions apply. Please check the page for further details)
  2. Join the ELIXIR Virtual Organisation (to connect your account with AppDB, GOCDB and cloud resources): https://perun.cesnet.cz/edugain/registrar/?vo=vo.elixir-europe.org. (This URL will change in the near future)
  3. Apply for an 'ELIXIR service operator' or 'ELIXIR infrastructure manager' role in email to Steven Newhouse <steven.newhouse@ebi.ac.uk>.
  4. If you have a 'service operator' role, then go to http://goc.egi.eu and after login add/edit your services.
  5. If you have an 'infrastructure manager' role, then go to http://appdb.egi.eu and after login add/remove VM images in the ELIXIR list: https://appdb.egi.eu/store/vo/vo.elixir-europe.org/imagelist

Architecture

ELIXIR AAI Requirements and Design

https://docs.google.com/document/d/1CMY1np3GyvPD8LcKvXljXcRO04V2zu3n_Jcg19jgNOw/edit?usp=sharing

Current status

ELIXIR VOs/groups enabled in EGI

  • Group: Community:Compute:Grid site managers - manager Steven Newhouse <steven.newhouse@ebi.ac.uk>.
  • VO: vo.elixir-europe.org where two roles have been identified: member and manager

Only users from VOs/groups listed above will get the entitlement.

GOCDB access

Access to the GOCDB requires substantial (or higher) LoA. Currently, all ELIXIR users who are members of the Grid site managers ELIXIR VO group are assigned substantial LoA by the EGI AAI and are thus able to access the GOCDB. ELIXIR group membership information is conveyed to the EGI AAI through the `eduPersonEntitlement` SAML attribute. More specifically, when a member of the Grid site managers group signs into the GOCDB using their ELIXIR login, the EGI proxy receives an `eduPersonEntitlement` attribute containing the value "elixir:Community:Compute:Grid site managers". This is mapped to an `eduPersonAssurance` attribute with the value `"https://aai.egi.eu/LoA#Substantial"`, which is then transferred to the GOCDB to denote access with a substantial LoA.

                       Attribute             Value(s)
Input from ELIXIR AAI  eduPersonEntitlement  elixir:Community:Compute:Grid site managers
Output from EGI AAI    eduPersonAssurance    https://aai.egi.eu/LoA#Substantial
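The proxy-side mapping described above, written out as an added example (this is not EGI's or ELIXIR's own code). The entitlement and LoA strings are the ones quoted on this page; the function names, the attribute-dictionary layout, the extra sample entitlement values and the choice to never forward an upstream-asserted `eduPersonAssurance` are assumptions made for illustration.

```python
from typing import Dict, List

# Values quoted on this page.
GRID_SITE_MANAGERS_ENTITLEMENT = "elixir:Community:Compute:Grid site managers"
LOA_SUBSTANTIAL = "https://aai.egi.eu/LoA#Substantial"

# Recognised ELIXIR entitlements and the EGI assurance value each one yields.
# Anything not listed here produces no eduPersonAssurance at all.
ENTITLEMENT_TO_LOA: Dict[str, str] = {
    GRID_SITE_MANAGERS_ENTITLEMENT: LOA_SUBSTANTIAL,
}

# LoA values GOCDB accepts ("substantial or higher"); only the substantial
# value is named on this page, so it is the only member here.
GOCDB_ACCEPTED_LOA = {LOA_SUBSTANTIAL}


def map_elixir_attributes(incoming: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Translate the multi-valued SAML attributes received from the ELIXIR
    AAI into the attributes the EGI proxy releases towards GOCDB.

    Assumption: the proxy is the sole source of LoA, so an eduPersonAssurance
    asserted upstream is deliberately not copied into the output.
    """
    entitlements = incoming.get("eduPersonEntitlement", [])
    # Exact, case-sensitive comparison: a prefix or substring test would also
    # accept unrelated group names that merely contain the string.
    loa_values = sorted({ENTITLEMENT_TO_LOA[e] for e in entitlements
                         if e in ENTITLEMENT_TO_LOA})
    outgoing: Dict[str, List[str]] = {}
    if loa_values:
        outgoing["eduPersonAssurance"] = loa_values
    return outgoing


def gocdb_allows_access(released: Dict[str, List[str]]) -> bool:
    """GOCDB-side check on the attributes it receives from the EGI proxy."""
    return any(v in GOCDB_ACCEPTED_LOA for v in released.get("eduPersonAssurance", []))


if __name__ == "__main__":
    # Constructed sample users (the second entitlement strings are made up).
    manager = {"eduPersonEntitlement": [GRID_SITE_MANAGERS_ENTITLEMENT,
                                        "elixir:Community:Other group"]}
    near_miss = {"eduPersonEntitlement": [GRID_SITE_MANAGERS_ENTITLEMENT + ":archived"]}
    print("manager  ->", map_elixir_attributes(manager))    # eduPersonAssurance set
    print("near_miss->", map_elixir_attributes(near_miss))  # {} : no exact match
    print("GOCDB allows manager:", gocdb_allows_access(map_elixir_attributes(manager)))
```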

AppDB access

Authorisation of ELIXIR users is based on the relevant entitlements returned by the ELIXIR AAI IdP and passed on through the EGI AAI proxy:

                       Attribute             Value(s)
Input from ELIXIR AAI  eduPersonEntitlement
Output from EGI AAI    eduPersonEntitlement

Plans

  • Integrate EGI registry sign up process in the workflow