This page is about a service offered by SURF (in development; production slated for Q3 2020) that makes it easier for research collaborations to set up and manage access to the (data and compute) services they need for their projects. Using our service saves those collaborations time and enables them to spend more time on research instead of managing infrastructure. Everybody involved benefits: researchers, providers of services for researchers, and institutions. Anybody is invited to read about the service, but the service is geared towards Dutch-led research projects.

Don't want to read the information below but want to know how this can help you? Or have questions? You can send us an email and we'll set up a call!

Why this service?

Research is more and more about collaboration, as also confirmed in the Dutch NWO 2019-2022 strategy. Researchers who want to collaborate (internationally) and parties that want to offer research facilities to collaborative organisations therefore face the question: how to provide secure access to resources? Researchers have typical access needs that are not taken care of by the current solutions, and they have documented them in the FIM4R documents (Federated Identity Management for Research). We address a number of those problems in the SCZ project:

  • Providing access to invited people to the actual resources currently often takes a relatively long time (working with system admins of all resources, setting up 'account management', provisioning etc). 

  • You want to streamline the invitation process (invites, enrollment). When the collaboration grows, there is a need to manage collaboration groups (membership etc).
  • Researchers often want access to 'non-web' services (think of resources accessed via SSH or WebDAV): those are currently not tied to their institutional accounts, which makes access revocation a problem.

  • Research is often international and providing people without an institutional account (eg from companies involved in the research project, 'guest-access') secure access often is a problem.

  • Authorization often is a problem. Group membership can be used to decide on authorization: what is a user allowed to do within a certain service? This requires a solution that can convert the group information into attributes that are subsequently consumed and interpreted by the resources to be shared (eg wikis, compute or data) for authorising users.

Currently, for every new research project the wheel is reinvented to arrange the things mentioned above. Collaborations and research are delayed in the start-up phase because providing access takes time. What if there was a plug-and-play service?

People from around the world have been thinking about how to solve the access issues, a solution was architected, and project SCZ is building an implementation of that international effort.

A great basis for easy and secure access is using the institutional accounts most researchers already have. This allows, for instance, easy set-up, easy validation, and better control when a researcher stops working for an institution.

In the European AARC-project (Authentication and Authorisation for Research and Collaboration) the specific identity and access challenges researchers face are addressed, and they made a clear video about the problem:

https://www.youtube.com/watch?v=Xpwb6BNxNW4

AARC crafted a blueprint architecture that addresses those challenges. SCZ is basically doing an implementation of that blueprint.

We provide an Authentication & Authorisation Infrastructure-as-a-Service focused on the needs of researchers, research projects and providers of resources for researchers. It takes care of user management. The service name: SURF Research Access Management (SRAM). On these pages we describe what the SCZ project and the resulting SRAM-service is about. 

Besides SRAM, which is tailored for Dutch-led research projects, similar AARC-based initiatives exist, like the EOSC-Life AAI and eduTEAMS.

How does SCZ provide a solution?

With the SCZ project, we:

  • ensure that parties who want to share resources can do so by connecting the resource to the SCZ proxy (only once). The SCZ solution takes care, among other things, of making the service available via eduGAIN.

  • provide an environment where institutions and collaborative organisations can quickly request a collaboration group, assign group managers and then manage that group themselves, invite people, etc.

  • provide a possibility to manage specific attributes per collaborative organisation.

  • ensure that people without an edu account can also easily be invited and access the resources, where possible with a higher 'Level of Assurance' than with a social identity.

  • ensure that non-web resources like SSH and WebDAV can be accessed via federated authentication (e.g. an institutional account); for the benefits of federated authentication see "Why federative?".

  • ensure that an institution only has to join the SCZ once in order to give all its researchers (via one or more collaborations) access to the participating services and resources.

To get a better idea of what SCZ wants to offer, here we share the 'user stories' (in broad outline) for which we want to offer a solution with SCZ.

SCZ and Open Access / Open data

Open Access and access regulation mechanisms often go together. Possible scenarios:

  • The research team has every intention to publish lots of data and results at some point, but at the start of or during the research, access has to be limited. SCZ can provide for this.
  • Certain data is available for open access, but for all kinds of reasons, certain other data is only available for authorised users (see for instance page 75, sections 13.2 and 13.4, in the 'RDM Toolkit'). SCZ can provide for that as well.

Schematic overview of the SCZ solution 

Schematically the SCZ can be drawn as follows:

(schematic diagram of the SCZ solution; image not included in this export)

The picture above shows that the research services are linked to the SCZ proxy: these services only have to make and maintain one link. The picture shows the features of the SCZ infrastructure:

  • Connects with eduGAIN so that research services are accessible for researchers at institutions outside the Netherlands.

  • Provides a mechanism (via COmanage) to invite users and manage groups and attributes (a so-called 'Membership Management Service').

  • Provides a solution for people without an edu account to use services (such as via Google and / or other social accounts).

  • Links with SURFconext so that researchers at Dutch institutions can make use of the research services via SURFconext and the SCZ proxy.
  • Provides a solution to securely unlock non-web services.

Video and demo you can try yourself

Wondering what the flow of inviting a user to access a resource via SSH looks like? See the video below, but know that this is just to get an idea, as the environment is developing continuously (if the video doesn't start playing, try opening it full-screen via the icon in the top right corner). The cow sound at the start of the video relates to the name of the company involved in the work on COmanage, Spherical Cow Group, whose name is based on the 'spherical cow', a humorous metaphor for highly simplified scientific models of complex real-life phenomena:

Video: How user enrollment works in COmanage (COmanage enrollment), https://drive.google.com/file/d/0BwSgD_8NVoJcSTd4UmRqc0g1Yk0/preview
Video showing how access to an SSH resource works via COmanage, which is part of the SCZ stack.

People from around the world have been thinking about how to solve these access issues. In the European AARC project (Authentication and Authorisation for Research and Collaboration) the specific identity and access challenges researchers face are addressed, and they made a clear video about the problem (the AARC video linked earlier on this page).


AARC crafted a blueprint architecture that addressed those challenges. SURF has followed up that development with a project (SCZ, Science Collaboration Zone), to develop a service based on the gained insights: SURF Research Access Management, SRAM. SRAM enables you to:

  1. Simply create a group (CO, team) in our Membership Management Service.
  2. Choose and connect the services you need for your collaboration.
  3. Invite your collaborators: as soon as someone accepts the invitation, accounts get created automatically for all connected services.

  4. Easily manage your group: adding or removing a member adds or inactivates accounts in connected services, so only allowed people have access and resources and data are secure and not misused.
  5. Connect to web and 'non-web' services (think of resources accessed via SSH or WebDAV): with SRAM those can be tied to institutional accounts, improving access revocation.

  6. Work with people from all over the world, either through their institutional account or one of the available guest identity providers SRAM offers.

  7. Simply manage authorization. Group membership in SRAM is converted to attributes that can be used by the connected services to decide who can do what.

  8. Improve your security by providing step-up authentication (two-factor etc.).

No more need for zero-hours (nul-uren) accounts that take forever to arrange, stay in existence far too long and often incur unnecessary cost (for licenses, for example). Currently, for every new research project the access wheel is reinvented. Collaborations and research are delayed in the start-up phase because setting up secure access takes time (and IT expertise). What if there was a plug-and-play service? SRAM is delivering just that.

SRAM provides an Authentication & Authorisation Infrastructure-as-a-Service focused on the needs of researchers, research projects and providers of resources for researchers. It takes care of user management. On these pages we describe what SRAM is about.

Besides SRAM, which is tailored for Dutch-led research projects, similar AARC-based initiatives exist, like the EOSC-Life AAI and eduTEAMS.

How does SRAM provide a solution?

  • on the SRAM website researchers can create a collaboration, manage membership, connect services etc.
  • SRAM offers a tool that puts the collaboration in control, while giving others involved enough control as well, and everyone saves time. Who knows better who needs to be in (and out of) the collaboration at what moment, which services everyone needs to use for the research, and what everyone should be allowed to do in connected services? Instead of a PI having to email many people to allow or revoke access, zero-hours contracts, and many hours wasted on managing access instead of doing research: use SRAM.
  • allowing guests from other institutions access to a resource nowadays often leads to just creating temporary accounts in one or more places. SRAM leverages institutional accounts and the existing global educational federated identity landscape. This improves data security (GDPR!), as access is revoked much faster. We're reusing the global institutional account 'telephone book', eduGAIN, so almost everyone with an institutional account can sign in.
  • institutional accounts also offer better identity assurance: institutions check the identity of their researchers. So when someone logs in using their institutional account, everyone has a high level of confidence this is the intended person.
  • we offer people that for any reason can't use an institutional account, like from a company, guest identity providers so they can use that to sign in and collaborate.
  • we offer mechanisms that, together with federated identity, revoke access to data and resources as soon as possible, whereas nowadays people often keep access far too long, among other reasons because no federated identity is used.
  • providers of services for researchers also save time, because technically they have to connect their services to SRAM only once (using open standards like LDAP, OIDC and SAML) and can thereafter easily offer their service to an unlimited number of collaborations and people. Providers can configure and offload simple, repetitive, error-prone user creation tasks, while still being in control over which collaborations are allowed access etc.

  • institutions can decide how their researchers use SRAM, and are offered more insight into the research collaborations their researchers are involved in. Institutions only have to connect (their identity management system, IdP) to SRAM once in order to give all their researchers (via one or more collaborations) access to SRAM. Actual access to participating services and resources is managed by the respective services (without approval of one or more service providers, users of SRAM can't use services). Institutions can use granular authorisation options like authorisation rules and groups (as described in this blog) to limit who can access SRAM with their institutional account, and can for instance have their research support office or data competence center create CO's etc.
  • we make it easier for service providers to allow people from outside of the Netherlands to access resources.

Here we share the 'user stories' (in broad outline) collected when we started developing SRAM.

SRAM and Open Access / Open data

Open Access and access regulation mechanisms often go together. Possible scenarios:

  • The research team has every intention to publish lots of data and results at some point, but at the start or during the research, access has to be limited. SRAM can provide for this.
  • Certain data is available for open access, but for all kinds of reasons, certain other data is only available for authorised users (see for instance page 75, 13.2 and 13.4, in 'RDM Toolkit'). SRAM can provide for that as well. 

Schematic overview of SRAM

Schematically SRAM can be drawn as follows:

(schematic diagram of SRAM; image not included in this export)

The picture above shows that the research services are linked to SRAM: these services only have to make and maintain one link to serve all Dutch-led research collaborations that use SRAM to manage access. The picture shows the features of SRAM:

  • Connects with eduGAIN so that research services are accessible for researchers at institutions outside the Netherlands.

  • Provides a mechanism (via a 'membership management service', like COmanage, Hexaa, Perun or SBS) to invite users and manage groups and attributes.

  • Provides a solution for people without an edu account to use services (guest providers in the Identity HUB, such as via ORCID, eIDAS, social accounts like from Microsoft and Google etc).

  • Links with SURFconext so that researchers at Dutch institutions can make use of the research services via SURFconext and the SRAM proxy.
  • Provides a solution to securely access (web and) non-web services.

Video and demo you can try yourself

A way of logging in is shown in a video at the bottom of the PAM Module page. We've also made a connection to Azure AD VMs, which we show in this video.

You can also try a demo yourself.


How SRAM aligns with GDPR/privacy

Many federated academic services require a few user attributes to successfully complete login, usually name, email, and a persistent user identifier (called the “R&S attribute bundle”). An international program called the Research & Scholarship Entity Category (R&S) was established to meet this need. This program enables federated services serving a research or scholarly purpose to request that their national R&E federation (as InCommon is for the US) “tag” them with the R&S entity category. It also specifies how R&E federation operators vet such requests to ensure that such tags are only applied to appropriate services.
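As an added illustration of two points made on this page, group membership being turned into attributes that a connected service can authorise on (the SRAM feature list above) and the R&S attribute bundle a federated service needs to complete a login (the paragraph just above), the Python below shows how a connected service would check for the bundle, key its local account on the persistent identifier and derive the user's roles from released group values. This is example code written for this page; it is not SRAM, COmanage or any other project's own code. The group attribute name `isMemberOf`, the `urn:example:...` group identifiers and all sample assertions are assumptions constructed for the example; the page does not state which attribute names SRAM releases.

```python
from typing import Dict, List, Mapping, Sequence

# The R&S attribute bundle: name, e-mail and a persistent identifier. These are
# the standard inetOrgPerson/eduPerson attribute names used in academic federations.
RS_BUNDLE = ("displayName", "mail", "eduPersonPrincipalName")

# ASSUMPTION: the name of the multi-valued group-membership attribute. "isMemberOf"
# is a common choice in membership-management deployments; the page does not say
# which attribute SRAM releases, so adapt this to the real attribute name.
GROUP_ATTRIBUTE = "isMemberOf"

Attributes = Mapping[str, Sequence[str]]


def missing_rs_attributes(attrs: Attributes) -> List[str]:
    """Return the R&S bundle attributes that are absent or empty in a received assertion."""
    return [name for name in RS_BUNDLE if not attrs.get(name)]


def authorize(attrs: Attributes, group_roles: Mapping[str, str]) -> Dict[str, object]:
    """Decide whether a federated login may use this service, and in which roles.

    group_roles maps a group identifier released by the membership management
    service to the role it grants within this service. A login whose assertion
    carries none of those groups is denied: when the collaboration manager removes
    a member, the group value disappears from the next assertion and access is
    revoked without the service having to be told.
    """
    missing = missing_rs_attributes(attrs)
    if missing:
        # Never authorise on partial data; the federation/IdP has to release the bundle.
        return {"allowed": False, "reason": "missing attributes: " + ", ".join(missing)}

    # Key the local account on the persistent identifier, never on displayName
    # or mail, which are neither unique nor stable.
    subject = attrs["eduPersonPrincipalName"][0]
    roles = sorted({group_roles[g] for g in attrs.get(GROUP_ATTRIBUTE, ()) if g in group_roles})
    if not roles:
        return {"allowed": False, "subject": subject,
                "reason": "not a member of any collaboration group authorised for this service"}
    return {"allowed": True, "subject": subject, "roles": roles}


# Constructed sample data (not real SRAM output). Multi-valued SAML/LDAP attributes
# are represented as lists of strings.
SERVICE_GROUP_ROLES = {
    "urn:example:co:climate-model:members": "user",
    "urn:example:co:climate-model:admins": "admin",
}

ACTIVE_MEMBER = {
    "displayName": ["A. Researcher"],
    "mail": ["a.researcher@example.org"],
    "eduPersonPrincipalName": ["aresearcher@example.org"],
    "isMemberOf": ["urn:example:co:climate-model:members",
                   "urn:example:co:climate-model:admins"],
}

# The same person after removal from the collaboration: the group values are gone.
REMOVED_MEMBER = {
    "displayName": ["A. Researcher"],
    "mail": ["a.researcher@example.org"],
    "eduPersonPrincipalName": ["aresearcher@example.org"],
    "isMemberOf": ["urn:example:co:other-project:members"],
}

# An identity provider that did not release the full R&S bundle (no mail).
INCOMPLETE_RELEASE = {
    "displayName": ["B. Guest"],
    "eduPersonPrincipalName": ["bguest@guest.example.net"],
}


if __name__ == "__main__":
    for label, attrs in [("active member", ACTIVE_MEMBER),
                         ("removed member", REMOVED_MEMBER),
                         ("incomplete release", INCOMPLETE_RELEASE)]:
        print(label, "->", authorize(attrs, SERVICE_GROUP_ROLES))
```

Because the decision is derived only from the group values present in the current assertion, removing someone from the collaboration in the membership management service revokes their access at their next login without any change on the service side, which is the revocation property the page describes. A missing bundle attribute is treated as a hard failure rather than a reason to fall back on a less reliable identifier.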


Which technical components are used?

Interested in the components used? See Technical overview of SCZ .

COmanage documentation

Curious about how you can get started in COmanage? We have organised the documentation and provide links to it on the page 'End user documentation SCZ COmanage'.

Connecting services

Connecting Services to the SCZ environment describes how to connect services to the SCZ infrastructure. A list of connected services can be found at https://mdq.pilot.scz.lab.surf.nl/role/sp.html .


  • Aug / Sep 2017 - Establish pilot environment
  • Oct / Nov 2017 - Connecting backend systems
  • Oct / Nov 2017 - Set up and test deployment flows
  • Oct-Dec 2017 - Set up and fine-tune access for external people / guests / etc
  • Dec 2017 - Jun 2019 - Pilot with the pilot environment:
    • Access for "ordinary" (pilot) users
    • Finetuning flows
    • Connect more services
    • Develop the platform
  • Jun 2019 - mid 2020 - SCZ phase 3 (service development)

Support

  • Support questions and emails can be directed to scz-support@surfnet.nl .
  • Want to save a URL that will 'always' bring you to the best SRAM (SCZ) info? Use this short URL: https://edu.nl/sram . If at some point this wiki gets replaced by another URL, we'll make sure that short URL will bring you to the new page!
