Researchers who want to collaborate (internationally) and providers of resources who want to offer research facilities to collaborative organisations often face questions related to providing access to resources. It takes valuable time and resources to set up systems to control access and to connect services. The Science Collaboration Zone project (SCZ, FIAM for collaborating researchers) tries to solve a number of issues in the field of authentication, authorization and policies. The SCZ-project wants to offer an "as a service"-solution for authentication and authorization.

This page is for people who want to know more about the infrastructure the SCZ-project is trying to build and pilot. The SCZ is currently being developed by SURF on the basis of use cases and scenarios from a number of institutions. The project also examines whether and, if so, how the SCZ can be offered by SURF as a service.

...

There are a number of specific problems for collaborations between researchers, which we will address in the SCZ-project:

  • Something has to be arranged to invite people who need access to resources (invites, enrollment). There is a need to manage collaboration groups (membership etc).

  • Providing access to invited people to the actual resources currently often takes a relatively long time (need for working with system admins of all resources, setting up 'account management', provisioning etc). 

  • In addition to web-based services, for 'non-web' services (think of resources accessed via SSH or WebDAV) there are currently no possibilities for federated authentication.

  • Giving access to a service to international (in our case non-Dutch) researchers and people without an institutional account (eg from companies involved in the research project) requires a relatively large amount of work.

  • Authorization often is a problem. Group membership can be used to decide on authorization: what is a user allowed to do within a certain service? This requires a solution that can convert the group information into attributes that are subsequently consumed and interpreted by the resources to be shared (eg wikis, compute or data) for authorizing users.

Currently, for every new research the wheel is reinvented to arrange for the things mentioned. Collaborations are delayed in the start-up phase because providing access takes time. The Science Collaboration Zone (SCZ) project wants to offer an "as a service"-solution for authentication and authorization.

...

In the Science Collaboration Zone project, we want to offer a solution:

  • Ensure that parties who want to share resources can do so by simply connecting the resource to the SCZ proxy. The SCZ solution takes care, among other things, of making the service available via eduGAIN.

  • Ensure that non-web resources like SSH and WebDAV can be approached via federated authentication (e.g. institutional account) (for the benefits of federated authentication, see "Why federative?").

  • Provide an environment where institutions and cooperative organisations can quickly request a collaboration group, assign group managers and then manage that group themselves, invite people, etc.

  • Provide a possibility to manage specific attributes per collaborative organisation.

  • Ensure that people without an edu account can also easily be invited and access the resources, where possible with a higher 'Level of Assurance' than with a social identity.

  • Ensure that an institution only has to join the SCZ once in order to give all its researchers (via one or more collaborations) access to the participating services and resources of their collaborations.

To give a better idea of what SCZ wants to offer for the time being, we share here the 'user stories' (in broad outline) for which we want to offer a solution with SCZ.

...

The picture above shows that the research services are linked to the SCZ proxy: these services only have to make and maintain one link. The picture shows the features of the SCZ infrastructure:

  • Connects with eduGAIN so that research services are accessible for researchers outside the Netherlands.

  • Provides a mechanism (via COmanage) to invite users and manage groups and attributes.

  • Provides a solution for people without an edu account to use services (such as via Google and/or other social accounts).

  • Links with SURFconext so that researchers at Dutch institutions can make use of the research services via SURFconext and the SCZ proxy.

  • Provides a solution to securely unlock non-web services.

Wondering what the flow of inviting a user for access via SSH looks like? See the video at the bottom of the End user documentation SCZ COmanage.

...

  • Building a greatest-common-denominator service for use cases and pilots.

  • Building the SCZ technical infrastructure.

  • Drafting the SCZ policy.

  • Testing the SCZ technical infrastructure and policy on the described use cases.

  • Acquiring experience with the SCZ through pilot projects with institutions.

  • Drafting a business case.

Schedule

  • Aug / Sep 2017 - Establish pilot environment
  • Oct / Nov 2017 - Connecting backend systems
  • Oct / Nov 2017 - Set up and test deployment flows
  • Oct-Dec 2017 - Set up and fine-tune access for external people / guests / etc
  • Oct 2017 - May 2018 - Pilot:
    • Access for "ordinary" users
    • Fine-tuning flows
    • Connect more services
    • Develop a platform
  • Q3 2018 - go / no-go for SCZ phase 3 (service development or controlled phase-out)
  • Until the end of 2018 - Regardless of the decision (go or no-go), pilot partners will be supported until the end of 2018.

...

Curious about how you can get started in COmanage? We have organised, and provide links to, the End user documentation SCZ COmanage.

Connecting services

Connecting Services to the SCZ environment describes how to connect services to the SCZ infrastructure.

...

Will this be a SURF service?

SURF is conducting the pilots to also answer this question. In this way, after the pilots, we can draw conclusions about the functionalities: does the SCZ actually solve these problems? We will also have a better idea of the feasibility of offering this centrally and, if so, of the costs (in equipment and people) that are needed to offer such a central infrastructure. In the summer of 2018 we will decide on this based on the experiences with the pilots. Naturally, the pilot partners have considerable influence on this process. Should it be decided not to offer the SCZ as a service, we will enter into a phase-out process with each pilot partner; for example, SURF can help transfer the infrastructure to a local copy that an institution can run locally.

...