EPOS Pilot Description
EPOS is a pan-European collaboration that aims to establish a comprehensive, multidisciplinary research platform for the Earth sciences in Europe. It spans 25 countries and involves 4 international organisations and 256 national research infrastructures. The number of users is expected to grow to a total of 2000. EPOS has already established an AAI prototype with the EGI CheckIn service as an IdP and Unity-IdM as its core. The aim of the AARC pilot is to substantially extend this prototype to meet the full EPOS requirements concerning AAI and to arrive at a more mature, production-grade setup.
The ultimate goal for EPOS is to implement SSO for its users when accessing EPOS services: the so-called Thematic Core Services (TCS; web-based services in specific Earth science domains) and the Integrated Core Services (ICS; general, cross-domain computing and storage resources, user management and the metadata catalogue). TCS and ICS are interconnected by an EPOS interoperability layer.
This abstraction (interoperability) layer will ensure interoperation between the Integrated Core Services (ICS) and the Thematic Core Services (TCS). As an example, cloud services can be provided at the ICS level but in some cases need to be accessed by a TCS. National Research Infrastructures will contribute to the provisioning of TCS services.
The pilot will focus on implementing an architecture according to the AARC BPA, whose central element is an IdP/SP proxy acting as a central AAI hub, based on Unity. Service Providers will be integrated using SAML or OIDC/OAuth2; Identity Providers using X.509, SAML or OIDC.
Thematic Core Services (for example the Anthropogenic Hazard and Computational Seismology domains) will be accessed via the central proxy service.
In addition, a core reference scenario for the pilot will consist of a user being able to access both EGI and EUDAT services with one account and one login process (SSO). Such a use case implies, for example, being able to retrieve seismological data from the EUDAT One Data service and then compute with those data on the EGI infrastructure. This in turn implies a token exchange for the user: either internally, within the given science gateway, or by obtaining a token from One Data and then using the EUDAT B2SAFE or B2STAGE services to move the data to where they can be accessed by an analysis program running on an EGI Federated Cloud virtual machine.
Overall, a simplified workflow for the scenario above is the following: the Seismological Cloud Services talk to the EPOS AAI and obtain the user's credentials; based on those credentials they pull the data, feed the data to EGI and request the data analysis.
A training session for EPOS was provided by AARC NA2 Task 2 and held on March 14, 2018 in Lisbon: "Introduction to AAI concepts and federated access for the EPOS community".
The current setup consists of several scattered services that cannot be accessed through a single sign-on procedure.
The intended AARC AAI setup consists of:
- Unity IdP/SP Proxy
- EPOS Attribute DB
- LDAP
- RCAuth as a Token Translation System