Trust and Internet Identity Meeting Europe
17.-20. Feb 2020: Workshops and Unconference

FIM (ESA - Industry collaboration)

(Marco Leonardi)

Marco: I am not so deep in the perspective of the specific use case. I am working with people that support the tech stuff, but the use case is about a bigger initiative of a space agency. That is coming from 4-5 years at the level of strategy. What we are going to do is no longer to provide data. This is not the scope; it’s to somehow promote the usage of the data and the earth observation services. What we want to do is to promote the proliferation of services. To do this in an economical way, the most important thing is to engage industry and to make industry able to somehow make money from the services. If you are a research community, I can sponsor you to use the platform. It’s developed and engineered and it’s a kind of an overall circle that we are trying to put in place, but in the end we can’t think that all of these services will be under the single hat of the EU space agency; they will come from different companies. The agency is experimenting in collaboration with IOGC, who are responsible for standardizing things between Earth Observation services. But then, at the end, because we want to make services interoperable, which means that some service can talk with another service in some way, there is another layer, and there are many other layers that we need to take care about, because those services could compose a complex workflow. This means that a researcher coming from somewhere can access a place that could be a marketplace; research institutions can give money to them to access. Authenticate himself through what? Not through a commercial platform but through some organization. I want to authenticate with my home organization, enter a platform, check which kind of things I can do, and do that. All of the magic things that happen after that I don’t care about.
I need to say what happened because on one side I am taking care about how to make services to talk to each other and we are working on it, and getting good results but then there is the other player I need to recognize the user and the fact that a specific process has been triggered by the user, because at the end of the day someone has to pay this. Many services, okay, but this needs to be tracked somehow.

I am sure that the info about the user needs to be propagated. What does propagated mean? Another story, but for sure I need to let the user access a portal. If the scientist is a good scientist, he would just open the terminal and do things. What about SAML and these things? Even starting from the portal, we can use SAML and all of these things. This is just to describe the overall use case, but it’s useful for the discussion because I know that there is an additional technological layer but also another one: we can put in place many services, but they need to understand the same processes and information. I don’t want to run from the tech POV, because even having this in place tomorrow I will not be able to use it because of this lack. We need to work on these aspects. There are many initiatives.

Mischa: Everything that you mentioned is based on abstract layers, to give you something on the command line. It doesn’t even have to be one; you can also have a collaboration of NAS and ISA. At that point you get to the business of EGI and EU Data, and they want to be able to use each other’s services. If you have these central components you reduce the crosslinks that you need. The interface is: when a company offers a data storage, what type of auth would they allow you to do, would they require a researcher to use their IdP?

Marco: At the moment, yes. Actually, I am talking about the DIAS platforms, which are thematic platforms for processing, application platforms, and somehow these platforms rely on this processing capability, and this is a part of a big architecture, like ICT resources, knowledge, the stack. But at the end we could not impose the federation requirement because it didn’t fit with the technology, so actually now we have the position where the user accesses the platform and one that you could use as a scientist: an IdM system, and for you as a scientist the layer is transparent, but if you want to access the lower layer directly you have to authenticate at this level. Of course, since the beginning we have had it as a strict requirement. Pathfinder activities: whether these platforms can connect to eduGAIN or not, whether their technology is supporting it, and the answer is NO. The pilot was a success because it failed. But if you want to provide your services, your data that are used for research but also for commercial usage, you can’t avoid supporting eduGAIN. Now they realized that they are not compliant and that they will do something. We did something with the layer above. At this layer we imposed something, an infrastructure that is a Shibboleth infrastructure. This is the situation. We started with this, 7 platforms, 5 DIAS, but then the expectation is to have this kind of platform growing, because we are trying to support and to engage communities. EPOS is a perfect example: at a certain point in time, the federation of communities worked together to build a common platform for the exploitation of data. All communities provide their services through this platform. One of the communities is supported by ISA, one of these thematic platforms. There are other communities with their services. All of these communities have their services; from the tech POV they will be under the same hat, EPOS, but then at the end the services are not federated. This is the point.

M: Auth is completely separated from the communication between servers.

Marco: Let’s separate the attributes for authenticating users from other things. The most important thing is to authenticate the user. If my service needs something, it can ask the user for this if the user agrees. If an attribute is not provided you can’t access the service.

If you have a service you can have an end service doing this management, but what if you have multiple services and you also expect this, you need a central entity, and this is one of the main use cases. A proxy that is connected to the group management systems. Assigned to users in groups.

But you need to have all services in the same infrastructure. Or to at least have them understand what the services are talking about.

Everything fits well in a closed environment. In my view all of these things are a part of an ecosystem.

What can some other service do, how can it talk with another service which is outside? What you can do is that it’s a generic service, and if it follows the same standards and understands the stuff the same way, then no, it’s not a limitation; it doesn’t have to be a limitation.

It doesn’t matter that it’s in the same ecosystem, it follows the standards and you have a trusting education.

It’s what you have with eduGain 2 essentially, having external requirements they can make sure that the auth is right, but you don’t have to belong to the same ecosystem, you have a base trust in what you have and need to know what the assurance level is.

Nikolas: If you have the same infrastructure you need to have the services interpreted.

Alberto: Enable student mobility, and the goal is to make higher edu connect to the eIDAS network, high level of assurance. Erasmus student registration, for example. It’s cumbersome for each to go to the eIDAS federation, so provide a gateway which provides an interface.

That may be a practical limitation: all of these scenarios assume that they are in the browser SSO flow, to type something into a form, and once they talk to each other then you might no longer be in that space and need to find solutions. Machine to machine.

Mischa: Depends where you start. You have goals and portals and services can contact services. Those types of scenarios are easier, start with OAuth flow and get your token.

Marco: Of course, this is interesting and of course without the work proposed this could be done in your local domain because somehow you could agree with your services, you, the agency could have them involved in this, take care of one of the gateways and then what we can do locally is to make everyone to agree to a certain vocabulary. What I would like is to build a tech background capable of supporting the additional support by changing the vocabs and if we are able to build a good technical infrastructure this should be easier to be more independent. We could try starting from more controlled environment by setting this gateway and proxy, thank you for the precious information, because otherwise for the initial activity for this service, single researchers need to go there and spend their voucher by registering in the platforms. Also, because this is much more about research, but we need to provide services. We can’t just wait for the standard solution, we invest a lot to try to standardize all the platforms.

Mischa: The AARC project is going to end; there is a group called AEGIS which has different community representatives in it, that discusses stuff, like people from the US, but a lot of communities are in there. Daria, Life Scientist, but that platform could be good to keep an eye on. AEGIS. If you are an operator of an AAI, then this sounds great. AEGIS is for operators.

Marco: It’s interesting for me to know. Many communities use our observation services so it’s quite difficult to identify the communities. AISCOT is also the same. It’s not a community, it’s more like you have a group of communities.

Nikolas: One last note is we work on M2M use case so probably come up with some concrete guidelines. This is one of the missing parts, web SSO flow works, as many proxies as you want but the non-web machine 2 machine, when you have a multiproxy scenario. EOS hub we will also give a presentation on this. 10th - 12th of April, in Prague.