13-18 March 2016
Academia Sinica
Asia/Taipei timezone

INDIGO-DataCloud: enabling collaboration in an identity-rich world

Mar 15, 2016, 4:20 PM
BHSS, Conf. Room 2 (Academia Sinica)

BHSS, Conf. Room 2

Academia Sinica

Oral Presentation Networking, Security, Infrastructure & Operations Networking, Security, Infrastructure & Operations Session II


Dr Andrea Ceccanti (CNAF-INFN)


INDIGO-DataCloud is an €11m project funded by the EU’s Horizon 2020 programme that harness 23 collaborator institutes from 11 countries. Over a 30 month period, it will develop a data/computing platform targeting scientific communities, deployable on multiple hardware and provisioned over hybrid (private or public) e-infrastructures. It is now commonplace for collaborations within scientific communities to span organisational boundaries, which introduces the possibility for users within a collaboration authenticating using different technologies. In WLCG, a single technology was adopted: X.509. However, due to its overhead, X.509 has seen little use by scientific communities outside of particle physics. Instead most communities use either SAML or OpenID Connect. While the former is more mature and widely available within scientific communities, the latter has the backing of industry. As a result, INDIGO-DataCloud must allow scientists to authenticate with different mechanisms, supporting at least X.509, SAML and OpenID Connect. Once users are authenticated they can interact with many INDIGO-DataCloud services directly. However, some services cannot easily be modified to support direct use of the INDIGO-DataCloud login session. Instead, the agent (a user or an application running on behalf of the user) must obtain the credentials necessary for interacting with the service; for example, an Amazon-S3-like service may require a username and password. We present the INDIGO-DataCloud AAI infrastructure and describe how users can authenticate with X.509, SAML and OpenID Connect, along with how group membership and identity harmonisation are solved. We also describe how delegation between different agents is achieved and how these agents can obtain additional credentials when necessary for interacting with a service.

Primary authors

Dr Andrea Ceccanti (CNAF-INFN) Mr Bas Wegh (KIT) Dr Patrick Fuhrmann (DESY/dCache.org) Dr Paul Millar (DESY)

Presentation materials