Cherenkov Telescope Array

How CTA is deploying elements of the AARC Blueprint Architecture to build an AAI for thousands of astronomers.

The Cherenkov Telescope Array (CTA) will be the major global observatory for very high-energy gamma-ray astronomy over the next decade and beyond. CTA will be operated as an open, proposal-driven observatory, with all data available on a public archive after a predefined proprietary period.

CTA is a collaboration between 1350 scientists and engineers from 32 countries, set up with the mission to direct CTA’s science goals and array design. When in production, CTA will collect the data scientists need to understand the role of high-energy particles in the most violent phenomena of the Universe and to search for annihilating dark matter particles.

The AAI challenge

Preparing the IT infrastructure necessary to process, distribute, analyse and store the Petabytes of data expected annually from the CTA is a huge challenge. Getting an Authentication and Authorisation Infrastructure (AAI) in place to serve thousands of scientists is not simple either.

The current CTA AAI implementation provisions more than 1000 consortium SAML identities and is releasing a persistent and non-reassignable ID as defined by CTA user requirements. The authorisation is performed through a dedicated Attribute Authority which grants the definition, management and provisioning of roles based on groups and subgroups.

How did the AARC project help?

The CTA team set up a pilot to improve their AAI service. The team adopted SaToSa as an Identity Provider / Service Provider proxy (IdP/SP) following the recommendations of the AARC Blueprint Architecture.

The existing CTA user IDs were integrated into COmanage, through a dedicated LDAP COmanage plugin. This created a catch-all IdP for all existing users.

Then, the team implemented a workflow to enroll eduGAIN users in the CTA AAI and give new researchers access to CTA data and services. To do this, the team integrated COmanage with Grouper, a group management tool used by the CTA community to manage Authorization.

Given that COmanage is a comprehensive Attribute Authority, it is possible to enrol users via their IdPs through different configurable workflows.

What was the added value?

For the CTA team, the AARC Blueprint Architecture meant that they don’t have to invent an AAI service from scratch. They saved time building a custom system, based on best practices and tried and tested solutions.

Another advantage was the opportunity of being part of a large community and witness the development of AAIs for a wide set of requirements. This allowed the CTA team to observe real world implementations and their advantages and disadvantages.

The AARC Blueprint Architecture represents the possibility for us to speak with other technological partners using a common language describing AAI and its complex world.

Alessandro Costa, National Institute of Astrophysics (INAF) and CTA.