LIGO Scientific Collaboration
How the LSC community used AARC Blueprint Architecture to support federated identities in their AAI
The LIGO Scientific Collaboration (LSC) is a group of scientists focused on the direct detection of gravitational waves, using them to explore the fundamental physics of gravity, and developing the emerging field of gravitational wave science as a tool of astronomical discovery. Founded in 1997, the LSC is currently made up of more than 1200 scientists from over 108 institutions and 18 countries worldwide.
The AAI challenge
Each member of the LSC is assigned an albert.einstein identity, and they manage this account and their credentials via the my.ligo.org application. The LSC-AARC pilot project was set up to investigate the infrastructure and organisational changes required to support federated institutional identities alongside the existing internal credentials. The goal was to identify the technological components and deploy a pilot service to be used for evaluation.
How did the AARC project help?
The pilot deployed SATOSA and pyFF to create a SAML proxy between the eduGAIN institutional identity providers and the LSC's service providers. SATOSA acts as the central SAML proxy of the project, while pyFF is used to aggregate SAML metadata from eduGAIN and the LSC and to provide the discovery service interface.
This setup allows LSC and Virgo members to use their institutional credentials to access LSC resources directly. Institutional identities are mapped to a user's albert.einstein identity via an account linking step, so that LIGO-specific information (in particular group and identity information) is connected to the user's identity.
The pilot instance was deployed, registered in the eduGAIN metadata, and underwent extensive testing using a number of existing LSC resources. Within the pilot, account linking between institutional identities and a user's LSC identity was performed using a manual administration step.
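The account linking step described above is the security-critical point of the design: it decides which albert.einstein identity an incoming institutional login is treated as. The following is an added example, not code from the LSC, AARC or SATOSA projects, of what a proxy-side linking function can look like. The entityIDs, scoped identifiers, linking table, group names and the internal ligo.org scope are all constructed placeholders; the link key is the (issuer entityID, scoped identifier) pair, the identifier scope is checked against what that IdP is allowed to assert, and LSC group membership is taken only from LSC's own records, never from the institutional assertion. Logins with no link yet are rejected so they can be handled by the manual administration step the pilot used.

```python
from dataclasses import dataclass

# --- Constructed sample data (placeholders, not real LSC data) ----------------

# Identifier scopes each institutional IdP (keyed by its SAML entityID) may
# assert. In a real deployment this comes from the federation metadata
# (shibmd:Scope) that pyFF aggregates from eduGAIN.
ALLOWED_SCOPES = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
    "https://idp.other.example/saml": {"other.example"},
}

# Links created by the manual administration step:
# (issuer entityID, scoped institutional identifier) -> albert.einstein identity.
LINK_TABLE = {
    ("https://idp.example.edu/idp/shibboleth", "jdoe@example.edu"): "john.doe",
}

# LSC-side authoritative group membership, keyed by LSC identity (constructed).
LSC_GROUPS = {
    "john.doe": ["lsc:members", "lsc:data-access"],
}

LSC_SCOPE = "ligo.org"  # assumed scope for the internal identity handed to SPs


class AccountLinkError(Exception):
    """Base class for linking failures."""


class NotLinked(AccountLinkError):
    """No link exists yet: hand the login to the manual administration step."""


class ScopeViolation(AccountLinkError):
    """The IdP asserted an identifier in a scope it is not authorised for."""


@dataclass(frozen=True)
class LinkedIdentity:
    uid: str            # albert.einstein identity
    eppn: str           # scoped form released to LSC service providers
    groups: tuple       # from LSC's own directory, never from the IdP
    linked_from: tuple  # (issuer, institutional identifier) for audit logging


def link_account(issuer: str, attributes: dict) -> LinkedIdentity:
    """Map an institutional SAML assertion to the user's LSC identity.

    `issuer` is the entityID of the eduGAIN IdP that authenticated the user;
    `attributes` holds the released SAML attributes as lists of values.
    """
    values = attributes.get("eduPersonPrincipalName") or []
    if len(values) != 1 or "@" not in values[0]:
        raise AccountLinkError("exactly one scoped eduPersonPrincipalName is required")
    eppn = values[0]
    scope = eppn.rsplit("@", 1)[1].lower()

    # 1. Scope check: an IdP may only assert identifiers in its own scopes,
    #    otherwise one IdP could present another institution's identifier and
    #    inherit the LSC account linked to it.
    if scope not in ALLOWED_SCOPES.get(issuer, set()):
        raise ScopeViolation(f"{issuer} may not assert scope {scope!r}")

    # 2. Link lookup keyed on the (issuer, identifier) pair, never on the
    #    identifier alone.
    key = (issuer, eppn)
    if key not in LINK_TABLE:
        raise NotLinked(f"no albert.einstein identity linked for {key}")
    uid = LINK_TABLE[key]

    # 3. LIGO-specific attributes come from LSC records; any group claims in
    #    the institutional assertion (e.g. isMemberOf) are discarded here.
    return LinkedIdentity(
        uid=uid,
        eppn=f"{uid}@{LSC_SCOPE}",
        groups=tuple(LSC_GROUPS.get(uid, ())),
        linked_from=key,
    )


if __name__ == "__main__":
    # Constructed assertion attributes as the proxy would receive them.
    sample = {
        "eduPersonPrincipalName": ["jdoe@example.edu"],
        "isMemberOf": ["cn=everyone,dc=example,dc=edu"],  # ignored on purpose
    }
    print(link_account("https://idp.example.edu/idp/shibboleth", sample))
```

In a SATOSA deployment this logic would sit in a response micro-service that rewrites the internal attribute set between the eduGAIN backend and the LSC frontend; the function above is deliberately independent of that API so it can be unit-tested on its own.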
Going forward, an instance of COmanage will be deployed to handle the account linking workflow, as well as further aspects of user management currently handled by a number of custom applications. To move the pilot into production, the SATOSA and pyFF services must be deployed in a fault-tolerant manner. The LSC has recently deployed a cloud-based instance of the main Identity Provider, and we will take a similar approach to deploying this suite of components.