dexesESC: Development and EXpansion of Existing Services Associated with the EUROPEAN STUDENT CARD, EUt+ Sofia Week, 18-10 January, 2023

THE EUROPEAN STUDENT CARD INITIATIVE An initiative to help students and higher education institutions on Erasmus+ exchanges by simplifying administrative processes and enhancing digitalisation. It is also crucial to promoting student participation in educational and cultural activities in line with the vision to create a European Education Area by 2025

OpenID Connect Client Registration API for Federated Cloud Platforms

Nowadays, information technology is a key driver in our world. Big cloud federations are aiming to increase their computing power and achieve better results while being scalable. This huge IT systems are managed by multiple users having different roles and at the same time, new services deployment automation is needed to be able to cope with the rising need of resources. This flexibility in deployment has created concerns on the security and the main- tainability of these extensive systems. These requisites have led to start CYCLONE platform, a project focused to provide authentication and authorization services towards services running under control of federated unions of users. CYCLONE, at the moment working as a proof of concept, now allows to authenticate and authorize access to users using one-click-deployment applications against their federation’s credentials. However, actual SSO systems require registration of the services against their Identity Providers in order to provide user validation. In this master thesis, we present two the components of CYCLONE. The first one is a service registration for clients of the OpenID Connect Single Sign-On protocol that allows newly deployed services to be registered automatically against CYCLONE’s SSO component, using RedHat’s Keycloak authentication solution. Based on the real world scenarios that defined the CYCLONE platform, we have designed and implemented a solution alternative to the ones provided by Keycloak, and to evaluate it we have compared it to Keycloak’s alternatives. As a result we have created a simple API implementation from where it’s possible to track who is executing this registrations of new clients, in comparison to the anonymous ones provided by other solutions. The second one is a module that allows easy SSH authorization through the use of CYCLONE’s SSO backend as identity provider and that has been evaluated and tested by one of CYCLONE’s use cases

Architektur und Werkzeuge für dynamisches Identitätsmanagement in Föderationen

Federated Identity Management (FIM) hat die Motivation, Identitätsdaten eines Benutzers von einer Heimatorganisation, d. h. Identity Provider (IdP), einem Dienstbetreiber, Service Provider (SP) genannt, bereitzustellen. Dies ermöglicht zum einen die Vermeidung von Redundanzen und Inkonsistenzen und zum anderen kann der Benutzer viele weitere Dienste nutzen, ohne sich zusätzliche Benutzerkonten merken zu müssen. Mit der Security Assertion Markup Language (SAML) und dem Protokoll OpenID Connect haben sich in Wirtschaft und Research & Education (R&E) zwei Standards etabliert. Durch die vermehrte Vernetzung zeigen sich zunehmend die Grenzen der aktuell eingesetzten Architektur. In dieser Arbeit wird zunächst eine umfangreiche Anforderungsanalyse anhand verschiedener Szenarien durchgeführt, die unterschiedliche Perspektiven auf die Architektur und ihre Anforderungen ermöglicht. Die Schwerpunkte dieser mehr als 70 strukturierten und gewichteten Anforderungen liegen dabei auf der Automatisierung und der Skalierbarkeit, Vertrauen sowie der Interoperabilität. Zudem sollen organisatorische Randbedingungen wie Sicherheits- und Datenschutzaspekte eingehalten werden. Im Rahmen eines umfassenden, gesamtheitlichen Architekturkonzepts wird anschließend eine Managementplattform für dynamisches Federated Identity Management erarbeitet. Neben der Spezifikation des orchestrierten, technischen Metadatenaustausches, der den bestehenden Ansätzen fehlt, fokussiert diese Arbeit auf die organisatorische Eingliederung hinsichtlich des IT Service Managements. Hierbei liegt der Fokus auf Security Management und Change Management. Zur Kompensation weiterer Defizite bisheriger Ansätze werden zwei zusätzliche Werkzeuge spezifiziert, die auf eine optimierte Interoperabilität bestehender FIM-Systeme sowie die Automatisierung und Skalierbarkeit existierender Abläufe abzielen. Eine Beschreibung der prototypischen Implementierung der Managementplattform und der Werkzeugkonzepte mit einer Diskussion ihrer Skalierbarkeit und die methodische Anwendung auf ein realistisches Szenario runden diese Arbeit ab.Federated Identity Management (FIM) has the motivation to provide identity data of users from their home organisation, also called Identity Provider (IdP), to a Service Provider (SP). This facilitates the prevention of redundancy and inconsistency, while users can re-use their home account for other services, without remembering further user accounts and passwords. The Security Assertion Markup Language (SAML) and the protocol OpenID Connect are two well-known standards within the industry sector and research & education (R&E) environment. Due to the ongoing interconnectedness, the limitations of the current architecture are increasingly revealed. In the first part of the thesis, a profound and comprehensive analysis is presented, in order to illustrate different perspectives on the architecture and the requirements. The focus of the more than seventy structured and weighted requirements in the categories function, non-functional, organizational as well as privacy- and security-specific categories lays in the automation and scalability of the approach as well as trust implications and interoperability. As part of the holistic, integrated architecture conceived in this thesis, a management platform for dynamic FIM has been developed. Besides the precise specification of the orchestrated, technical metadata exchange, special emphasis has been put on the organizational integration concerning the IT service management. Dependencies and effects on the security management and change management have been investigated in detail. To compensate further shortcomings of existing approaches, two new FIM components have been specified, which enhance the interoperability between FIM systems in heterogeneous identity federations, as well as the scalability and automation of existing workflows. The thesis is concluded with a description of the prototypical implementation of the management platform and the tool concepts as well as a discussion on their scalability characteristics and the application of the architecture to a realistic scenario

Architektur und Werkzeuge für dynamisches Identitätsmanagement in Föderationen

Federated Identity Management (FIM) hat die Motivation, Identitätsdaten eines Benutzers von einer Heimatorganisation, d. h. Identity Provider (IdP), einem Dienstbetreiber, Service Provider (SP) genannt, bereitzustellen. Dies ermöglicht zum einen die Vermeidung von Redundanzen und Inkonsistenzen und zum anderen kann der Benutzer viele weitere Dienste nutzen, ohne sich zusätzliche Benutzerkonten merken zu müssen. Mit der Security Assertion Markup Language (SAML) und dem Protokoll OpenID Connect haben sich in Wirtschaft und Research & Education (R&E) zwei Standards etabliert. Durch die vermehrte Vernetzung zeigen sich zunehmend die Grenzen der aktuell eingesetzten Architektur. In dieser Arbeit wird zunächst eine umfangreiche Anforderungsanalyse anhand verschiedener Szenarien durchgeführt, die unterschiedliche Perspektiven auf die Architektur und ihre Anforderungen ermöglicht. Die Schwerpunkte dieser mehr als 70 strukturierten und gewichteten Anforderungen liegen dabei auf der Automatisierung und der Skalierbarkeit, Vertrauen sowie der Interoperabilität. Zudem sollen organisatorische Randbedingungen wie Sicherheits- und Datenschutzaspekte eingehalten werden. Im Rahmen eines umfassenden, gesamtheitlichen Architekturkonzepts wird anschließend eine Managementplattform für dynamisches Federated Identity Management erarbeitet. Neben der Spezifikation des orchestrierten, technischen Metadatenaustausches, der den bestehenden Ansätzen fehlt, fokussiert diese Arbeit auf die organisatorische Eingliederung hinsichtlich des IT Service Managements. Hierbei liegt der Fokus auf Security Management und Change Management. Zur Kompensation weiterer Defizite bisheriger Ansätze werden zwei zusätzliche Werkzeuge spezifiziert, die auf eine optimierte Interoperabilität bestehender FIM-Systeme sowie die Automatisierung und Skalierbarkeit existierender Abläufe abzielen. Eine Beschreibung der prototypischen Implementierung der Managementplattform und der Werkzeugkonzepte mit einer Diskussion ihrer Skalierbarkeit und die methodische Anwendung auf ein realistisches Szenario runden diese Arbeit ab.Federated Identity Management (FIM) has the motivation to provide identity data of users from their home organisation, also called Identity Provider (IdP), to a Service Provider (SP). This facilitates the prevention of redundancy and inconsistency, while users can re-use their home account for other services, without remembering further user accounts and passwords. The Security Assertion Markup Language (SAML) and the protocol OpenID Connect are two well-known standards within the industry sector and research & education (R&E) environment. Due to the ongoing interconnectedness, the limitations of the current architecture are increasingly revealed. In the first part of the thesis, a profound and comprehensive analysis is presented, in order to illustrate different perspectives on the architecture and the requirements. The focus of the more than seventy structured and weighted requirements in the categories function, non-functional, organizational as well as privacy- and security-specific categories lays in the automation and scalability of the approach as well as trust implications and interoperability. As part of the holistic, integrated architecture conceived in this thesis, a management platform for dynamic FIM has been developed. Besides the precise specification of the orchestrated, technical metadata exchange, special emphasis has been put on the organizational integration concerning the IT service management. Dependencies and effects on the security management and change management have been investigated in detail. To compensate further shortcomings of existing approaches, two new FIM components have been specified, which enhance the interoperability between FIM systems in heterogeneous identity federations, as well as the scalability and automation of existing workflows. The thesis is concluded with a description of the prototypical implementation of the management platform and the tool concepts as well as a discussion on their scalability characteristics and the application of the architecture to a realistic scenario

Helmholtz Portfolio Theme Large-Scale Data Management and Analysis (LSDMA)

The Helmholtz Association funded the "Large-Scale Data Management and Analysis" portfolio theme from 2012-2016. Four Helmholtz centres, six universities and another research institution in Germany joined to enable data-intensive science by optimising data life cycles in selected scientific communities. In our Data Life cycle Labs, data experts performed joint R&D together with scientific communities. The Data Services Integration Team focused on generic solutions applied by several communities

Towards Interoperable Research Infrastructures for Environmental and Earth Sciences

This open access book summarises the latest developments on data management in the EU H2020 ENVRIplus project, which brought together more than 20 environmental and Earth science research infrastructures into a single community. It provides readers with a systematic overview of the common challenges faced by research infrastructures and how a ‘reference model guided’ engineering approach can be used to achieve greater interoperability among such infrastructures in the environmental and earth sciences. The 20 contributions in this book are structured in 5 parts on the design, development, deployment, operation and use of research infrastructures. Part one provides an overview of the state of the art of research infrastructure and relevant e-Infrastructure technologies, part two discusses the reference model guided engineering approach, the third part presents the software and tools developed for common data management challenges, the fourth part demonstrates the software via several use cases, and the last part discusses the sustainability and future directions