The EIDA Authentication System: a federated approach to AAI for the scientific community
EIDA is a collaborative network of seismological data centres aimed at securely storing seismic waveform data and metadata collected by European research infrastructures. Established over a decade ago, the federation now comprises 12 European data centres, with two more expected to join in the coming months.
EIDA's data can be accessed either through smart clients or programmatically via a standard API exposed by each data centre. Initially this posed a problem for users, who had to know which centre hosted a given dataset before they could query it. The problem was resolved with the creation of a Routing Service, which directs smart clients to the data centre holding the requested data and so presents the federation to the user as a single virtual data centre.
The Scientific Challenge
In Europe, EIDA rapidly emerged as the go-to platform for sharing seismic waveforms within the seismological community. Enhanced Data Management Policies allowed for early-stage archiving of datasets, such as during embargo periods, with restricted user access until the data became fully open. Initially, individual data centres managed user permissions through their own access control lists.
However, European projects began generating large datasets that had to be archived across several data centres, and managing user permissions separately at each centre became untenable: every centre would have had to hold, and keep in sync, its own copy of the access control list. To address this, EIDA sought a technical solution for federated authentication. This removed the need to synchronise access control lists between data centres, and with it the associated security risks, the potential GDPR exposure of replicating personal data, and the multiple points of failure.
Who benefits and how?
The service outlined in this use case is available to any member of the seismological community for accessing restricted datasets. Although its use is entirely optional, nearly 600 users are registered and actively using the service. We encourage its adoption even for open data, as it enhances our statistical analysis and provides insights into dataset usage patterns.
Through this system, users obtain a token from the EIDA Authentication System (EAS). The EAS communicates with a backend B2ACCESS instance to authenticate the user and then generates the token. Users save the token locally and present it through any of the smart clients to access both open and restricted datasets at every data centre.
The German Research Centre for Geosciences (GFZ) initiated the development of the EIDA Authentication System (EAS) between 2016 and 2017. The EAS features a straightforward web interface allowing users to request a personal token for accessing EIDA services. Behind the scenes, EAS connects to the B2ACCESS service hosted by Forschungszentrum Jülich (FZJ). Through B2ACCESS, users can authenticate by logging in via their home institutions, facilitated by the global eduGAIN initiative.
Upon successful login, the system returns basic user attributes. One key advantage of using B2ACCESS and eduGAIN is the flexibility it offers in terms of data privacy; users and institutions can decide how much information to share, in compliance with varying regulations like GDPR.
The EAS then issues a digitally signed token to the user. Beyond the identity attributes, the token incorporates authorisation details managed through FZJ's "upman" solution, a graphical interface for administering user groups and the permissions attached to them. Because the token carries these attributes, a data centre that receives it already has everything it needs to grant or deny access to a dataset; it has only to verify the signature and consult its own mapping of datasets to groups.
This interface for managing the federated access control list is user-friendly and can be operated by anyone responsible for the task, from data centre operators to researchers publishing restricted datasets. A change takes effect at all data centres as soon as the user requests a new token; a token already issued cannot be altered after signing, so it keeps the memberships it was signed with until the user replaces it.
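To make the flow concrete, here is an added example in Go (not EAS, B2ACCESS or upman code; the page does not publish the real token format) that models both halves described above: an issuer that signs a JSON set of user attributes and group memberships, and a data centre that verifies the signature, checks the validity period and decides access from the groups in the token against its own dataset-to-group list. Ed25519, the field names (`sub`, `memberof`, `iat`, `exp`), the dot-separated base64url layout, the network code `1A` and the group names are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the user attributes the issuer places in a token. Field names
// are assumptions for this example; the real EAS layout is not on the page.
type Claims struct {
	Subject   string   `json:"sub"`
	Groups    []string `json:"memberof"`
	IssuedAt  int64    `json:"iat"`
	ExpiresAt int64    `json:"exp"`
}

// IssueToken is the issuer side: serialise the claims and sign them with the
// issuer's Ed25519 private key. Layout: base64url(JSON) "." base64url(sig).
func IssueToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// VerifyToken is the data-centre side. The signature is checked before any
// claim is parsed, so a token whose attributes were edited is rejected outright.
func VerifyToken(pub ed25519.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// ACL is the list a data centre holds: restricted dataset (here an FDSN
// network code) -> groups allowed to read it. Datasets not listed are open.
type ACL map[string][]string

// Authorize decides from the verified claims alone; no per-centre user list
// is consulted, which is the point of the federated design.
func Authorize(acl ACL, c *Claims, dataset string) bool {
	allowed, restricted := acl[dataset]
	if !restricted {
		return true
	}
	for _, g := range c.Groups {
		for _, a := range allowed {
			if g == a {
				return true
			}
		}
	}
	return false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample user: member of one project group, token valid 1h.
	tok, _ := IssueToken(priv, Claims{Subject: "jane.doe@example.org",
		Groups: []string{"project-1A"}, IssuedAt: now.Unix(),
		ExpiresAt: now.Add(time.Hour).Unix()})
	acl := ACL{"1A": {"project-1A"}, "2B": {"project-2B"}}
	c, err := VerifyToken(pub, tok, now)
	if err != nil {
		panic(err)
	}
	for _, net := range []string{"1A", "2B", "GE"} {
		fmt.Printf("%s: access=%v\n", net, Authorize(acl, c, net))
	}
}
```

The data centre needs only the issuer's public key and its own dataset-to-group list; the user's identity and memberships travel inside the token, and any edit to them invalidates the signature. Because the memberships are frozen at signing time, a group change becomes visible only when the user fetches a fresh token, which is why the example also rejects tokens past their `exp`.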
This system has enabled us to offer a complete federated authentication and authorisation solution across all our European data centres. The approach has garnered interest from significant data centres outside Europe and is being adopted internationally, potentially setting the stage for a future global standard through our International Federation of Digital Seismograph Networks (FDSN).