ELIXIR EGA AAI PILOT Mikael.Linden@csc.fi, project manager VAMP - - PowerPoint PPT Presentation

European Life Sciences Infrastructure for Biological Information www.elixir‐europe.org

ELIXIR EGA AAI PILOT

Mikael.Linden@csc.fi, project manager VAMP workshop 6th Sep, 2012

Outline

• EBI, EGA and Nordic Control database
• Pilot goals
• Pilot 1: Federated authentication
• Pilot 2: Authorisation management
• Snapshots from the REMS tool

EBI‐European Bioinformatics Institute

• Academic research institute ‐ part of EMBL

– European Molecular Biology Laboratory – Funded by 20 European countries, EC, NIH etc – ”The CERN for bioinformatics”

• Located in Hinxton, Cambridge, UK
• Hosts databases for bioinformatics, e.g.

– EMBL‐bank (DNA and RNA sequences) – Ensembl (genomes) – UniProt (protein sequences)

• Mission is to support science by providing maximal

access to data stored at the institute.

European Genome‐phenome Archive (EGA)

• One of the EBI services
• Stores any data where informed consent requires

controlled access (AuthN&AuthZ needed)

• 8/2012: 323 datasets, 370TB, 200.000 samples

– Growth rate is very fast at the moment

• Access to datasets granted by a Data Access

Committee (DAC)

– DACs nominated by the original data owners – 8/2012, 68 DACs around Europe and beyond – EGA acts as a secure broker

• www.ebi.ac.uk/ega

Nordic Control Database (NCDB)

• 6000 samples from DK, EE, FI and SE
• Collected and deposited to EGA by the Nordic Center of

Excellence in Disease Genetics

• http://nordicdb.org/

ELIXIR EGA AAI pilot

• Common project for EBI, CSC and FIMM
• Funded by ELIXIR

– EC project building infrastructure for biological information in Europe

• 4/2012‐4/2013

Project goals

Pilot 1: federated authenticaton

• Allow EGA data users to use their federated identity

for requesting services from the EGA

• Remove user’s temptation to share their uid/pwd
• Ensure access ceases when the user departs from

the Home Organisation Pilot 2: authorisation management tool for NCDB

• A workflow tool for applicants and DACs
• Reporting on access rights
• Reporting on scientific publications made based on

the datasets

Pilot 1: Current authentication

Pilot 1: expected outcome

• Integrate EGA web portal to SAML2 SP
• EBI to join Haka federation and register EGA as an

SP to Haka

– And possibly expose to an interfederation, such as Kalmar Union or eduGAIN

Pilot 2: NCDB application workflow

Resource Entitlement Management System

Metadata

• n R1&R2

REMS Workflow Reports Catalogue Resource 2 Resource 1 Owner1 Owner2 Researcher2 Researcher1 research group Principal Investigator Researcher3 SP IdP IdP IdP

Apply for access Circulate to owner Approve application Use

European Life Sciences Infrastructure for Biological Information www.elixir‐europe.org

Screenshots from REMS

Disclaimer: Work in progress!

Creating a workflow for a dataset

Resource (dataset) owner:

• 1. Adds a new dataset to REMS
• 2. Create a workflow for the dataset
• License of the dataset (applicant

needs to accept it)

• Reviewer(s) of the application
• Approver(s) of the application

Filling in an application

Research group leader (Principal Investigator):

• 1. Identifies the dataset(s) to

apply access for

• 2. Identifies the members of

the research group

• 3. Provides contact

information etc

• 4. Attaches a research plan to

justify the application

• 5. Submits the application

Reviewers’ and approvers’ view

• Reviewer(s) can comment the application
• Approver(s) can approve or reject the application

Using the access rights, alternatives

• 1. REMS as a SAML proxy
• Injects an eduPersonEntitlement to the SAML assertion
• 2. REMS as a SAML AP
• Return an eduPersonEntitlement to an attribute query
• 3. REMS as XACML PDP
• Argus

IdP Dataset REMS web portal

SAML proxy SAML AP Argus

REMS intends to be a generic tool

• Applying access to any resources

– Identified by an identifier

• Complex workflows
• Several members in one application
• License terms for resources
• Federated authentication
• Reporting
• The aim to release on an OS license