Fourth workshop on Federated Identity Management for Scientific Collaborations

Bob Jones (CERN) , Daan Broeder (Max-Planck Institute for Psycholinguistics)
This workshop is the fourth in a series that started in summer 2011 to investigate Federated Identity Management (FIM) for scientific collaborations. The first workshop was held at CERN in June 2011, the second at RAL in November 2011 and the third at ISGC in February 2012. Through these workshops, several research communities have converged on a common vision for FIM, enumerated a set of requirements and proposed a number of recommendations for ensuring that a roadmap for the uptake of FIM is achieved. These points have been documented in a paper for which comments are welcome. An objective of this workshop is to gather feedback from the research communities on the recommendations and roadmap described in the paper, with the intention of endorsing the common vision. The organisational and financial aspects of ensuring a common FIM will also be addressed.
The first day of the workshop was intended to give an overview of current FIM & AAI work, including from organizations and stakeholders outside the FIM group, while the second day was dedicated to community reports and discussions on next steps.

Thursday June 21

Daan Broeder gave a short introduction to the workshop, explaining that since the Social Sciences & Humanities were hosting the event, there would be more invited presentations from those disciplines. Another focus of this workshop is FIM sustainability, especially its organizational and financial issues. The status of the FIM report and further steps will of course also be discussed.
Welcome to the MPI for Psycholinguistics
Peter Wittenburg gave an introduction to the Max-Planck Institute for Psycholinguistics, the hosting organization. He explained that the institute's 200 researchers frequently collaborate with external partners, and that these collaborations often concern sensitive materials to which access has to be restricted, so security is an issue.
FIM paper status, Bob Jones
Bob gave an overview of the current status of the FIM report, explaining the origin of the initiative in 2011 and the issues that what is now informally called the FIM group wants to tackle. The FIM report presents a vision of the role of FIM, gives a number of recommendations to different stakeholder groups and describes a number of community FIM pilot projects. The paper is now available for comments and the work has been presented at a number of workshops.

The Manifesto; requirements of Research Infrastructures and FIM, Peter Wittenburg, MPI for Psycholinguistics
Peter Wittenburg gave a presentation on the ICRI manifesto "A New Global Data Generation", a short document supported by many (ESFRI) research infrastructure initiatives that was launched at the ICRI meeting in Copenhagen earlier this year. The Manifesto is addressed to the EC, the member countries, infrastructure projects and institutes, urging them to arrive at sustainable solutions for sharing in e-science scenarios and to hold more discussions and coordination to achieve this. AAI is one important item specifically mentioned in the manifesto. He ended the presentation with a slide stating that the FIM initiative is very good, but that more is needed. (Peter mentioned some dates for conferences and web sites that are copied at the bottom of this summary.)
An industry perspective on FIM and Open Data Centre Alliance work, Mike Symonds ATOS
Mike Symonds from ATOS gave a presentation in which he raised a number of issues. Firstly he introduced the Open Data Center Alliance, a cloud user group of important players that will not create standards but will provide requirements. He also introduced "Helix Nebula", an initiative to create an EU cloud usable for EU research, and indicated how FIM is relevant to it. Thirdly he put forward that the contribution of industry to FIM for research is that industry knows how to deliver services, including organizational and business models.
Organizational issues at the NREN level for FIM, Wolfgang Pempe DFN
Wolfgang Pempe from the DFN talked about the role of a national Identity Federation (IDF) in FIM. He explained the legal issues concerning a national IDF joining eduGAIN and the opt-in/opt-out policy issue. eduGAIN currently has 90 SPs and IdPs; it is technically homogeneous but policy heterogeneous. Concerning the separation of identity and authorization attributes, he is unsure how the authorization attributes get updated by the home organization.
FIM and Access Management for the Max-Planck Society, Ramin Yahyapour, GWDG/MPG
Ramin is the director of the GWDG, one of the two big MPG compute centers. He gave a comprehensive overview of the FIM-related issues within a big research organization such as the Max-Planck Society (MPG). The MPG is an organization of 80 institutes that requires internal collaboration for many different services, from SAP & E-procurement to wifi roaming, while the individual MPG institutes all want to keep their autonomy. A special IDF for access to publisher resources is maintained by the MPDL (Max-Planck Digital Library). Ramin presented a few possible infrastructure and funding models to support FIM within the MPG, but currently only a limited number of MPG institutes support FIM. In the discussion afterwards it was pointed out that the situation is similar in some countries such as Denmark, and these may serve as inspiration.

FIM: Status and Perspectives of EGI, Gergely Sipos
Gergely spoke about the 45 National Grid Initiatives (NGIs) that are using X.509 certificates to control access to resources and services such as the EGI cloud, but noted that alternative schemes are used to provide access at a federated level. The question remains whether Short Lived Certificate Services (SLCS) can be a sustainable solution for a federated ID implementation.
TERENA & EC activities on FIM, Licia Floria TERENA
Licia Floria presented the work of an EC-funded AAA study looking into issues such as the feasibility of harmonizing existing AAIs and the requirements of researchers in data sharing, usage and access, and identifying obstacles and legal issues. There are recommendations, not very different from those in the FIM paper, that should be taken up by the EC, whereupon there can be a call for a design. There will be a workshop in Brussels on July 12, where many representatives of stakeholder organizations can discuss the report.
Licia offered to prepare a joint proposal by TERENA and the FIM group for EC funding to improve the FIM situation. In the end the FIM group, although welcoming cooperation, preferred common projects to be guided through the communities (e.g. FIM pilot projects) rather than to be involved itself.
GEANT Data Protection Code of Conduct, Mikael Linden, CSC
Mikael presented the Data Protection Code of Conduct for SPs (DPCoC), an agreement that can make it easier for IdP administrators to permit linking their users to the SPs available via eduGAIN. Currently the administrators are reluctant to have their users' attributes released to any SP, especially across national borders.
There will be a pilot project with a few IDFs, TERENA and SPs trying to ascertain the suitability of the DPCoC; public consultation on the DPCoC content starts now.
FIM shortcomings revealed, Michal Prochazka, CESNET
Michal Prochazka (replacing Ludek Matyska) gave a presentation on shortcomings of FIM at different levels, both technical (configuration) and administrative (scaling, legal). This was based on the experience of trying to make a pathological atlas service available within 15 national identity federations. He presented a possible solution, "Aditi", that is somewhat similar to CardSpace but relies on SAML to collect user attributes from different IdPs in "cards".
Contrail and FIM, Phil Kershaw, STFC
Phil Kershaw presented Contrail, an EC project aimed at providing access to cloud services and resources using existing IDFs. It is also intended to support commercial cloud providers. According to Phil, Federated Identity as a Service (FIMaaS) is still far away, due mainly to policy issues rather than missing technology. He also mentioned the 'delegation problem', where automated services call on other services on behalf of a user, a problem shared with other projects (such as CLARIN) and for which no satisfactory solution has yet been found. Phil claimed that SLCS and OAuth 2.0 offer the best chance of solving this.

Friday June 22

DARIAH FIM experiences and plans, Peter Gietz, DAASI International GmbH
This presentation was about the DARIAH ESFRI project, which is aimed at providing research infrastructure for the wider humanities. DARIAH is not built around physical centers but rather uses the concept of virtual expertise centers, each a collaboration between several institutes. A first version of the DARIAH AAI uses LDAP for authentication and authorization and federates via Shibboleth. DARIAH also supports a 'home for the homeless', an IdP for users without an academic affiliation. DARIAH found that the use of the SAML ECP profile for non-web clients or delegation purposes is not widely possible, since it is only supported by the DFN-AAI (officially) and two IdPs in the UK. He stated that eduGAIN needs improvement before it becomes usable, and that the FIM infrastructure itself will probably take some years to mature.
CESSDA PPP and FIM, Ornulf Risnes, NSSDS
This presentation explained the AAI work done in CESSDA, a long-standing cooperation of 21 Social Sciences institutes across Europe. Some experiments were done in cooperation with the UK and Norwegian federations. However, Ornulf does not see any possibility of rolling out a common AAI system for CESSDA in the medium term, for political and legal reasons. The effort is seen as too high compared to the expected results; many of the CESSDA institutes are relatively small and cannot spare the human resources to manage complicated AAI software.
User attributes: who, where, how many? Daan Broeder, MPI for Psycholinguistics
This presentation was an attempt to bring some order to the different types of attributes that users need in order to participate in research infrastructures and get access to resources and services. An inventory of possible attribute providers was presented, along with a discussion of the scaling problems involved. In the subsequent discussion there was general agreement on promoting the principle of subsidiarity with respect to attribute management where possible.
FIM and the Photon/Neutron Community, Heinz Weyer, PSI
Heinz Weyer gave a report on the feedback from his community on the FIM report. Approval was limited, because there is already a decent working environment for present-day demands, the scientists are conservative, and IT issues are not at the top of their priority list. However, the users do expect the experts to come up with solutions when needed. He advocated a dual top-down and bottom-up procedure to bring things forward: a common approach to policies and the pursuit of synergies should be combined with consideration of real use cases. New social media such as Facebook should also be considered for sharing information.

CLARIN: status of FIM, Dieter van Uytvanck, MPI for Psycholinguistics
Dieter gave an overview of the current status of FIM and AAI in CLARIN, and especially in the German national CLARIN project. Registering SPs with multiple federations does not scale very well, and the situation is made worse by the opt-in policies that some federations have. Also, the official federation policies with respect to the required release of attributes are often not complied with (DFN).
FIM for HEP, David Kelsey, CERN
The FIM paper was presented to HEPiX and was also presented to and endorsed by the Worldwide LHC Computing Grid (WLCG) management board. There are two proposals for FIM pilot projects: (1) using a collaborative Web application, and (2) a service enabling access to WLCG Grid resources using home-issued credentials while hiding the use of X.509 certificates from the user.

General FIM discussion

· In the general discussion afterwards, it was decided to add one extra recommendation to the paper: "EC funded e-infrastructures (EGI, GEANT, EUDAT, PRACE) should work together on supporting FIM for researchers". The FIM group will propose to the ESFRI cluster projects (BioMedBridges, CRISP, DASISH, ENVRI) that FIM is the first subject on which they could work together. All the authors of the FIM paper are from organizations participating in one of these ESFRI cluster projects.
· The representation of the communities within FIM may need to increase, since they may want to have every individual ESFRI project involved.
· The FIM group needs to determine how it will engage with policy bodies such as IGTF, REFEDs, the Global Data Initiative, etc.
· A suitable name and web presence should be arranged for FIM. FIM4R (FIM for Research) was chosen.
· With respect to the TERENA offer for further cooperation with the FIM group:
    · the research communities welcome a written response to the FIM paper from TERENA before Sept 2012;
    · the research communities are willing to work with TERENA and the NRENs to review and prioritize requirements;
    · the research communities will contribute input to GEANT3+ project proposals, with a focus on improving eduGAIN and linked to the pursuit of pilot projects. In addition to the FIM paper, we will provide descriptions of our pilot projects, the effort that is being invested in them and the foreseen milestones.
· The Photon/Neutron community will host a FIM workshop at the Paul Scherrer Institute, Villigen, Switzerland on 20-21 March 2013, associated with the CRISP annual meeting. We will discuss with the Life Sciences community whether they want to host a FIM workshop.
· We should engage with the research community in North America, as was done with the Asian communities through the workshop held in Taipei. Perhaps the Global Data event to be held in Washington on 2-3 October can accommodate a FIM workshop. (NOTE: In the meantime this idea proved impractical.)

Relevant conferences, documents and websites.

· DAITF:
· ECRI Manifesto:
· eIRG workshop on global data, 3-4 Dec, Amsterdam
· EU preparation for global data workshop, 24 Sept, Garching/Munich
· Global data event, 2-3 Oct, Washington
· EGI Authentication Solutions Report:
· EGI Technical Forum AAI workshop, Prague, 17-21 Sept
· Data Protection Code of Conduct:
