Integration of new cohort infrastructures to the ELIXIR AAI

In order to support collaborative research utilising the enormous quantity of data spread across the world, we need a methodology to properly identify a researcher and manage their access to this data. In the CINECA project, one of the key goals is to enable access to cohorts' data by researchers from various research projects. A proper authentication and authorisation infrastructure (AAI) is the core building block which ensures user identification and controls access to the data. Fortunately, we do not need to build an AAI from scratch, as there are existing AAIs within the life science communities. One of the most advanced AAIs has been developed in the ELIXIR research infrastructure: the ELIXIR AAI. The ELIXIR AAI has features which support access control to sensitive human data, and ELIXIR is open to providing its services, including the ELIXIR AAI, to other communities. The CINECA project has decided to leverage the ELIXIR AAI because it supports all the necessary requirements for our AAI, so CINECA can start onboarding services and users almost immediately. Because, in addition to European cohorts, CINECA includes Canadian and African cohorts, we need to provide them with a way to integrate with the ELIXIR AAI using their existing AAI approaches. In this blog post, we briefly describe the process of integrating the ELIXIR and CanDIG AAIs. The post also includes a list of integrated services.

ELIXIR AAI Introduction


The ELIXIR AAI provides services for data providers and authorities for researcher identification, authentication and authorisation. ELIXIR AAI assigns each end user a permanent unique identifier (ELIXIR ID), which allows end users to use the same credentials (e.g. home university username and password) to log in to services that belong to ELIXIR. Data access rights and resource allocations are stored as part of the identity. The ELIXIR AAI allows authentication against services associated with the ELIXIR research infrastructure, and in the long term it can be used with other research infrastructures and e-infrastructures. There is also ongoing activity to migrate the ELIXIR AAI into the LifeScience AAI, which will provide exactly the same services across the wider life sciences research community in Europe.

The authentication of the identity is done by external authentication providers, such as eduGAIN, Google, LinkedIn and ORCID. The ELIXIR service providers hosting sensitive data require an added level of assurance regarding user authentication, therefore ELIXIR AAI provides various levels of user verification. For the most sensitive data and computing services, two-factor authentication is also available. 

User authorisation to access services can be based on many factors. For some services, authorisation is based on the user's current affiliation. This user information can be received from the Identity Provider of the user's Home Organisation. For other services, the user's authorisation and profile are based on their group memberships, which are managed by the Perun software integrated into the ELIXIR AAI. ELIXIR uses the GA4GH concept of "a bona fide researcher", where the researcher may use various mechanisms to demonstrate their researcher status, such as other users vouching that they are a member of the scientific community in good standing, and therefore eligible to access the services. The most sensitive services, such as access to human genome datasets, require presenting a research plan to a Data Access Committee (DAC). The REMS software integrated into the ELIXIR AAI supports the application process in conjunction with the GA4GH Passport and AAI standards, which are also supported by the ELIXIR AAI.


More information about the ELIXIR AAI can be found in the following article: Linden M, Procházka M, Lappalainen I et al. Common ELIXIR Service for Researcher Authentication and Authorisation. F1000Research 2018, 7(ELIXIR):1199 (https://doi.org/10.12688/f1000research.15161.1)

How to connect service to the CINECA/ELIXIR AAI

The registration procedure is described here: Documentation for service providers in CINECA.

CanDIG AAI Introduction


Fundamental to CanDIG is analysis at national scale over locally controlled data. The CanDIG platform is completely distributed, with no central infrastructure to maintain or secure. Researchers need to be able to readily discover, access, and analyse this information, possibly jointly across sites, while allowing the data stewards to ensure the security and privacy of their data.

CanDIG does this by building on established or in-progress projects elsewhere such as OpenID Connect for AAI, and using tools like Keycloak as Identity Providers and Brokers. OpenID Connect enables CanDIG to maintain researcher identities locally, i.e. on-site, while allowing for OIDC Claims to be embedded and/or fetched that provide authorisation. These claims allow data stewards to authorise researchers who belong to an institution but need access to a project which may involve more sites than just their own (i.e. prove the “bona fide researcher” status).

For more information, please see CanDIG’s architecture page.

The reason for interoperability between CanDIG and ELIXIR is to facilitate cross-continental genomic data sharing. CanDIG is the federated system that facilitates this on the Canadian side while ELIXIR is the European counterpart. There are some key differences in the approaches, where CanDIG is fully distributed but ELIXIR has a more central identity infrastructure. This work is done to showcase that with modern tooling and standards, interoperability between the two systems can be achieved to share data and analyses.

CanDIG AAI to ELIXIR AAI Integration

Premise

A researcher wants to be able to log into the CanDIG environment using ELIXIR AAI.

Requirements

  • A user account registered in ELIXIR. See the process above for doing this.

  • At least one CanDIG site added as an OpenID Connect Client in ELIXIR. See the process above for doing this.


ELIXIR AAI to CanDIG Integration

Premise

A researcher wants to be able to log into ELIXIR environment using CanDIG AAI.

Requirements

  • A user account is registered in at least one CanDIG site.

    • Email the site coordinator for now.

  • ELIXIR AAI service is added as an OpenID Connect Client with the CanDIG site.

    • Email the site coordinator for now to obtain an access token for the new client.

Integrated Services

During the first year of the project, services within the CINECA scope were integrated into the ELIXIR AAI. The complete list of services integrated into the ELIXIR AAI can be seen at https://login.elixir-czech.org/services.

MOLGENIS

MOLGENIS test service integrated into the ELIXIR AAI.

CanDIG Test Service

CanDIG test service integrated into the ELIXIR AAI which demonstrates the interoperability between CanDIG and ELIXIR AAI.

Other Services

https://usegalaxy.eu and some other instances are integrated into the ELIXIR AAI and are thus available to CINECA users. Other services are considering connecting to the ELIXIR AAI, e.g. the Estonian ETIAS Compute Infrastructure (https://etias.ee), which is used for analysing data from the Estonian Biobank. Another such service is the UMCG Cluster, which is used for computations.