WissKI

For the Scientific Communication Infrastructure (WissKI), the joint initiative of the Data Competence Centre SODa is planning to set up a didmos Community AAI Single Sign-On (SSO) system from DAASI as part of the IAM4NFDI incubator fund. WissKI-based services such as the WissKI Cloud and the Semantic Coworking Space (SCS) as well as the entire NFDI network will also benefit from this.

With the aim of creating a robust, compatible authentication and authorisation infrastructure (CAAI) for the WissKI-based infrastructure offerings, the open source didmos solution was selected due to its compatibility with dockerisation and its proximity to the GLAM and DH communities, in particular NFDI4Culture, NFDI4Objects and NFDI4Memory, and comprises the following work steps:

1. Setting up a client in the central didmos instance
2. Configuration of the NFDI AAI federation
3. Configuration of the WissKI instances as clients

Terminology Services2.0

While our initial incubator proposal focused solely on the Terminology Service (TS), we soon realised that its requirements did not encompass the full spectrum of services within the NFDI4Chem consortium. Consequently, we expanded our approach to include the major services of NFDI4Chem in the Community AAI. Currently, in addition to the Terminology Service (TS), we are testing the Community AAI with Chemotion Repository, nmrXiv and COCONUT. We plan to integrate more services with the Community AAI in the future.

Goals

Our primary objective is to establish a unified AAI solution within a single consortium, enabling users to seamlessly access and utilise all available resources. In the second phase of the incubator project, we aim to integrate test instances of various services with the chosen CAAI. This will help us gather requirements that might necessitate modifications on both services and CAAI.

This will help us ensure that we meet our requirements of the majority of these services.

• Support different logins both institutional and non-institutional. (Flexibility of customising the list)
• Multiple account creation and linking
• REST API with authentication code, so as to ease the maintenance of a service (for example during account deprovisioning, or movement of staff within the department)
• Improve flexibility of creating LDAP servers (internal and external) and communication with its OIDC instance.
• Facilitate both GUI and non-GUI based logins [optional]

Open Energy Platform

With this incubator process, we (NFDI4Energy) want to commit to a specific CAAI solution, namely Reg-APP, and integrate it on the OpenEnergyPlatform (OEP). NFDI4Energy is committed in reusing already existing solutions and platforms. As a result, the OEP will serve as one of the main bases for further developments in Research Data Management in the Energy domain and will be a linking and collection point for further NFDI4Energy services.

The OEP currently consists of a simple local login (E-Mail and Password) based on basic services available through the python package Django with a PostgreSQL database and simple fronted technology (HTML, JavaScript, CSS). To add Reg-APP support we plan to use the django-allauth module, which supports SAML as well as OpenID Connect.

Goals

• Integrate RegAPP on the OpenEnergyPlatform as the primary Authentication Service.
• Transfer or map existing user accounts, since we plan to maintain the legacy login as well as the RegAPP login.
• Operate the OEP and associated services under real environment conditions. As the OEP is a community service we think that a connection to the NFDI Infra proxy will not be necessary.
• The served user base will be a mix of researchers, industry partners and society. As such an authentication method that is not based on the research infrastructure needs to be supported, as well.

NOMAD Integration

We want to link NOMAD to the NFDI AAI. NOMAD is a web-based research data management (RDM) platform for material science. It integrates a data repository, Electronic Lab Notebook (ELN), and JupyterHub into a unified platform. It is the main service developed and offered by the FAIRmat consortium.

NOMAD uses Keycloak as a Single Sign-On (SSO) solution. We operate a single central instance that is used by all NOMAD installations and services. Currently, we only allow users to use NOMAD accounts that were created on this Keycloak instance. NOMAD uses Keycloak primarily for authentication since all rights are managed within the NOMAD application. Therefore, we currently do not see any need for (community) roles, attributes, or similar functionality within NFDI AAI.

Technically, we want to realise this integration either via OpenID connect or SAML depending on NFDI AAI capabilities. Since, NFDI AAI and Keycloak already support at least one shared protocol, the integration should be straight forward. Most of the work, will probably be dedicated to test the integration. We might need some assistance in configuring the connection via OIDC or SAML.

Goals

• Integrate the NFDI AAI as an identity provider for NOMADs central Keycloak instance. This should allow users to login with their existing NFDI AAI identities. A large portion of the ~4000 existing NOMAD users are affiliated with research institutes and Universities in Germany and Europe. Therefore, many of the existing users and potential new users might already hold identities within the 4 proposed NFDI AAI solutions.
• Simplify future integrations with other (NFDI) services (within the materials science community and beyond). For this it is necessary that services rely on a shared NFDI AAI solutions.
• Evaluate the use of linking different identities belonging to the same individual user.

NFDI4CAT Repository

The NFDI4CAT community requires a central solution for the storage and exchange of experimental and simulation data to streamline research activities and support collaboration. To address this need, NFDI4CAT propose the deployment of a central repository using Dataverse. This repository will facilitate organisation, sharing, and archiving of research data within the community, ensuring efficient data management and accessibility. We would like to explore the possibility to use the NFDI Authentication and Authorisation Infrastructure Framework for the NFDI4Cat Dataverse repository. This will enable our repository users with seamless and secure access to their data.

Goals

1. Incorporate the concepts of community and infrastructure proxy.
2. Integrate NFDI AAI single sign-on for Dataverse for the NFDI4CAT community.
3. Include all stakeholders (University, Non-University).
4. Address any issues identified during testing to ensure a smooth and reliable user experience.

File Transfer Service FTS

The File Transfer Service (FTS) is a Software that is developed by CERN and that specializes in easy, large scale data transfer. It allows the scheduling of transfers and results in a good utilization of the available bandwidth. We are currently setting up an FTS instance to enable users to transfer their research data between different endpoints, our research data management system, and the cluster.

Goals

As a result of the project, it should be possible to login through our community AAI solution at the FTS web-interface. This removes the need for client certificates. When granted permission to access FTS this way, an FTS user should automatically be created with basic transfer permissions. Users should also be able to view the Web Monitoring to see the status of their transfers, while administrators should be able to view the status of the overall service. Participants of this incubator are the project team members that implements this project. The communities that require a solution are researchers from different NFDI consortia that will use the FTS instance of the RWTH Aachen University to transfer their research data quickly and reliably.

• The RegApp is connected to the FTS server instance of the RWTH Aachen University.
• Generation of new FTS users is prompted by first-time access through the RegApp.
• The Web Monitoring platform of the FTS instance, which is separate from the server, is connected to the RegApp.

Forum 4 MICA

The idea of the incubator proposal is to use the Forum4MICA as a pilot project to connect the consortium KonsortSWD to Community AAI.

Forum4MICA is a publicly accessible exchange and information platform on topics related to the data collections of the participating Research Data Centers (RDC). The online forum gives RDCs (currently 18) an additional option for communicating with their data users and interested persons. It enables the provision of specifically requested information on the research data provided.

As submissions and interactions are only possible for registered users, logins via NFDI-AAI would substantially improve the user experience and reduce effort.

Goals

• Find out if an implementation of an IAM system in the consortia is possible and act as a demonstrator within KonsortSWD.

• Connect the existing community service Forum4MICA to NFDI AAI.

• Identify which possibilities exist to connect the service

• Evaluate the transferability of the IAM results in this incubator to additional services. E.g. institutional repositories (e.g. at GESIS) require registration but have so far not expressed interest in joining IAM4NFDI For these providers this incubator would be a demonstration of the service’s capabilities.

FairAgro

FAIRagro is the NFDI consortium focussing on agrosystems research. FAIRagro will offer various services, such as a Nextcloud system, a Zammad-based helpdesk system, and the FAIRagro Search Portal. These services will be integrated with an Authentication and Authorisation Infrastructure (AAI) based on NFDI recommendations to facilitate usage.

Further services will be connected to the CAAI, including consortium-internal services and community services.

Goals

Link the existing FAIRagro services to the CAAI and develop a group and role concept to enable authorisation of different user groups. The integration process will involve the definition of groups and roles with regard to the consortium

DataPlant

The DataPLANT consortium develops and provides a wide range of services to support FAIR data science in plant biology. In the past, we have implemented our own IAM infrastructure but as our collaborations with other consortia and institutions continue to grow, we are in need of a broader IAM integration.

Our infrastructure needs to be connected to the larger IAM4NFDI system to allow users from both DataPLANT and other consortia to use our services. The DataPLANT user base needs to be integrated as a community identity provider. Authorisation decisions within the services should be derived from user attributes provided by the respective consortia identity providers.

Goals

1. Integrate our identity provider with the IAM4NFDI system to allow DataPLANT users to easily connect to other NFDI services.

2. Connect the IAM4NFDI infrastructure to our services to allow users from other consortia to use our services.

3. Management of user attributes, their propagation across the service landscape and how we can use them to implement fine-grained authorisation policies based on entitlements, user affiliation and role, among other things.

Coscine-2

Coscine is an open-source platform for research data management (RDM) and can be used by all researchers of every field. In context of the FAIR-principles the login to Coscine is already possible with an institutional account (Single Sign-On) or using ORCID.

One aim of this incubator proposal is the extended support of social login possibilities within our CAAI (RegApp). Furthermore, we would strive for the connection of accounts inside RegApp (e.g., ORCID with Single Sign-On). This would simplify the usage of Coscine because now the user needs to manually connect the accounts within the platform itself. As a further point of the anticipated work, we would see the supply of intersections for delivering of information by the home organisation as well as by the AAI. This would improve the transfer of roles which is needed because in Coscine different functionalities are linked to specific roles.

Goals

• Enabling intersections in a decentralized way to get information from the Home Organisation as well as from the AAI Login about the roles which are given in Coscine.
• Analysing in which context the definition of roles in the framework of NFDI and Coscine makes sense and in how far they need to be implemented (e.g. as Reviewer for Application Profiles).

Come2Data

Come2Data aims to close a currently existing gap in support regarding a large range of data issues, such as:

• Data problems during any stage of the data life cycle (e.g. acquisition, management, analyses and publication)
• Trainings to acquire data competencies.

To address these issues, we operate a help desk (level 1 support) and provide educational resources, such as certified trainings (after completion of the current funding period for establishing the centre). For very specific data problems, we have a database of specialists in the respective fields who will gain access to Come2Data resources once they serve as data experts for our helpdesk (level 2 support).

In order to run the centre, we plan to implement a systematic technical infrastructure, containing a WordPress CMS-based website, a triple-store knowledge base, and storage space for large data

We seek support for an AAI solution that integrates the institution-specific IDM solutions to grant selective access on various levels (see above). We furthermore look for a solution to work with users with educational or scientific institutional login as well as without such a login possibility.

Goals

We aim for a broadly available authorisation process to gain access to our services that implements the use of existing AAI-solutions.

For users who are not affiliated with any community providing an AAI-service, an alternative solution is required, e.g. to register for our trainings and gain access to course material. The overarching goal is to make our services available to a broad range of users from both academic and non-academic (e.g. industrial, general public) backgrounds.

NFDIxCS

The current startup phase of NFDIxCS is characterized to hammer out the detailed requirements for the NFDIxCS platform. A key of both areas – the platform and the RDMCs – need a profound, flexible and extensible way to use and manage identities, authentication and authorization methods for accessing the plarform and the RDMCs managed within the platform.

The goal of the incubator is threfore to explore the field of identity management methods and technologies which are available and in wide use in the community – primarily in the field of platforms for management and publication of research data in Computer Science but also in related scientific areas beyond CS. The result of this will  be a list of related methods and architectural requirements to use the methods in the NFDIxCS systems that are implemented in the future.

Authorisation on Objects

Repositories in general need certain authentication and authorization functionalities for controlling import and export of data. It would be desirable, that an NFDI-wide IAM solution supports such AAI functions, as they are required by potentially all research data repositories across all disciplines.

We acceppt this challenge and use the TextGrid and DARIAH-DE Repositories as examples to implement such AAI functions, if as extension, integration or even overall management shall be subject to decision of the IAM4NFDI group.

Integration of NFDI AAI to Open edX

This Incubator Project focuses on integrating the NFDI Authentication and Authorisation Infrastructure (AAI) with Open edX. The primary goals are to gain an initial understanding of IAM4NFDI, test the usability and features of available Community AAIs, and determine the best Community AAI to use.

Three major steps

Authentication Process

• Applied for OAuth-Client with three Community AAIs (Unity, RegApp, AcademicID), created a Flask app for testing authentication methods.
• Integrated three Community AAIs into Open edX using Python Social Auth, with reusable Python classes for third-party authentication.

Virtual Organisations

Applied for admin accounts, tested UI handling, and examined the impact on authentication attributes.

Decision on CAAI

Compared three AAIs using a rating matrix, recommended one within the consortium, verified by an internal group, and finalised by the steering group.

Terminology Service

The goal of NFDI4Chem is to have a unified AAI solution within a single consortium, enabling users to seamlessly access and utilize all available resources. From the incubator project, we aim to integrate test instances of various services with the chosen CAAI. This will help us gather requirements that might necessitate modifications on both the services and the CAAI front, ensuring that the needs of the majority of these services are met. Following comprehensive testing across all facets, the test instances of each service will transition into production. The list of services to be connected with CAAI includes the Terminology Service (TS), Chemotion Repository, nmrXiv, COCONUT and more.

NFDI4Culture

The current NFDI4Culture IAM plays a pivotal role as the central AAI/SSO backbone of the consortium. It accommodates approx. 400 user accounts and seven integrated services, thus contributing significantly to the consortium’s operational efficiency. Due to the implementation of DFN standards, the current IAM already exhibits a high degree of compatibility with the IAM4NFDI set of SAML attributes. The logical next step for NFDI4Culture is the integration of its IAM into the evolving CAAI architecture of IAM4NFDI.

The transition is based on a two-tiered process:

1. On tier one (not part of the incubator), NFDI4Culture is going to cooperate with DAASI to migrate the existing IAM solution to the IAM4NFDI-compatible CAAI solution didmos.

2. On tier two (which is the focus of this incubator proposal), the consortium is planning to connect up to three exemplary services from its portfolio to the new IAM4NFDI-compatible CAAI while focusing on the conceptualisation, implementation, and operationalisation of the relevant NFDI policies and the design of a consortium-wide Incident Response Management system. The technical aspects of the integration of the services mentioned above will be done by DAASI in tier one. DAASI will also act as interface between tier one and tier two.

FDPG - Analysing data from clinical care

The German Portal for Medical Research Data (FDPG) is the central point of administration for scientists conducting research projects with routine medical data from German universities.

The Medical Informatics Initiative (MII), which is funded by the Federal Ministry of Education and Research (BMBF), collects patient data and biosamples taken during routine care for medical research and processes them at data integration centres based in university hospitals. The data are then made available in accordance with data protection regulations.

The FDPG offers:

• An overview of databases for cross-centre research the opportunity
• To evaluate the feasibility of specific research questions using
• Feasibility inquiries a standardised process for requesting data and
• Biosamples an established contractual framework for simple data use
• The central coordination of data provision the transparent
• Presentation of research projects in the project registry

Minimal OIDC login

Numerous web platforms, such as MediaWiki, support the OpenID Connect (OIDC) protocol, allowing users to sign in using their existing accounts. While Google or ORCID accounts were previously used for logging in, this incubator project aims to facilitate logging in using accounts from NFDI institutions with minimal effort for users and administrators while ensuring maximum privacy.

The Germany National Mathematical Research Data Initiative (MaRDI, mardi4nfdi.de) utilizes MediaWiki as its software to establish a comprehensive portal for research data in mathematics and related fields. This platform shares general-purpose technology with the Wikimedia Foundation and extends its functionality to cater to the specific needs of the MaRDI consortium. A fundamental requirement voiced by mathematicians contributing their research data is to avoid the maintenance of additional accounts, making the reuse of their institutional accounts a practical choice. Furthermore, this approach effectively mitigates the risk of spam by disallowing anonymous editing.

ArgoCD

IAM4NFDI aims to connect and expand current and new IAM (Identity and Access Management) systems, allowing researchers from various fields and institutions to easily access digital resources in NFDI.

To achieve this goal, IAM4NFDI introduced Incubator Cycles to promote ideas and needs for the NFDI-AAI (Authentication and Authorization Infrastructure).

NFDI4DS successfully proposed such an incubator project. It is using ArgoCD as a prototype for implementing IAM solutions and will be realized at TU Dresden.

The TU Dresden data center has already set up a Kubernetes Cluster for NFDI4DS users. It provides a user-friendly GitOps solution, ArgoCD, to access the cluster. The main users of ArgoCD within NFDI4DataScience are providers of our services, such as repositories and computation services for the data science community.

The goal is to authenticate our ArgoCD users through Single Sign-On with their institutional credentials to

• improve user experience
• increase employee productivity by reducing the time they must spend signing on and dealing with passwords
• achieve better access control
• improve security

Additionally, we’d like to gain a comprehensive experience from connecting ArgoCD to NFDI’s community AAIs. This incubator project will share the lessons learned to leverage the A (Accessibility) and I (Interoperability) in FAIR.

Coscine

Coscine is a platform for research data management. Coscine offers researchers:

• Storage space: access to free storage space (depending on organisational affiliation)
• Integration: Access to project-related data sources (e.g. research data repository, linked files, archived data)
• Collaboration: Access for all project members
• Metadata: Automatically linked to project data
• Individuality: Project-specific metadata can be created as application profiles
• Archiving: Archive research data on site

The metadata for research projects can be shared publicly on Coscine, made searchable and, in the long term, findable at national level. Coscine thus contributes to the goals of the National Research Data Infrastructure NFDI by making valuable scientific and research data accessible to the entire German scientific system.

JARDS Attribute Queries in RegApp

At RWTH Aachen University, the JARDS platform is used by researchers to apply for resources such as storage space or computing time. The applications are assessed in a multi-stage scientific review process. After approval, researchers must be given access to the resource and be able to manage other project members. This requires information about approved projects in RegApp. The aim of this project is to enable attribute queries via the SAML protocol in RegApp and to set up a Shibboleth-based attribute authority that returns user data from JARDS. This demonstrates how external applications can be integrated into the Community AAI as attribute authorities.

MetadataHub

MetadataHub allows access to various metadata stores developed in the NFDI. All operations from "Create" to "Search" can be performed on the metadata stores. There are two demonstrators for this, one showing the interfaces and the other providing a search across all metadata stores.