Tuesday, April 14, 2020

Transition to Practice success story, part two: How CILogon powers science gateways

Different authentication scenarios must all work together for science gateways
Marlon Pierce, Ph.D., is director of the Cyberinfrastructure Integration Research Center at Indiana University (formerly the Science Gateways Research Center). Pierce leads distributed systems research into scalable cyberinfrastructure to support computational and data-driven science.

Trusted CI spoke with Pierce about how science gateways use CILogon. CILogon enables researchers to log on to cyberinfrastructure (CI). CILogon provides an integrated open source identity and access management platform for research collaborations, combining federated identity management (Shibboleth, InCommon) with collaborative organization management (COmanage). (Read the interview with Jim Basney, who leads the CILogon project.)

Pierce and his team have worked with Jim Basney and the CILogon team for quite a while, especially with two projects. One of those is an NSF-funded project called the Science Gateway Platform as a Service (SciGaP) that uses their Apache Airavata software-as-a-service.

The platform and one code-based installation can support many different gateway tenants. Each of those gateway tenants can support many different users.

“We might have a gateway that could be out of anywhere,” says Pierce. “They could work with communities all over the country or all over the world that are not tied to Indiana University, for example, where we are. We work with PIs from all over the country who want to offer their gateways.”

The essence of a gateway is that it supports communities of users who need to be authenticated. Gateways are not anonymous science services, and that is an important characteristic. Users need to be able to log in and work through a sequence of actions that is recorded, so that the gateway can keep track of the work they do.

“You could think of those as creating digital objects,” says Pierce, “so the ability to do federated authentication is a cornerstone of all these projects which we outsource to the CILogon team. That is extremely valuable because it’s already solved for us.”

Pierce says now they can automate through some new services that CILogon provides. “Now every time we create a new gateway tenant, it also becomes a new tenant inside the CILogon system. That gateway could decide what authentication providers it wants to use. It could turn on the spigot and say, ‘come with whatever you have.’ For example, ‘I only want this for my university.’ CILogon provides many different capabilities.”

Pierce has another NSF-funded project, Custos (NSF Award 1840003), which is about halfway finished and incorporates CILogon.

“It’s a cyberinfrastructure program that Jim Basney is co-PI on,” says Pierce, “that takes on some of the things we learned from SciGaP. Many gateways want some of our services but not all of them. Let’s say a gateway has solved for their own purposes this problem of running a job with a supercomputer but they'd like to outsource some of the other things that we built. For example, the security pieces. CILogon is a key part of the Custos project for us to provide a targeted set of capabilities that are specifically for gateways use cases with authentication being the cornerstone.”

Currently, Pierce estimates that between 2,000 and 3,000 science gateway users are directly impacted by CILogon.

Pierce and his team first started using CILogon several years ago with a project called SeaGrid that was part of the SciGaP project. At the time, their other projects were using in-house authentication methods. While designing the security infrastructure during the SeaGrid project, they realized early on that CILogon was the way to go.

“We’d worked with Jim on an earlier project in 2010 or 2012,” says Pierce. “We realized there was no other service that offered this type of reliability and the type of support we get from them.”

“They've done all the hard work with the ‘plumbing’ of authentication systems, so we don't have to do it. There are things out there like OpenID Connect, which they support, but we needed more than that. Since gateways are typically with academic partners, that means that we need solutions where we have any number of different authentication scenarios that all work together that are appropriate for a gateway.”

SciGaP is funded by the National Science Foundation's Software Infrastructure for Sustained Innovation (SI2) program through award numbers 1339774, 1339856, and 1339649.