European Life Sciences Infrastructure for Biological Informationwww.elixir‐europe.org

ELIXIR EGA AAI PILOT

Mikael.Linden@csc.fi, project managerVAMP workshop 6th Sep, 2012

Outline

• EBI, EGA and Nordic Control database• Pilot goals• Pilot 1: Federated authentication• Pilot 2: Authorisation management• Snapshots from the REMS tool

EBI‐European Bioinformatics Institute• Academic research institute ‐ part of EMBL 

– EuropeanMolecular Biology Laboratory– Funded by 20 European countries, EC, NIH etc– ”The CERN for bioinformatics”

• Located in Hinxton, Cambridge, UK• Hosts databases for bioinformatics, e.g.

– EMBL‐bank (DNA and RNA sequences)– Ensembl (genomes)– UniProt (protein sequences)

• Mission is to support science by providing maximal access to data stored at the institute.

European Genome‐phenome Archive (EGA)

• One of the EBI services • Stores any data where informed consent requires 

controlled access (AuthN&AuthZ needed)• 8/2012: 323 datasets, 370TB, 200.000 samples

– Growth rate is very fast at the moment

• Access to datasets granted by a Data Access Committee (DAC)– DACs nominated by the original data owners– 8/2012, 68 DACs around Europe and beyond– EGA acts as a secure broker

• www.ebi.ac.uk/ega

Nordic Control Database (NCDB)

• 6000 samples fromDK, EE, FI and SE• Collected and deposited to EGA by the Nordic Center of 

Excellence in Disease Genetics • http://nordicdb.org/

ELIXIR EGA AAI pilot• Common project for EBI, CSC and FIMM• Funded by ELIXIR

– EC project building infrastructure for biologicalinformation in Europe

• 4/2012‐4/2013

Project goalsPilot 1: federated authenticaton• Allow EGA data users to use their federated identity 

for requesting services from the EGA   • Remove user’s temptation to share their uid/pwd• Ensure access ceases when the user departs from 

the Home OrganisationPilot 2: authorisation management tool for NCDB• A workflow tool for applicants and DACs• Reporting on access rights• Reporting on scientific publications made based on 

the datasets

Pilot 1: Current authentication

Pilot 1: expected outcome• Integrate EGA web portal to SAML2 SP• EBI to join Haka federation and register EGA as an 

SP to Haka – And possibly expose to an interfederation, such as Kalmar 

Union or eduGAIN

Pilot 2: NCDB application workflow

Resource Entitlement Management System

Metadata on R1&R2

REMS

Workflow 

ReportsCatalogue Resource 2

Resource 1

Owner1

Owner2Researcher2

Researcher1

research group

PrincipalInvestigator

Researcher3

SP

IdP

IdP

IdP

Apply for access Circulate to owner

Approveapplication

Use

European Life Sciences Infrastructure for Biological Informationwww.elixir‐europe.org

Screenshots from REMS

Disclaimer:Work in progress!

Creating a workflow for a dataset

Resource (dataset) owner:

1. Adds a new dataset to REMS

2. Create a workflow for the dataset• License of the dataset (applicant

needs to accept it)• Reviewer(s) of the application• Approver(s) of the application

Filling in an application

Research group leader(Principal Investigator):

1. Identifies the dataset(s) to apply access for

2. Identifies the members of the research group

3. Provides contactinformation etc

4. Attaches a research plan to justify the application

5. Submits the application

Reviewers’ and approvers’ view

• Reviewer(s) can comment the application• Approver(s) can approve or reject the application

Using the access rights, alternatives

1. REMS as a SAML proxy• Injects an eduPersonEntitlement to the SAML assertion

2. REMS as a SAML AP• Return an eduPersonEntitlement to an attribute query

3. REMS as XACML PDP• Argus

IdP Dataset

REMS web portal

SAML proxy

SAML AP

Argus

REMS intends to be a generic tool

• Applying access to any resources– Identified by an identifier

• Complex workflows• Several members in one application• License terms for resources• Federated authentication• Reporting• The aim to release on an OS license