Authentication and Authorization Infrastructure (AAI)
Repositories and related services in NRP integrate with authentication and authorization infrastructure (AAI) to deliver a streamlined login process and access control to users across NRP. The solution is provided by the e-INFRA CZ AAI service, powered by the Perun AAI software.
Authentication is integrated using the OIDC protocol; some authorization capabilities (such as integration with computational workflows) additionally require API calls, if the repository provides them. The integration must be implemented by the developers and/or operators of the repository system.
Current AAI architecture for NRP is described in this document.
How does it work for end users?
Authentication
AAI lets users log in with their home institution or social identity to access a repository in NRP, so that they need not register and log in with each repository or service individually.
- Users click on the Login button on the repository home page
- Users select their home institution or social identity provider
- Note: social identities are less trustworthy because of the risk of fake accounts
- Users new to e-INFRA CZ or the repository must register with it (submit an application) and consent to the terms of use and the processing of their personal data
- Note: applications can be approved manually or automatically
- Users are logged in and redirected to the repository home page
Authorisation
In the ideal case, access control is invisible to the end users; they get what they need and nothing more.
AAI collects user attributes and lets repository administrators manage user groups and their association with protected resources. On request, it can propagate this data to a repository for use in access control.
By default, a user's group membership in AAI represents their membership and role in a community (e.g. data curator for canine research), which determines the scope of their access and the operations they are permitted (e.g. canine-related datasets and approving uploads).
There are features on the AAI roadmap that will enable automation of more complex access control use cases.
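The group-to-access model above, as an added example that is not part of NRP or the Perun AAI software: a repository-side policy that maps group memberships received from AAI to a dataset scope and a set of permitted operations, denies by default, and withholds the privileged "approve" operation from social-identity logins. The claim names, group names and policy table are assumptions.

```python
"""Map AAI group membership to repository access decisions (added example).

Claim keys ("sub", "groups", "idp_type"), the group names and the policy
table are hypothetical; a real repository takes them from its AAI setup.
"""
from dataclasses import dataclass

# Hypothetical policy: community group -> dataset scope + allowed operations.
# Anything not listed here is denied (default deny).
GROUP_POLICY = {
    "canine-research:curators": {"scope": "canine", "ops": {"read", "upload", "approve"}},
    "canine-research:members":  {"scope": "canine", "ops": {"read", "upload"}},
    "public":                   {"scope": "*",      "ops": {"read"}},
}

# Operations that are never granted to a social-identity login, since such
# accounts are less trustworthy than institutional ones.
INSTITUTIONAL_ONLY_OPS = {"approve"}


@dataclass(frozen=True)
class User:
    sub: str
    groups: frozenset          # group memberships propagated from AAI
    institutional: bool        # True if the login came via a home institution


def user_from_claims(claims: dict) -> User:
    """Build a User from decoded, already-verified token claims (assumed keys)."""
    return User(
        sub=claims["sub"],
        groups=frozenset(claims.get("groups", [])),
        institutional=claims.get("idp_type") == "institutional",
    )


def permitted(user: User, op: str, dataset_scope: str) -> bool:
    """Return True only if some group grants `op` on `dataset_scope`."""
    if op in INSTITUTIONAL_ONLY_OPS and not user.institutional:
        return False
    for group in user.groups:
        policy = GROUP_POLICY.get(group)
        if policy is None:
            continue  # unknown group: contributes nothing (default deny)
        if policy["scope"] in ("*", dataset_scope) and op in policy["ops"]:
            return True
    return False
```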
How can integrators get there?
If you choose one of the core NRP repository systems, some groundwork has already been done for you. However, you must still decide which access control capabilities your repository needs (like custom roles) and the degree of their automation (like synchronizations), which will drive the scope of AAI integration and configuration.
Repository system specialists will help you clarify and formulate your requirements. Then, depending on your specific case, the repository system provider may offer to integrate and configure AAI on your behalf, or the repository system specialists will provide you with the necessary documentation to do it yourself.
In any case, you, as the repository administrator, must decide on:
- Repository full name (≤128 characters)
- Repository short name (≤24 characters; only letters, digits, dot, dash and underscore)
- Email of the primary technical administrator responsible for operating the repository
- Name of the institution and department responsible for operating the repository
- The chosen repository system (e.g. CESNET Invenio, CLARIN-DSpace, ASEP/ARL, etc.)
- Whether the repository will run on CESNET S3 storage and K8s cluster infrastructure
- Data your repository needs for access control, if any (like user’s academic affiliation)
- Properties of the storage space for provisioned files (like a URL endpoint for upload)
Afterwards, this information is used by you and/or the repository system provider to:
- Register the repository in the AAI Service Registry
- Create a virtual organization and facility records for the repository in the AAI Admin GUI
- Customize the group structure, registration process and email notifications in the AAI Admin GUI
- Set up the resource structure and cross-link it with the group structure in the AAI Admin GUI
- Configure or implement integration of non-standard access control capabilities, if any
Note: repository integration with AAI must be tested before it is enabled in the production environment.
Finally, if necessary, the repository system provider can arrange a consultation with AAI specialists for you.