ELIXIR AAI: Authentication and Authorisation Infrastructure

While the majority of life science services are openly accessible to anyone across the world, many of them require researchers to sign in with a username and password. Sensitive data and licensed resources naturally require strong access controls.

To meet this need, research services have historically implemented their own local access management and issued their own usernames and passwords. As a consequence, researchers quickly became overloaded with the number of login credentials they had to remember.

The ELIXIR Authentication and Authorisation Infrastructure (AAI) enables researchers to use their home organisation credentials or community or commercial identities (e.g. ORCID, LinkedIn) to sign in and access data and services they need. It also allows service providers (both in academia and industry) to control and manage access rights of their users and create different access levels for research groups or international projects.

For example, two researchers at the same university may be working on different European or national research projects and may need access to completely different data or compute resources. ELIXIR AAI ensures that each of them can reach the right resources using their university credentials, while making sure they cannot see each other's data.

Benefits of ELIXIR AAI for researchers and service providers

The benefits of ELIXIR AAI go well beyond the convenience of not having to remember a new username and password combination. It offers:

  • Reduced bureaucracy and costs – reusing existing institutional identities means service providers do not have to create and manage accounts for all their users. ELIXIR AAI helps service providers meet their legal obligations under privacy and data protection legislation (GDPR) and respond swiftly to security incidents.
  • Improved verification – researchers' identities are usually verified in person by their home organisations, with face-to-face checking of photo IDs or government documents. As such, home organisations provide reliable information on a researcher's affiliation and greater confidence to service and data providers. It would be lengthy and expensive for ELIXIR to carry out this face-to-face vetting itself across a distributed infrastructure.
  • Regular updates – as researchers join or leave institutions, their affiliation information is kept up to date by their home organisations. When a user changes affiliation (be it research group, department, EU project or university), the access rights coupled with that affiliation follow automatically. This increases the security of access and the confidence that only authorised researchers can reach critical data.

ELIXIR AAI is open to all service providers in industry and academia. Read the ELIXIR AAI documentation or contact aai-contact[at]elixir-europe[dot]org to learn more.

The ELIXIR AAI was launched in late 2016. Since then it has been growing both in terms of the number of users and the number of service providers linked to ELIXIR AAI. By the end of the first year of operation, the ELIXIR AAI:

  • Deployed several high-profile services: de.NBI, TeSS, GlobusOnline, Meta-pipe, HNSciCloud and EMBL-EBI services, and connected to the EUDAT and EGI infrastructures
  • Had around 3000 logins per month
  • Enabled 493 institutions whose members can use ELIXIR AAI
  • Integrated 67 production services, with an additional 65 in testing
  • Had 1838 users and 370 groups

Genomics data sharing and ELIXIR AAI

The capabilities of ELIXIR AAI are demonstrated in the reference implementation of the ELIXIR Beacons. The three-tier access system was developed jointly by the ELIXIR Compute Platform, the ELIXIR Human Data Use Case and the Global Alliance for Genomics and Health. It allows data owners to publish their genomics data at one of three access levels (public, registered and controlled) and to control what kind of information is provided to different types of users.

The public tier, open to all users, discloses only allele frequencies across the genomic data; registered users (scientists working at universities and research centres) additionally get cohort-specific allele frequencies; users in the controlled tier have to be individually approved by a Data Access Committee and then get access to individual-level data from the cohorts.
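The following is an added example, written for this page and not taken from the ELIXIR Beacon reference implementation, of how a service can enforce the three tiers once the AAI has authenticated the caller. It assumes two claims the service derives from the verified identity, a `bona_fide` flag marking a registered researcher and a `dac_approvals` set of dataset identifiers the Data Access Committee has approved for that person; the claim names, the dataset identifier and the genotype data are constructed for illustration. The point the code makes beyond the prose is that the policy is evaluated per dataset, so a DAC approval for one dataset does not unlock individual-level data in another, and that the same underlying genotypes are reduced to a different view at each tier rather than stored three times.

```python
"""Three-tier Beacon access policy (added example, not the project's own code)."""
from dataclasses import dataclass, field

# Constructed sample data: individual-level genotypes for one variant, keyed
# by cohort. The value is the number of alternate alleles carried (0, 1 or 2).
SAMPLE_DATASET = {
    "id": "DS-EXAMPLE-1",          # hypothetical dataset identifier
    "variant": "1:12345 A>G",      # hypothetical variant
    "cohorts": {
        "cohortA": {"ind-001": 0, "ind-002": 1, "ind-003": 2, "ind-004": 1},
        "cohortB": {"ind-101": 0, "ind-102": 0, "ind-103": 1, "ind-104": 0},
    },
}


@dataclass(frozen=True)
class User:
    """Claims about an authenticated caller, as the service would hold them
    after the AAI token has been verified. An anonymous caller is represented
    by None, never by a User with empty claims, so the public path is explicit."""
    sub: str                                   # stable subject identifier from the AAI
    bona_fide: bool = False                    # assumed claim: verified researcher status
    dac_approvals: frozenset = field(default_factory=frozenset)  # assumed claim: approved dataset ids


def allele_frequency(genotypes):
    """Alternate-allele frequency over a diploid set of genotypes."""
    return sum(genotypes.values()) / (2 * len(genotypes))


def access_tier(user, dataset_id):
    """Highest tier the caller holds for this specific dataset.

    Controlled access is decided per dataset: the DAC approval must name the
    dataset being queried. Registered status is global to the caller and is
    only consulted if no approval applies.
    """
    if user is None:
        return "public"
    if dataset_id in user.dac_approvals:
        return "controlled"
    if user.bona_fide:
        return "registered"
    return "public"


def beacon_response(user, dataset):
    """Build the view of a dataset that the caller's tier permits."""
    tier = access_tier(user, dataset["id"])
    all_genotypes = {ind: g for cohort in dataset["cohorts"].values()
                     for ind, g in cohort.items()}
    # Public tier: aggregate allele frequency only.
    response = {
        "dataset": dataset["id"],
        "variant": dataset["variant"],
        "tier": tier,
        "allele_frequency": allele_frequency(all_genotypes),
    }
    # Registered tier adds per-cohort frequencies.
    if tier in ("registered", "controlled"):
        response["cohort_allele_frequencies"] = {
            name: allele_frequency(g) for name, g in dataset["cohorts"].items()
        }
    # Controlled tier adds individual-level genotypes.
    if tier == "controlled":
        response["genotypes"] = dict(all_genotypes)
    return response


if __name__ == "__main__":
    anonymous = None
    registered = User("alice", bona_fide=True)
    approved = User("bob", bona_fide=True, dac_approvals=frozenset({"DS-EXAMPLE-1"}))
    other_approval = User("carol", dac_approvals=frozenset({"DS-OTHER"}))
    for caller in (anonymous, registered, approved, other_approval):
        print(sorted(beacon_response(caller, SAMPLE_DATASET).keys()))
```

In a deployment the claims in `User` would be populated only from a token the service has verified against the AAI, and the `dac_approvals` set would be refreshed from the authoritative source rather than cached indefinitely, so that a revoked approval takes effect the same way a changed affiliation does.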

See more at https://beacon-project.io.

ELIXIR Beacon schema