The Fenix Authentication and Authorization Infrastructure (AAI) status and updates

10 Oct 2022

Today the Fenix infrastructure provides a federated and integrated environment, together with access to common infrastructure services across multiple sites. Its main benefits are a common, trusted, unique identity for each user across sites, combined with each site's autonomy over its own policy decisions within a shared identity layer. The Fenix AAI implements this trustworthy, federated environment, in which users are managed and granted access to resources securely and as seamlessly as possible.

Over the last year the Fenix AAI has been extended with new features and capabilities. One of the most important recent updates is a completely new identity layer, MyAccessID, which encourages service providers to use a common identifier for all users while each site keeps control over which Identity Providers (IdPs) it accepts. MyAccessID also isolates the complexity of contractual obligations, with particular focus on compliance with regulations such as the European General Data Protection Regulation (GDPR).


Figure 1: The new MyAccessID service, introduced recently to improve access to the Fenix Infrastructure Service Domain (ISD) layer

The central component of the Fenix AAI, the Fenix Central Proxy IdP, and the MyAccessID service are both operated by GÉANT in order to deliver federated compute and data services to European researchers, aggregating capacity from multiple resource providers and enabling access from existing community platforms such as the EBRAINS Collaboratory developed by the Human Brain Project (Figure 1).

The two major use cases supported today via the Fenix AAI are the Data Mover service and the Data Transfer service; both are currently under testing and are expected to reach production on the Fenix sites by the end of 2022. A production version of the Data Mover service is under evaluation at CINECA, the major supercomputing centre in Italy, while a first production version of the Data Transfer service (integrated with the Fenix Central Proxy IdP) is already operated at BSC (Figure 2).


Figure 2: The Data Transfer (DT) service (DB: database; FTS3: File Transfer Service 3; OIDC: OpenID Connect)

A Fenix user who has been granted Fenix credits, a project and the associated budget will be able to upload files as data objects to the Fenix Archival Data Repositories (ARDs) using the Data Mover, and to move data across sites using the Data Transfer service, after authenticating to the Fenix AAI through MyAccessID with their own credentials.
Moreover, both web and non-web service providers will be reachable via the Fenix AAI and MyAccessID through standard interoperability protocols such as OAuth2/OpenID Connect and SAML. SSH access protected by two-factor authentication (2FA) will be provided, while each site remains free to choose its own technical solution for supporting Fenix users.
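As an added example (not Fenix, GÉANT or MyAccessID code), this is the check a service provider that accepts OpenID Connect ID tokens from a central proxy IdP should run before trusting the common identifier described above: verify the signature against the issuer's pinned public key, pin the algorithm, enforce issuer, audience and expiry, and key the local account on the issuer-scoped `sub` rather than an e-mail address. It uses only the Go standard library. The issuer URL, audience name, RSA key and claim values are constructed for the demo; a real relying party fetches the issuer's keys from its JWKS endpoint and also checks `nonce` and `iat`, which this example omits. `signRS256` only stands in for the proxy IdP so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims: the ID token claims an RP must check; "aud" stays raw since the spec allows a string or an array.
type Claims struct {
	Iss string          `json:"iss"`
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 mints a compact JWS the way the proxy IdP would (an RP never holds this key).
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// audContains accepts both "aud":"x" and "aud":["x","y"].
func audContains(raw json.RawMessage, want string) bool {
	var many []string
	if json.Unmarshal(raw, &many) != nil { // not an array, so try a single string
		var one string
		if json.Unmarshal(raw, &one) != nil {
			return false
		}
		many = []string{one}
	}
	for _, a := range many {
		if a == want {
			return true
		}
	}
	return false
}

// VerifyIDToken checks the signature against the issuer's pinned public key and the
// claims an RP must enforce, then returns the issuer-scoped identifier (iss|sub).
func VerifyIDToken(token string, pub *rsa.PublicKey, wantIss, wantAud string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return "", errors.New("token segments are not base64url")
	}
	// Pin the algorithm first: letting the token pick ("none", HS256 keyed with the public key) is the classic confusion bug.
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature does not verify against the pinned key")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if c.Iss != wantIss || !audContains(c.Aud, wantAud) {
		return "", fmt.Errorf("token not issued by %s for audience %s", wantIss, wantAud)
	}
	if now >= c.Exp || c.Sub == "" {
		return "", errors.New("token expired or carries no sub")
	}
	// Key the account on iss+sub, never on email: email is mutable and may collide across home IdPs.
	return c.Iss + "|" + c.Sub, nil
}

func main() {
	// Constructed demo values: issuer URL, audience name and key are all made up.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := signRS256(key, Claims{Iss: "https://proxy.example.org", Sub: "2f9c1e4d", Aud: json.RawMessage(`"data-mover"`), Exp: 1700000300})
	fmt.Println(VerifyIDToken(tok, &key.PublicKey, "https://proxy.example.org", "data-mover", 1700000000))
	fmt.Println(VerifyIDToken(tok, &key.PublicKey, "https://proxy.example.org", "data-transfer", 1700000000))
}
```

The second call in `main` fails on purpose: a token minted for one Fenix service must not be accepted by another, even though it comes from the same trusted proxy. The same rejection applies to a token from a different issuer, an expired token, or one whose header tries to switch the algorithm.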

Fenix has received funding from the European Union's Horizon 2020 research and innovation programme through the ICEI project under the grant agreement No. 800858.