Sketch: Seamless access to Helmholtz Resources for Helmholtz Scientists and external partners, finely controllable by access lists

What Is It About?

HIFIS built, maintains and continuously expands a technical and procedural infrastructure that allows users from all Helmholtz Centers as well as external collaboration partners to access distributed resources — for example cloud services — in a seamless way.

To enable this, HIFIS implemented the Helmholtz Authentication and Authorisation Infrastructure (AAI), providing Helmholtz ID. This central service allows unified user and group management for Helmholtz and beyond.

The Helmholtz ID / AAI:

Enables seamless login to the Helmholtz Cloud services and other resources for any Helmholtz users and invited partners from external institutions, by using only the home institution’s username and passphrase.
Allows cross-institutional group management and fine-grained resource sharing via so-called Virtual Organisations (VO) Management.
Maintains compatibility with international initiatives, such as the European Open Science Cloud EOSC by using frameworks such as the AARC blueprint.
Allows for easy connection of new institutions and new services.
Transfers and processes only minimal sets of personal data; for example, passwords do not leave your home institution.
Strongly facilitates parallel usage and even interconnection of multiple services by Single-Sign On (SSO).
Understands different identity qualities via Levels of Assurance.

How to Use It?

Login and user account information: After first login, accepting all terms and conditions, you are already a member of Helmholtz ID / AAI. Congratulations!
Manage a group (VO): To do this, you need to be a manager of such group, for example after being invited by another manager or registering your own VO beforehand. And you need to have a second authentication factor registered for security reasons.
Helmholtz Cloud services: Check out our service portfolio that can be used with the Helmholtz ID login, if you are a Helmholtz member or part of a collaboration group. Don’t forget to read the service descriptions, as some are usable under preconditions.
For technical details, refer to our documentation.

How Does This Work?

From user perspective, the connected Helmholtz Cloud services can be logged in by clicking “Helmholtz ID” (or “Helmholtz AAI”). This ultimately allows the users to select their home institution and log in via the home institution’s credentials.

Have a look at our illustrated tutorial on this to see more of it!

If you happen to run into any issues, check our FAQ and never hesitate to contact our integrated helpdesk at support@hifis.net.

The Technical View

All details on the technical and procedural implementation can be found in the documentation.

Spoken on a very high level, there are at least three instances exchanging data with each other:

the service,
the central community AAI (login.helmholtz.de), and
the user institution’s Identity Provider (IdP).

The first station itself can consist of multiple sub-instances, for example involving an Infrastructure Proxy, to streamline multiple service connections of one institution to the whole infrastructure.

As a user, you are basically following the route downwards and then up again when logging in to a service.

Compliance

All participants, including end users, need to comply to the Helmholtz AAI policies, and possibly additional policies related to specific groups (VOs). Further, you are informed about and need to agree to every transfer and processing of personal data. Sorry for bothering you on all of these steps, but it’s mandated by GDPR. But it’s handy that you can save your preferences and not be bothered again on this when you log in the next time.

Furthermore, a Helmholtz-wide rule set is currently being set up by HIFIS in order to facilitate cross-centre sharing of Helmholtz Cloud resources in the future.

Comments? Suggestions? Questions?

Check our FAQ
Contact us at support@hifis.net.