A worldwide e-Infrastructure for NMR and structural biology

WeNMR releases its Drupal module for Single Sign On for eXternal Services (SSOXS)

Managing authentication and authorization for virtual communities with a distributed service infrastructure

In the spirit of “unite and conquer”, professionals are increasingly organizing themselves in virtual communities. Such communities link like-minded individuals together, enabling a common knowledge base, professional interaction and exposure to services valuable to the community. The latter are often web-based tools organized through a common gateway or offered by the community’s users on their own infrastructure using their own implementation.

The WeNMR project is an example of such a virtual community. It aims to bring together complementary research teams in the structural biology and life science area into a virtual research community at a worldwide level and to provide them with a platform integrating and streamlining many web-based computational services necessary for NMR and SAXS data analysis and structural modelling. The project is both a three-year project funded under the European Commission’s 7th Framework Programme (e-Infrastructure RI-261571) and a Virtual Research Community (www.wenmr.eu) supported by EGI. It is the largest one within the life science area.

To enable easy access to the external services hosted by the project partners, WeNMR offers a Single Sign On solution to its Virtual Research Community users. To this end, a custom solution integrated into the Drupal content management system was developed for the Virtual Research Community gateway. This “Single Sign On for eXternal Services” module, or SSOXS for short, extends Drupal to serve as a single-sign-on authentication, central user management and accounting portal for the external web servers or services of the project.

The module offers a “My Services” page on each Drupal user’s profile page, allowing users to easily ‘subscribe’ to their selection of external services.

The offered services are registered by an administrator through an administration interface. Its rich features allow the service administrator to fine-tune who may subscribe to a service and which additional subscription requirements must be fulfilled (e.g. a valid X509 certificate). It also supports token-based access (e.g. for pay-per-use services) and more. Registered services are allowed access to the module’s API using the flexible XML-RPC communication standard. The extendable API enables secure communication between the external service and the SSOXS module, enabling not only user authentication and authorization but also user management and accounting.

The service administration pages allow the service administrators to manage subscribed users, query the accounting information provided by the service through the API and get an overview of service usage and performance through beautiful reports with interactive graphs.

Finally, the module is designed to be a good “Drupal citizen”, extending the core functionality with new features like many other excellent open source modules. It can therefore directly benefit from the many modules that extend Drupal with additional functionality such as authentication and authorization mechanisms like social media credentials, Shibboleth, OAuth and OpenID. The module even hosts its own federated login functionality via the versatile simpleSAMLphp library, allowing Drupal users to log in using a federated identity out of the box.

The combination of the online SSOXS administration interface and the flexible API provides a closed and self-contained solution for everything related to authentication, authorization and accounting for a service, without any need for additional modules or external services. The combination of these features makes this module unique. The service administrator is in control and the user is best served!

The module is freely available from the Drupal module repository:

http://drupal.org/node/2123977

Support in implementation and consulting can be requested via StickyBits (www.stickybits.nl), a company founded by the WeNMR developer of the module, Dr. Marc van Dijk.

 


SSOXS features, a detailed view

 

One-time authentication

Allow users to register for the external services using their Drupal account credentials. The SSOXS module integrates with Drupal’s core user management system. It directly benefits from the many excellent modules that extend Drupal with additional authentication and authorization mechanisms like Social media credentials, SAML, Shibboleth, OAuth and OpenID.

Federated login enabled

SSOXS offers its own federated login facility, using the powerful simpleSAMLphp library. Identity providers configured in simpleSAMLphp are directly available in the module and can be offered on the Drupal login page. Federated login account management is fully configurable with support for account persistence, privacy settings and mapping of attributes provided by the identity providers with support for the Profile module.

Subscription-based access

Access to external services is managed using a subscription mechanism. Drupal users can subscribe to services through a “My Services” page on their account profile.

Tailored subscription procedures

No two services are the same. The SSOXS module respects this, offering service administrators a rich toolset to fine-tune the subscription procedure to their service. Access to a service can be restricted by Drupal role; the subscription procedure supports requirements such as: a valid X509 certificate, agreement to license terms, manual subscription approval and the availability of user profile information.

Token-based access

The SSOXS module offers token-based access to control a subscriber’s use of a service. Tokens enable a user to first try a service for free for a limited number of accesses and allow, for example, the implementation of a pay-for-use model.

Up on security

The SSOXS module handles potentially sensitive data and does so with care by offering detailed permission settings, support for external SQL databases and Blowfish-encrypted API communications. The module even comes with built-in database backup functionality.

Easy service management

Enabling single sign-on for an external service is as easy as having an authorized Drupal user fill out a form. The form defines the basic service description, the Drupal users who can serve as administrators, the roles (user categories) that can subscribe to a given service, any signup requirements and the API key to enable secure XML-RPC communication between the service and the Drupal site.

Once a service has been registered, the administration interface created for it by the SSOXS module allows administrators to easily administer subscribed users, monitor accounting logs and view statistics of the service use through formatted reports with interactive graphs.

Easy user management

The service administration pages offer a convenient interface for user management. Administrators can edit a user’s subscription, subscribe new users, query the user base with powerful filter options and contact the registered users through an email messaging interface.

XML-RPC API

The registered services communicate with the SSOXS module for authentication, authorization and accounting through a dedicated API based on the XML-RPC protocol. XML-RPC implementations are available for every major programming language and the module offers ready-made program classes in Python and PHP.

Tracking of services usage

The XML-RPC API offers functions for service accounting. The accounting information is stored in the SSOXS database and made available through the accounting and statistics interfaces. Track access to your service by user, job status or start/finish time. The accounting interface offers a rich logging facility for live logs.

Overall statistics for a service for any given time period are available on the ‘Service statistics’ interface. Service access statistics including access count, user access and user demographics are displayed as interactive graphs.

Service specific attributes

Services often define specific attributes for a user such as a result URL or an internal id. The SSOXS module allows administrators to define variable data fields of the type ‘integer’, ‘selections’ or ‘text’ that are stored as part of the user subscription. These attributes can be managed via the user management interface and are available via the XML-RPC API.

 

Cite WeNMR/WestLife

 
Usage of the WeNMR/WestLife portals should be acknowledged in any publication:
 
"The FP7 WeNMR (project# 261572) and H2020 West-Life (project# 675858) European e-Infrastructure projects are acknowledged for the use of their web portals, which make use of the EGI infrastructure and DIRAC4EGI service with the dedicated support of CESNET-MetaCloud, INFN-PADOVA, NCG-INGRID-PT, RAL-LCG2, TW-NCHC, SURFsara and NIKHEF, and the additional support of the national GRID Initiatives of Belgium, France, Italy, Germany, the Netherlands, Poland, Portugal, Spain, UK, South Africa, Malaysia, Taiwan and the US Open Science Grid."
 
And the following article describing the WeNMR portals should be cited:
Wassenaar et al. (2012). WeNMR: Structural Biology on the Grid. J. Grid. Comp., 10:743-767.

EGI-approved

The WeNMR Virtual Research Community has been the first to be officially recognized by the EGI.

European Union

WeNMR is an e-Infrastructure project funded under the 7th framework of the EU. Contract no. 261572

WestLife, the follow-up project of WeNMR, is a Virtual Research Environment e-Infrastructure project funded under Horizon 2020. Contract no. 675858
