Before authorisation is granted to use information technology (IT) services, users need to be authenticated. This may sound trivial, but it is not if one considers that in an ideal world every user should have only one username and one (very secure) password. We are far from such an ideal world because we are all using a multitude of accounts with different credentials (username and password). Identity management, or the lack of, has a real impact when it comes to accessing IT services that are decentralised or when persistent identification is required to be able to access resources over a very long period of time. This is why federated identity management was identified several years ago as a stepping stone for future decentralised IT applications between large scale research infrastructures, leading to the development of the Umbrella system.

Umbrella is a federated identity system designed by the European photon and neutron source facilities (PaNs) supported by the FP7 projects EuroFEL, PaNdata, and CRISP. It aims at making life easier and science more productive for the facilities and their users. First of all Umbrella provides any PaN user –and effectively anyone interested in scientific discovery- with a unique identity, the Umbrella ID. Equipped with such an ID, a user can visit facilities with a single sign-on. Since the same identity is known at each of the facilities, users can access distributed data more easily, manage administrative processes or make use of the services and resources provided by the facilities (Figure 156).

Umbrella topology

Fig. 156: Umbrella topology.

An UmbrellaID can easily be obtained by registering at The only requirement is a valid e-mail address to confirm the registration. In the registration process one chooses a unique username and a secure password. Behind the scenes Umbrella creates a unique and persistent ID which will never change. A user can use the same UmbrellaID throughout their entire scientific career (and beyond).

Umbrella is based on a fairly complex and federated infrastructure. Several facilities operate an instance of the Identity Provider (IdP) and an instance of a Directory Service (DS). The DS holds the user database. The individual DS instances are synchronised through a mechanism called master-master replication. Each IdP is continuously monitored for availability, and all available IdP’s are registered at a GeoDNS location service. The system is designed for the highest availability and stability.

A user creating an account on one of the Service Providers (SP) is redirected to the nearest available IdP through the GeoDNS. The IdP validates the account information and returns a set of credentials which are stored in the web-browser. These credentials then allow access to all Web-based User Offices in the Umbrella Federation and to a rapidly increasing set of IT services of the facilities.

The Umbrella system is based on Shibboleth, a well established and widely used open-source implementation of federated identity standards, namely the OASIS Security Assertion Markup Language (SAML). This guarantees that not only the personal data stored at or at the facilities but the entire communication process is conform to the highest standards. The complexity of the process is entirely invisible to the user who will just see a single window asking for a username and password – once.

Users of our facilities are affiliated to a company or public institution. The affiliation corresponds to the professional address of a user and is important information for user offices in the workflow of processing research proposals - usage statistics are based on the affiliation. At present each facility maintains a local affiliation database. Sharing the same affiliation database will avoid users having to provide identical information several times, and user offices having to invest time and effort in the maintenance of individual and largely overlapping databases. ESRF has developed an affiliation management application for a federated central database as an integral component of the Umbrella system (Figure 157). The system has been presented to User Office representatives in an ESRF-hosted workshop in November during which implementation and operational issues were addressed.

Graphical user interface - affiliation database

Fig. 157: Graphical user interface - affiliation database.

The deployment of Umbrella and the implementation of new services are work in progress. The User Offices of PSI, ILL, and ESRF are already accepting the UmbrellaIDs and others will follow in the months ahead. “Umbrella enabled” data catalogues to access, share, manage or cite scientific data are currently under development. Another goal of the collaboration is to enable remote login to actual compute resources – which could be seen as a single virtual machine or a powerful high-performance cluster. In the long-run it is expected that Umbrella will become the entry point for the user community of the European Photon and Neutron facilities for authentication in view of a rich ecosystem of decentralised services.


D. Porte (a), F. Schlünzen (b), J. Savoyet (a) and R. Dimper (a).

(a) ESRF

(b) DESY