CTA Authentication and Authorization Infrastructure

As analyses in astronomy, astrophysics and particle astrophysics tend to increase in complexity with the abilities available on modern computer systems, the basic requirement of (short and long term) reproducibility is becoming harder to achieve.
The high number of dependencies on other software packages, which have implicitly been used to obtain a result, are non-trivial to be reproduced exactly and sometimes not all dependencies are recognized explicitly.
Techniques like Docker can help not only to achieve this reproducibility, but also in situations where checks or changes are desired after the know-how is not fully available anymore, e.g. when the original creator has left a collaboration, or when a new person is to become involved in a workflow.

The INAF CTA Authentication and Authorization Infrastructure (INAF CTA AAI) provides functionalities enforcing the protection of CTA resources and digital assets by means of a role based authorization. It offers a federated authentication, based on eduGAIN inter-federation, or a centralized CTA SAML authentication service. An attribute authority (based on Grouper) is provided in order to allow a role-based authorization thanks to a set of attributes managed and agreed at consortium level.


The current implementation of the INAF CTA AAI provisions more than 1000 CTA consortium SAML identities and it is releasing a persistent and non-reassignable ID as requested by the CTA user requirements. The INAF CTA Science Gateway has been successfully connected to the AAI and properly tested with beta users. Other CTA applications have been connected to the INAF CTA AAI such as the Proposal Handling System which manages submissions of Guest Observer proposals from compilation and transmission to their valuation and scheduling. In this case, the role-based authorization is extensively used to identify e.g. Observers (astronomers that can submit proposals to perform observations) or Reviewers (members of the time allocation committee who will review the submitted proposals).

Video Tutorial/Demo

  • A.Costa, E. Sciacca: 1st ASTERICS – OBELICS Workshop on Data Management in Astronomy and Astroparticle PhysicsRome, December 2016 “Tutorial: A&A in CTA: from User Requirements towards a Research Infrastructure”
  • “INAF CTA Authentication & Authorization Infrastructure v1.0”: https://youtu.be/c_8fSzrh1C4


  • Costa, et al. “An Innovative Workspace for the Cherenkov Telescope Array”. ceur-ws.org vol. 1871 (2016)



Regarding the AAI for CTA, apart from the one discussed in this paper, a UNITY management prototype has been tested. The Grouper-based AAI has been preferred because it has been considered more reliable (solidly developed and supported), powerful and flexible. This is demonstrated by the fact that it is deployed and exploited by many Universities and other organizations on four continents. Furthermore, it provides features not currently available in UNITY such as the connection with the System for Cross-domain Identity Management (SCIM) or VOOT (an extensible protocol for dynamic exchange of group and authorization data), bulk user import/export and user data (memberships) expiration.

The INAF CTA AAI has been developed strictly following the CTA A&A User Requirements. The main Use Cases are grouped in pre-defined criteria/categories such as “Authentication capabilities”, “Account Management Capabilities”, or “Authorization capabilities”. A sample of the implemented characteristics include:

  • Authentication capabilities:
    • Authenticate an already registered CTA Observatory user associated with a local account.
    • Authenticate an already registered CTA Consortium user.
    • Authenticate a user based on his/her institute/laboratory account.
  • Account Management Capabilities
    • Create a CTA Observatory account
    • Lost password management
    • Deactivate or delete an account
  • Authorization capabilities
    • Roles management
    • Group management
    • Request to join a role/group or resign from it

Contacts Persons

  • Alessandro Costa, INAF-OACT
  • Eva Sciacca, INAF-OACT
  • Fabio Vitello, INAF-OACT