2.1) Account Creation and Authentication
Preliminary: Users, Roles, Privileges
Authorization to use the AERPAW testbed resource is managed by AERPAW Roles. Anybody who has registered with the AERPAW Platform's Web Portal is considered a User. Each User can have one or more additional Roles as described below. Each Role carries with it privileges specific to that Role. A privilege is the authorization to perform certain actions on the Portal.
User Roles in AERPAW
The Roles in AERPAW are modeled after common real-world organization of research groups and individual responsibilities.
At the top is the PI Role, which represents the leader or director of a research group and an associated overall research mission - in academia, this role is often played by a faculty member, the Principal Investigator of some research group or funded project. In industrial or national research labs, this may be the Research Director, or Team Lead of a research group or lab. This person is expected to have long-term continuity, and overall responsibility (including financial responsibility) for all the activities of all members that work in their group.
All members of a group led by a PI are expected to perform various research tasks toward the overall goals of the group. AERPAW reflects this with the Experimenter Role. In academia, such roles are often played by student researchers, graduate or post-graduate research assistants; in industry or other labs, these are the individual research professionals in a research group.
When you first register with the AERPAW Web Portal (details of the registration process follow below), you become a basic AERPAW User (one with no additional Roles), who is only authorized to view your own profile information. You need to request to become an Experimenter first before you can join a project or create your own experiments. An AERPAW Experimenter can further request to become a PI; you must have this Role before you can create a project.
Privileges Associated with Roles
AERPAW Experiments are organized via the "Project-Experiment" hierarchy, i.e., a Project has to be created first in order to create Experiments in it. This reflects the common real-world situation that a Team Leader or a professor often has multiple students or other research workers engaged in multiple different tasks, requiring different research experiments. In AERPAW, the Project represents the overall research mission of the PI, whereas each Experiment in a Project represents specific (experimental) research tasks.
Each AERPAW Project has a Project Creator - the User who created this Project. Only Users with the PI Role can create Projects. In addition, it may have one or more Project Members or Project Owners. Any Experimenter may become a Member or Owner of a Project.
From a Project perspective, each Project forms a "Role Group". Every Project is created by a PI User (a User who has the PI Role) who can delegate one or more Project Members to become Project Owners. (The Project Creator always remains a Project Owner.) The Project PI and Owners can add or remove AERPAW Experimenters to or from the Project.
As shown in the figure below: a User with the PI Role is authorized to create new Projects, and becomes an Owner of the Projects they create. An Experimenter can become a Project Member (by requesting to join, and upon approval by the PI or a Project Owner). A PI can delegate a Project Member to become a Project Owner. In real-world terms, this is like a faculty member (PI) designating a post-doctoral fellow or research associate to be able to administer the Project on the PI's behalf.
Summary of Privileged Actions
Details of creating, defining, and managing Projects and Experiments are in later sections of this User Manual; here, we summarize the availability of those actions as a function of the status of a User.
Only an AERPAW User with a PI Role can create a Project.
A Project Creator can add any AERPAW User with an Experimenter Role to be a Member of a Project they have created, or approve of a request on the part of an Experimenter to join the Project as a Member. They can also designate any Member of the Project to be a Project Owner. They can reverse any of these actions: remove ownership or membership from a User for their Project. Finally, they can delete the Project itself.
A Project Owner can perform all actions that a Project Creator can for a given Project, except add or remove Project Ownership from other Project Members, and delete the Project.
Any Project Member (including Owners and Creators) may create an Experiment within the Project, and add other Project Members (of the same Project) as Experiment Members to an Experiment they have created. They can also remove Experiment Members.
Any Experiment Member may define the Experiment (identify the target Testbed resources), and perform Session-related activities (start, save, exit, submit to testbed, etc.) on the Experiment, or log into the AVNs of a session of the Experiment executing in the Virtual Environment.
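The privilege summary above can be read as a deny-by-default policy check. The following Python is an added example, not AERPAW Portal code; the action names, the sample users, and the assumption that an Experiment's creator counts as an Experiment Member are illustrative and do not come from the Portal.

```python
from dataclasses import dataclass, field

# Constructed sample users and their Roles; a bare User has no Roles.
# Action names below are hypothetical labels, not AERPAW API names.
ROLES = {"alice": {"experimenter", "pi"}, "bob": {"experimenter"},
         "carol": {"experimenter"}, "dave": set()}

@dataclass
class Project:
    creator: str
    owners: set = field(default_factory=set)    # delegated Project Owners
    members: set = field(default_factory=set)   # plain Project Members

    def has(self, user):                        # Members include Owners and the Creator
        return user == self.creator or user in self.owners or user in self.members

@dataclass
class Experiment:
    project: Project
    creator: str
    members: set = field(default_factory=set)

    def has(self, user):                        # assumption: creator counts as a member
        return user == self.creator or user in self.members

CREATOR_ONLY = {"grant_owner", "revoke_owner", "delete_project"}
OWNER_LEVEL = {"add_member", "remove_member", "approve_join"}
EXPERIMENT_OPS = {"define_experiment", "run_session", "login_avn"}

def allowed(user, action, project=None, experiment=None, target=None):
    """Return True only if the manual's privilege summary grants the action."""
    if action == "create_project":
        return "pi" in ROLES.get(user, set())
    if action in CREATOR_ONLY:
        return project is not None and user == project.creator
    if action in OWNER_LEVEL:
        if project is None or not (user == project.creator or user in project.owners):
            return False
        # Only Users holding the Experimenter Role can be added to a Project.
        joining = action in {"add_member", "approve_join"}
        return not joining or "experimenter" in ROLES.get(target, set())
    if action == "create_experiment":
        return project is not None and project.has(user)
    if action in {"add_experiment_member", "remove_experiment_member"}:
        if experiment is None or user != experiment.creator:
            return False
        # Experiment Members must come from the same Project.
        return action.startswith("remove") or experiment.project.has(target)
    if action in EXPERIMENT_OPS:
        return experiment is not None and experiment.has(user)
    return False                                # deny by default
```

Note that holding the PI Role or creating the Project does not by itself grant session access: those actions are tied to Experiment membership.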
Delegated Identity Management
AERPAW uses a delegated authentication approach; rather than providing you with an identity specific to AERPAW, we ask you to use the identity provided to you by the professional organization as part of which you are planning to use AERPAW (typically: the university, industry lab, or commercial business that you are employed by). We use a single-sign-on system by which you sign on using your own organization's authentication system, at which point a User ID is automatically created for you in AERPAW, and you become an AERPAW User.
Thus, the first login is itself the way to register as an AERPAW User for the first time; there is no separate Account Creation or Registration process to follow.
AERPAW uses the CILogon system as its single-sign-on system. More information regarding CILogon can be found at https://www.cilogon.org/home.
Finding your institution or organization in CILogon: CILogon lists supported identity providers in a pulldown menu (see screenshots below) in alphabetical order. If your employer organization is not in this list, please understand that we at AERPAW cannot do anything to get it included. You (or your organization's IT Department) must get in touch with CILogon directly in order to request support for new identity providers.
Conversely, not all organizations in the list are valid identity providers with respect to AERPAW access and use. Thus, depending on the organization you choose to authenticate yourself with, you might not be able to proceed any further; this is described in detail in the next section (2.2: Account Authorization and Roles).
Therefore, please consider your organization choice carefully.
Briefly, we offer the following basic guidelines:
Prospective AERPAW Users should use their professional affiliations from the academic organization, or the business, that they are primarily employed by. Do NOT use any other affiliation; registrations using other organizations, even if listed in CILogon, will not necessarily result in successful AERPAW authorization and use.
A few points to consider:
The reason for the above policy is that delegated authentication is fundamentally based on transfer of trust - by accepting the authentication of your home organization, we are trusting that that organization is able to vouch for the authenticity of your identity, and an authorized representative of that organization (AOR, SRO, etc.) will be able to trace the login ID back to an actual person in case that need arises (related to billing, issues of inappropriate use, etc.).
Organizations like Gmail or IEEE (that provide email addresses and identities to anybody that requests one) do not stand in that relationship of responsibility with whoever they issue identities to; in fact the ID identifies the email account itself, rather than an actual person.
(If you are an employee of IEEE or Google, then please get in touch with us directly; we can specify how you should proceed.)
Organizations like ORCID have an additional problem - ORCID is not actually an identity provider, but uses identities provided by other institutions for account creation (exactly like AERPAW itself does). Again, ORCID does not stand in the necessary relationship of responsibility.
(It is a legitimate question why the AERPAW login page provides that option if it will not work with AERPAW. The answer is that that page comes straight from CILogon, and we don’t have the ability to pick and choose what entities to list. We apologize for any inconvenience.)
First Login - Account Creation
For any new session, a user needs to log in to the Portal (Login button, upper right corner) with any browser. Click on the “AERPAW Login” button, as shown in the screenshot below, to find your home organization's login page.
Cannot find the Login button?
The AERPAW Web Portal is designed to fit your browser window. If you shrink your browser window below a certain size, the navigation bar at the top will be automatically converted to a “pull-down” menu at the top right corner. This appears as an icon of three closely spaced horizontal lines, which you can click to pull down the full menu. However, it appears from experience that this pull-down action does not work correctly on some browsers. If you do not see the Navigation Menu (initially it includes only a single "Login" item), please try maximizing your browser window.
Clicking the Login button will bring up the next screen, with an "AERPAW Login" button on it, informing you that you will be sent to CILogon:
Clicking that button will take you to CILogon:
We recommend NOT checking the "Remember this selection" checkbox that CILogon provides unless you are sure that this will be the only organization as part of which you will ever attempt to access AERPAW.
Find your employer organization in the pull-down list and select it, then click the "Log On" button; this should take you to the sign-on page of your own organization, where you can log in. For most AERPAW Users in academia (whether you are a student or a faculty member), this will be your university. For industry researchers, it should be whichever organization takes financial responsibility for your AERPAW usage.
After you have done so, you should be returned to the AERPAW front page - with the "Login" button replaced by a "Logout" button. Also, a Navigation Bar with other items appears across the top of the Portal window:
Known Issue - First Login
Because browsers can cache identity-related information, and embed assumptions about when/how to supply cached identity information to requesting websites, and different browsers embed different assumptions, it is impossible for us to completely predict this interaction. We have observed that with many browsers, after coming back from CILogon, you are again faced with the "Login" button, and have to go through the same sequence as above (this time you may not actually have to go through the CILogon step), and it is only after completing the second sequence that you are logged in.
This is explicitly noted in the screen that sends you to CILogon:
Upon successfully completing your first login to AERPAW (and therefore Account Creation), you should receive an email with a Subject line that starts with “[AERPAW] Welcome...". (If you do not see this email, please check your Spam/Junk folder, and mark it as "Not Spam/Junk" so as to ensure receiving future email notifications from AERPAW Operations.)
Remember, after the first successful login, you still do not have any Roles, and can only view basic informational portions of the site. The next section of this User Manual provides information about requesting Roles.
Reminder: Join the Users' Group
Right after your first login is the ideal time to subscribe to the AERPAW Users Group; see Section 2.7 for instructions.
Subsequent Logins
Subsequent login attempts should go exactly the same way, except that you will not receive a welcome email. Also, if you selected the checkbox "Remember this Selection" on the CILogon screen during a previous login attempt, then you will be unable to change that selection this time. (If you previously did check the box, but now need to change your identity provider, please see the "Logout" section below.)
Logout
The Portal and CILogon use cookies to keep track of User login sessions; as such, "completely" logging out of a session depends on the browser you use locally, if you want to remove this context from your browser.
The best practice is to close your current browser tab before you leave the Portal.
You can always use the "Private" or "Incognito" browsing mode in your browser. After you log out, you have to re-login.
If you use the normal mode, after "Logout", you can go to the settings of your browser to delete/clear the cookie history; how to do this is browser dependent:
For Chrome, Firefox and Internet Explorer, clearing the "Cookies and site data" will do after you "Logout".
For Safari, you have to close your current Tab or Window.
On OSs that distinguish between a window and its application (such as macOS), you may need to not only close all the windows, but also "Quit" the Chrome or Safari application itself.
Auto-Logout
The login has an expiry period. If you come back to the browser window in which you left yourself logged in after a significant period of inactivity, you may find that you have been automatically logged out. To continue working, simply log in again.