Federated Single Sign-On and Zero Trust Co-design for AI and HPC Digital Research Infrastructures

TL;DR

This paper presents a federated IAM solution with multi-layered security for AI and HPC research infrastructures, enhancing seamless access while maintaining security and compliance.

Contribution

It introduces a co-designed federated IAM system with security controls, multi-factor authentication, and role-based access for AI and HPC infrastructures.

Findings

Successful deployment on UK Isambard-AI and HPC supercomputing DRIs.

Enhanced security with multi-factor authentication and role-based access.

Demonstrated IAM workflows for diverse user roles.

Abstract

Scientific workflows have become highly heterogenous, leveraging distributed facilities such as High Performance Computing (HPC), Artificial Intelligence (AI), Machine Learning (ML), scientific instruments (data-driven pipelines) and edge computing. As a result, Identity and Access Management (IAM) and Cybersecurity challenges across the diverse hardware and software stacks are growing. Nevertheless, scientific productivity relies on lowering access barriers via seamless, single sign-on (SSO) and federated login while ensuring access controls and compliance. We present an implementation of a federated IAM solution, which is coupled with multiple layers of security controls, multi-factor authentication, cloud-native protocols, and time-limited role-based access controls (RBAC) that has been co-designed and deployed for the Isambard-AI and HPC supercomputing Digital Research Infrastructures (DRIs) in the UK. Isambard DRIs as a national research resource are expected to comply with regulatory frameworks. Implementation details for monitoring, alerting and controls are outlined in the paper alongside selected user stories for demonstrating IAM workflows for different roles.