Method details

The procedures listed are designed to determine if Passport Brokers, such as the ELIXIR Broker, are able to collect visas from systems like REMS and convey them to a Passport Clearinghouse, here represented as a Passport inspection service known as the “ELIXIR echo test service.” These are publicly deployed infrastructure services and the procedure will check that general user accounts, whether at a supported research institution or more common public identity providers, may participate in the Passport visa collection and distribution process.

To prevent accidental use of existing authorization or account state maintained by the browser, you are advised to use an “incognito window” in the web browser when executing these steps.

1. Prerequisite: An account in an enabled research organization (e.g., Sanger Institute, Masaryk University) or the creation of a test gmail (Google), LinkedIn, or ORCID account.

2. Visit the ELIXIR registration service (https://elixir-europe.org/register).

a. Use the sign-in service and account established in the previous step.

b. You must agree to the acceptable use policy to proceed.

c. Complete the registration process.

d. You may ensure your account is active by visiting the ELIXIR profile page (https://profile.aai.elixir-czech.org).

3. Visit the ELIXIR sensitive data access management test system (https://sd-apply.csc.fi/%20 (beta)) instance of REMS.

a. Login using your ELIXIR account from the previous step.

b. Locate the “ELIXIR Beacon Network - Test Dataset” and click the “Add to Cart” button. It may help if you search for this dataset first.

c. Click the “Apply” button near the top of the page. The Application page will appear with information about the applicant (you) and resource (ELIXIR Beacon Network - Test Dataset).

i. Click the “Accept the terms of use” (assuming you agree to the terms in a test context).

ii. In the “Description” field, add the text “Testing the Passport visa system within ELIXIR.”

iii. Under the “Actions” section, click the “Send application” button.

iv. At the top of the page, verify that the “state” shows green arrows with checkmarks for all three parts: “apply,” “approval,” and “approved.” You are ready for the next step when the “approved” label receives the green checkmark.

4. Visit the ELIXIR echo test service (https://echo.aai.elixir-czech.org/).

a. Sign in using the ELIXIR account created in step #2 above.

b. View the Passport summary contents - this is the “basic view.”

c. Click the “Switch to expert view” button.

d. Observe any visas the Passport has in the tables provided.

e. In the “ControlledAccessGrants Visas” section, click the “Display raw decoded JWT” button for the visa shown. For example, it should look something like this with different timestamp numbers (seconds since unix epoch) in the “iat,” “exp,” and “asserted” fields:

f. To verify that your Passport complies with the GA4GH Passport Standard v1.0 (https://bit.ly/ga4gh-passport-v1) and GA4GH AAI Profile Standard v1.0 (https://bit.ly/ga4gh-aai-profile), follow the links from the Key resources table. Note that conformance of the output from the previous sub-step is specified by the GA4GH Passport Visa Format v1.0 (https://bit.ly/ga4gh-visa-format-v1) section. Fields may appear in any order within their designated block.

Implementations like ELIXIR and its related partners have:

1. Implemented visa generation in compliance with the GA4GH Passport standard.

2. Are able to use identities from a wide variety of research and general public infrastructure providers that already exist.

3. Are able to encode the visas into Passports and deliver them between systems while leveraging existing standards, such as OIDC that is used during this procedure.

4. Visas that are delivered to a Passport Clearinghouse retain digitally verifiable permissions from the original source of authority (i.e., the DAC approver in this case).