Umbrella is an identity management system (IdM) for the users of the (European) large neutron and photon facilities. It is designed to build on top of the existing and long established web user offices (hence the name). The basic idea is to provide users with a unique identity, which can be used at each at the participating labs. It then permits to use the same username and password to access any of the user offices, to access and manage research data, and maybe even to execute data analysis jobs on dedicated compute resources..

On top of the services aiming at scientists doing actual experiments at the neutron or light sources, we intend to provide services (like for example open access databases) to anyone interested in such research like for example journalists, curators, teachers, students or school kids. So is likewise open to anyone interested. .

For the participating research infrastructures, uniqueness and persistence of the identities is very important for a number of reasons. For example, facilities archive research data for several years or even decades. Only unique and persistent identities permit to create a link between the data and the person responsible for the data during the entire lifecycle. Achieving this within a federation of identity providers (IdP) is at least extremely complicated. Umbrella is hence based on a single IdP embracing a federation of service providers. To guarantee high availability of the services, the federation is based on a network of distributed IdP's and Directory Services (DS). Requests to an IdP are distributed through a geoDNS services, which selects the geographically nearest available IdP instance and availability of the individual IdP's is continuously monitored..

The user data like username, password or email addresses are securely stored as one-time encrypted, salted hashes in a user directory served by appropriate DS. The DS is also based on a distributed system, where the user data are kept synchronized through master-master replication mechanisms. is the selected name of the identity management system. It's primary role is to provide the unique and persistent Umbrella identity, and also to provide a number of common services. Users with valid umbrellaID credentials are authorized to use services centrally provided by UmbrellaID. Selected users can obtain roles for specific services like for example management rights. For those services UmbrellaID acts as an authentication and authorization infrastructure (AAI).

The web user offices (WUO) are at each facility the entry point to submit proposals, apply for beamtime and things alike. Each WUO needs to comply with the national safety regulations and hence require a local registration regardless of the existence of an Umbrella ID, but through a sophisticated account matching mechanism, the Umbrella ID can be used to login at each WUO a user has registered. Roles and authorization are in this case handled by the local WUO rather than UmbrellaID, in which case UmbrellaID acts as a pure authentication provider. Most recently, the Umbrella team and GN3+ agreed to develop an Umbrella extension, which would permit to offer Umbrella services inside the edugain federation. Selected services would then become available to a much broader user community effectively making a geant-federated AAI.

Umbrella developments

There are a number of developments done within the PaNdata ODI project; some independent developments are done as part of the CRISP projects and most recently also in co-operation with GN3+. The different developments are coordinated by the Umbrella management teams and in the PaNdata and CRISP harmonization meetings.

Umbrella developments fork into four different development branches:
  • Conceptional development of the Umbrella topology
  • Development of the Shibbolleth IdP
  • Development of the UmbrellaID frontend and central services
  • Development of authentication bridges to embed X.509
  • Development of edugain federation bridges and moonshot extension.

The first two of these developments and the deployment are done within the PaNdata ODI projects, whereas the latter two are mostly work done by CRISP and partially in co-operation with GN3+.


All developments are open source and available from github repositories.
  • IdP repository: contains the complete configuration and deployment for the UmbrellaID IdP. The IdP is generally composed of an Apache httpd web-server built on top of a Apache tomcat (a standard configuration) and an OpenDJ directory service holding the user data. The IdP repository provides the IdP deployment in form of a tomcat war-file, as well as the OpenDJ configuration. The administrative details (decryption keys etc) are only available on request to prevent unauthorized parties entering the Umbrella federation.
  • Frontend repository: this repository contains a complete configuration of the Apache httpd frontend and SP.
  • Challenge response: Umbrella offers means for a user to update his personal data at all facilities, where he is registered as a local user, with a single click. To guarantee that only sites, where the user is known with his UmbrellaID, are able to decrypt the message, a challenge response mechanism has been developed. The implementation is available from this repository.
  • Bridging extensions:
  • The edugain bridging developments have just been started and will be made available at a later stage.


Umbrella provides quite comprehensive documentation for administrators, service providers and users. The documentation is directly available from the website under "About the umbrella". This includes also a papers and presentations around the Umbrella. Detailed instructions for service providers can be found in forms of an Umbrella cookbook. The Umbrella Flyer - Umbrella at a glance - gives an overview for current and future Umbrella users.