Umbrella at a glance

What is the Umbrella?

The Umbrella is an identity system designed by the European Neutron and Photon source facilities (PaNs’). It aims to make life easier and science more productive both for the facilities and their users.

The Umbrella first of all provides any PaN-user (and effectively anyone interested in scientific discovery) with a unique identity, the UmbrellaID. Equipped with such an ID a user can go on a virtual journey around the facilities with a single sign-on. Since the same Identity is known at each of the facilities, a user can more simply access or share data, manage administrative processes or make use of federated services and infrastructures provided by the PaNs’.

The Umbrella is a joint project of the PaNs’ and other facilities with similar needs for an Identity Management System. The joint nature of this undertaking is the major benefit for the facilities: it allows the effort of developing and maintaining the Umbrella system to be shared. Services offered by one of the facilities can be used by any of the users, so a service needs to be provided only once within the Umbrella federation rather than by each single facility. This not only reduces the effort but also leads to a richer ecosystem of services for the user communities.


How do I get an UmbrellaID?

Simply register for an account under The only requirement is a valid email address to confirm the registration.

In the registration process one chooses a unique username and a secure password. Under the hood, Umbrella creates a unique and persistent ID which will never change. Hence changing the username or the email-address won’t have any effect on the UmbrellaID; a user can use the same UmbrellaID throughout his entire scientific career (and beyond), which is what makes the UmbrellaID unique and persistent.


What happens to old accounts?

Many users have registered earlier at one of the facilities' Web-based User Offices (WUO) and have an account, experiment-related documents or scientific data there. The Umbrella will affect none of these, and old accounts remain perfectly valid. However, the Umbrella integrates with the WUOs, which provide a simple mechanism to create a link between a local WUO account and the UmbrellaID.

A number of users will have WUO accounts at several facilities. The links have to be created for each WUO individually, which might appear inconvenient but could not have been avoided, since each facility requires a local registration for safety and legal reasons. Once the links are created, all actions possible with the WUO account can be performed with the very same UmbrellaID and just a single sign-on, at each WUO a user is known to.


Are my data safe?

Yes. First of all, stores only a minimal set of information: a username, a password, the ID itself and the email address. The information is stored in the form of (salted) one-time hashes to ensure maximum security.

The entire Umbrella is based on Shibboleth, a well-established and widely used open-source implementation of federated identity standards, namely the OASIS Security Assertion Markup Language (SAML). This guarantees that not only the personal data stored at or the local WUOs but the entire communication process conforms to the highest security standards.


What services can I use?

The services supporting the UmbrellaID are published on the website. So far the Umbrella offers access to a few WUOs, Open Access Software and Data catalogues. The number of services is slowly, but steadily growing. It is expected to cover (almost) all WUOs and a significant number of related services in Spring 2014.


What’s next?

The deployment of the Umbrella and the implementation of new services are ongoing efforts. The Umbrella collaboration is working intensively on Umbrella-enabled data catalogues to allow users to access, share, manage or cite their scientific data.

In collaboration with the Geant3+ project, options to expand the scope of the Umbrella are currently being worked on. One aim is to enable Umbrella to provide services within the eduGAIN super-federation, which connects the GÉANT (GN3plus) Partners' federations, thereby substantially extending the reach of the UmbrellaID. Another goal of the collaboration is the implementation of non-web services, enabling the login to an actual compute resource (which could be a single virtual machine or a powerful high-performance cluster) based on the Project Moonshot implementation.


How does it actually work?

The Umbrella is based on a fairly complex distributed and federated infrastructure. Several facilities operate an instance of the Identity Provider (IdP) and an instance of a Directory Service (DS). The DS holds the user database. The individual DS instances are synchronized through a mechanism called master-master replication. Each IdP is continuously monitored for availability, and all available IdPs are registered at a GeoDNS location service. The system is designed to provide a maximum level of availability and stability.

A user trying to create an account or log in to one of the Service Providers (SP) – a WUO is just an SP in this context – is redirected to the nearest available IdP through the GeoDNS. The IdP validates the login information and returns a set of credentials which are stored in the web browser. These credentials then allow access not only to a single WUO but to all SPs in the Umbrella collaboration. The complexity of the process is fully transparent for the user, who will just see a single window asking for a username and password – once.
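
The selection of the nearest available IdP described above can be sketched as follows. This is an added illustration, not code from the Umbrella project; the IdP labels, coordinates and the function names resolve_idp and demo are constructed for the example, and the health flag stands in for the availability monitoring.

```python
# Added illustration: nearest-available IdP selection with failover.
# All names and coordinates below are constructed sample data.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class IdP:
    name: str             # hypothetical label, not a real Umbrella host
    lat: float
    lon: float
    healthy: bool = True  # maintained by the availability monitor


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def resolve_idp(idps, user_lat, user_lon):
    """Return the nearest IdP that is currently registered as available."""
    available = [i for i in idps if i.healthy]
    if not available:
        # Fail closed: never hand out an IdP the monitor has marked as down.
        raise RuntimeError("no IdP available")
    return min(available,
               key=lambda i: distance_km(user_lat, user_lon, i.lat, i.lon))


def demo():
    idps = [IdP("idp-north", 53.6, 10.0),
            IdP("idp-alps", 45.2, 5.7),
            IdP("idp-south", 45.6, 13.8)]
    user = (48.1, 11.6)                  # constructed user location
    first = resolve_idp(idps, *user)     # nearest IdP while all are up
    first.healthy = False                # monitor detects an outage
    second = resolve_idp(idps, *user)    # next-nearest takes over
    # Because the DS instances replicate master-master, the second IdP
    # can validate the same account as the first.
    return first.name, second.name
```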


Who is behind the Umbrella?

The Umbrella is a joint project of the European Photon and Neutron sources, the PaNdata project, the CRISP project and EuroFEL. The work is supported by the European Commission under the 7th Framework programme Grant Agreement RI-283556 and 283745.


Want to know more?

More information can be found under Information about the participating projects can be found on the respective project pages. Technical problems and questions about the Umbrella please send to