Pilots in AARC
Aims
Work Package Leader: SURFnet, user-e06a9
The SA1 activity aims at facilitating researchers by providing the access management tools and framework needed to support collaborative research in a distributed environment. To this end, SA1 will demonstrate through (pre-)production services that:
- existing AAIs and authentication sources can be leveraged to enable (SSO) access, with an appropriate level of assurance, for any natural person (academic or non-academic) to shared resources offered by different e-Infrastructure providers and communities (task 1);
- authoritative decisions and user/group context can be based on distributed group managers and attribute providers (task 2);
- access to non-web and commercial e-infrastructure services can be enabled. This requires bridging the SAML-based world (NRENs) and the token/certificate-based world (e-infrastructures) (task 3).
Approach
The approach consists of deploying existing components, as discussed with and identified by JRA1, and integrating a selection of these components according to a common architecture that will also be drafted in JRA1 (by October). To this end we will establish a stable pilot environment in which solutions can be tried and assessed by representatives of the research communities affiliated with the project. Inputs are:
- Analysis of user-community requirements
- Existing AAI and available technologies for federated access
- First Draft of the blueprint architecture (still work in progress, but preliminary work available here)
Pilots started (status January 2016)
Based on the guiding documents of the AARC architecture (JRA1) and the AARC policy harmonisation (NA3) activities we commenced a first cycle of pilots:
- In task 1 "Guest Access" we started a pilot involving libraries in the identification and hands-on implementation of solutions that support their migration from IP-based authentication against publishers' online resources to a SAML/federated approach.
- In task 2 "Attribute Management" a pilot has started that tests the usability of SAML-based attribute authorities for regulating service access authorization. In this pilot the services to be approached are cloud services. The attribute authority used in this context is PERUN, developed by CESNET.
- In task 3 "Access to Resources" considerable progress has been made in establishing token translation pilot services. One pilot applies CI-Logon components plus add-ons to bridge the gap between SAML-based authentication (NRENs) and certificate-based authentication (GRID and e-infrastructure providers). In a second pilot we assess the feasibility of non-web single sign-on based on LDAP Facade, developed by the Karlsruhe Institute of Technology.
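The task 2 pilot relies on a service provider consuming attributes from more than one source: identity attributes from the user's home IdP and group-derived entitlements from a separate attribute authority. The following Python is an added illustration of that pattern and is not AARC, PERUN or CI-Logon code. It parses two constructed SAML AttributeStatements, merges them for one subject, discards an assertion from an issuer the service has not been configured to trust, and decides access on an eduPersonEntitlement value. The issuer URLs, the entitlement URN scheme and the assertions themselves are constructed for the example; XML signature verification against federation metadata, which a real SP performs before trusting any issuer string, is deliberately left out here.

```python
"""Attribute aggregation and entitlement-based authorization (illustrative, not project code)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the home IdP asserts identity and affiliation for subject u123.
IDP_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>u123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: a separate attribute authority asserts group-derived entitlements
# for the same subject (hypothetical URN scheme urn:geant:example.org:group:...).
AA_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://aa.example.org/aa</saml:Issuer>
  <saml:Subject><saml:NameID>u123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:geant:example.org:group:cloud-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: an issuer the SP does not trust claims an admin entitlement.
ROGUE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://evil.example.net/aa</saml:Issuer>
  <saml:Subject><saml:NameID>u123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:geant:example.org:group:cloud-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SP configuration: only these issuers may contribute attributes.
TRUSTED_ISSUERS = {"https://idp.example.edu/idp", "https://aa.example.org/aa"}


def parse_assertion(xml_text):
    """Return (issuer, subject NameID, {attribute name: [values]}) from one assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return issuer, name_id, attrs


def aggregate(assertions, trusted_issuers):
    """Merge attributes for a single subject, taking only assertions from trusted issuers.

    Signature checking is omitted in this example; a real SP verifies each
    assertion's signature before the issuer string is allowed to mean anything.
    """
    subject, merged = None, {}
    for xml_text in assertions:
        issuer, name_id, attrs = parse_assertion(xml_text)
        if issuer not in trusted_issuers:
            continue  # untrusted source: its claims never reach the policy
        if subject is None:
            subject = name_id
        elif name_id != subject:
            raise ValueError("assertions refer to different subjects")
        for name, values in attrs.items():
            merged.setdefault(name, set()).update(values)
    return subject, merged


def authorize(attrs, required_entitlement):
    """Access is granted only if the aggregated attribute set carries the entitlement."""
    return required_entitlement in attrs.get("eduPersonEntitlement", set())


def decide(assertions, required_entitlement, trusted_issuers=TRUSTED_ISSUERS):
    """End-to-end decision for one access request."""
    _, attrs = aggregate(assertions, trusted_issuers)
    return authorize(attrs, required_entitlement)


if __name__ == "__main__":
    received = [IDP_ASSERTION, AA_ASSERTION, ROGUE_ASSERTION]
    print("cloud-users :", decide(received, "urn:geant:example.org:group:cloud-users"))
    print("cloud-admins:", decide(received, "urn:geant:example.org:group:cloud-admins"))
```

The point of the issuer allow-list is that authorization stays authoritative only if the SP knows which attribute provider is allowed to speak for which attribute; without it, any party that can deliver an assertion could grant itself group membership.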
With these efforts we have already identified useful leads, challenges and future development paths for bridging different research infrastructures and communities. By running these pilots we will be able to assess the suitability of the chosen components in practice and how well they match user and security requirements. Further details and updates will follow soon.
Guest Access (TSA1.1)
Task Leader: GARR, Mario Reale
This task deals with the pilot activities to be set up for AARC in the domain of guest identities. It will liaise mainly with JRA1 and NA3 of AARC in order to demonstrate the validity of the components and architecture selected and designed in JRA1, and of the best practices and recommendations identified in NA3.
Attribute Management (TSA1.2)
Task Leader: EGI, Peter Solagna
This task deals with piloting of solutions to manage attributes on a central and cross application level. An integrated framework of identity providers, attribute and group providers, attribute aggregation platforms and shared e-infrastructure services that are able to consume attributes will be demonstrated and tested.
Access to resources (TSA1.3)
Task Leader: PSNC, Maciej Brzeźniak
This task aims at improving access to relevant research and education non-web resources located outside the home organization of the user. The main improvement is making use of existing AAI that provide user credentials and authorization attributes instead of local user management. While many implementations exist already for web portals, the technology for non-web scenarios is still immature.
A number of pilots will be set up in order to investigate emerging non-web SSO solutions and workarounds. The selection of software to be piloted will be discussed with JRA1 in order to focus on tools that fit the requirements of the research community and the blueprint architecture (JRA1.3 and JRA1.4). The requirements gathered by JRA1.1 will also be used as input for the assessment of the technologies used in the pilots. Finally, the experience gathered while running the pilots and the analyses performed will be fed back into the final shaping of the blueprint architecture in JRA1 and the best-practice recommendations in NA3.
Compatibility between the technologies piloted within this task and the technologies used for collecting attributes within task SA1.2 will be checked. Attribute requirements for non-web SSO, authorization and provisioning will be investigated and defined. The usage of user credentials and attributes coming from different AAIs, including the guest IdPs proposed by SA1.1, will be analyzed as well.