Audience: AAI Implementors and Operators

Building an AARC-compliant AAI is achieved through the principles of the AARC Blueprint Architecture (BPA) and by following the guidelines formally approved by AEGIS. These guidelines provide the reference set for achieving interoperability across infrastructures. AEGIS approval ensures that specifications have been reviewed for operational feasibility and community consensus, making them key enablers of interoperability for research collaboration. The following requirements are presented thematically, reflecting the main technical functions needed to support interoperability.

...


AARC-G056 – Attribute Profile (in development)

Defines a harmonised AARC attribute profile consolidating subject identifiers, names, email, affiliation, assurance, group memberships and roles, and resource capabilities. Once approved, it will provide a single reference profile for attribute release across AARC-compliant infrastructures.

...

  • Format: <NAMESPACE>:res:<RESOURCE>[:act:<ACTION>[,<ACTION>]...]#<AUTHORITY>
  • Supports hierarchical resource structures and explicit action scopes, enabling fine-grained, interoperable expression of access rights.
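As an added illustration (not part of the guideline text), the following Python parser handles the capability format above and performs an authorisation check that matches resource hierarchies component by component, so that a capability for `storage:projA` covers `storage:projA:dataset1` but not `storage:projAB`. The sample capability values, the `urn:example:infra` namespace and the rule that a capability with no act part covers any action are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    namespace: str
    resource: tuple[str, ...]   # hierarchical components, split on ":"
    actions: frozenset[str]     # empty when no ":act:" part was present
    authority: str


def parse_capability(value: str) -> Capability:
    """Parse <NAMESPACE>:res:<RESOURCE>[:act:<ACTION>[,<ACTION>]...]#<AUTHORITY>."""
    body, sep, authority = value.rpartition("#")
    if not sep or not body or not authority:
        raise ValueError("capability must end in '#<AUTHORITY>'")
    namespace, sep, rest = body.partition(":res:")
    if not sep or not namespace or not rest:
        raise ValueError("capability must contain '<NAMESPACE>:res:<RESOURCE>'")
    resource, sep, acts = rest.partition(":act:")
    components = tuple(resource.split(":"))
    actions = tuple(acts.split(",")) if sep else ()
    if "" in components or (sep and (not acts or "" in actions)):
        raise ValueError("empty resource or action component")
    return Capability(namespace, components, frozenset(actions), authority)


def permits(cap: Capability, namespace: str, resource: str, action: str, authority: str) -> bool:
    """True if cap grants `action` on `resource` under the same namespace and authority."""
    if cap.namespace != namespace or cap.authority != authority:
        return False
    wanted = tuple(resource.split(":"))
    # Component-wise prefix match: ("storage", "projA") covers "storage:projA:dataset1"
    # but not "storage:projAB", which a plain string-prefix test would wrongly accept.
    if wanted[: len(cap.resource)] != cap.resource:
        return False
    # Assumption of this example: a capability without an act part covers any action.
    return not cap.actions or action in cap.actions


def authorised(capabilities, namespace, resource, action, authority) -> bool:
    """Evaluate a list of released capability strings; malformed values never grant access."""
    for raw in capabilities:
        try:
            cap = parse_capability(raw)
        except ValueError:
            continue
        if permits(cap, namespace, resource, action, authority):
            return True
    return False
```
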


AARC-G052 – Proxied Token Introspection (under final consultation)

Extends OAuth 2.0 Token Introspection (RFC 7662) to multi-proxy environments.

...

  • The Community AAI, operated by or on behalf of a research community, manages user enrolment, group membership, roles, and other community-managed attributes
  • The Infrastructure Proxy, operated at the infrastructure level, acts as the single integration point for services. It connects to different Community AAIs and enforces infrastructure policies
  • This layered model allows communities to manage their users and authorisation independently, while infrastructures provide the trusted integration point for services
  • Services connect only to the Infrastructure Proxy, reducing integration complexity for service providers
  • Together, Community AAIs and the Infrastructure Proxy provide a scalable and interoperable foundation for connecting communities, infrastructures, and services


AARC-G080 – Blueprint Architecture 2025 (in development)

Updates the BPA to reflect current practices and introduces a capability-based view.

...

  • Identity Management – covers authentication, identity lifecycle, and integration with external IdPs
  • Collaboration Management – enables management of groups, roles, and collaboration-driven authorisation
  • Infrastructure Integration – enriches identities with infrastructure-specific attributes (e.g. resource capabilities, infrastructure roles)
  • Site-local Integration – connects federated identities to local services and enforces site-specific policies


AARC-G081 – Token Lifetime Recommendations (under final consultation)

Provides recommendations for operational lifetimes of access tokens and refresh tokens. Consistent practices are essential for reducing the risk of misuse while supporting cross-infrastructure interoperability.

...

  • Access tokens verified online (revocable):
    • Default: 1 hour – consistent with SAML session lifetimes.
    • Max: 25 hours – allows for running short jobs and next-day result checks.
  • Refresh tokens:
    • Default: 30 days – chosen as roughly the geometric mean between a day and a year, balancing usability and security.
    • Max: 400 days – ensures periodic proof of user involvement.


AARC-G100 – Establishing Trust with OpenID Federation (in development)

Defines how AARC-compliant AAI services – such as Infrastructure Proxies and Community AAIs – establish trust using the OpenID Federation 1.0 specification.

...

These guidelines improve the usability of federated login by helping users find their Identity Provider and understand which services are available, reducing login friction and confusion and supporting smoother end-user journeys. The accessibility of federated login also needs to be considered, in line with, for example, the latest W3C Accessibility Guidelines (WCAG).


AARC-G061 – Identity Provider Hinting

Defines the aarc_idp_hint parameter, allowing services or proxies to guide users to the correct authenticating IdP or upstream proxy.

  • Supports nested hints for complex routing


AARC-G062 – Discovery Service Selection

Defines the aarc_ds_hint parameter for suggesting which Discovery Service to use.

  • Enables community- or infrastructure-specific discovery experiences


AARC-G063 – End Service Information

Introduces the aarc_service_hint parameter to signal to a Discovery Service which end service the user is accessing.

  • Allows Discovery Services to present context-specific IdPs (e.g. filtering based on assurance requirements)
  • Improves clarity in multi-proxy login flows