Audience: All

The AARC Blueprint Architecture (BPA) is a reference framework designed to address the complex identity and access management challenges faced by international research collaborations. Developed through the AARC (Authentication and Authorisation for Research and Collaboration) project series, the BPA provides a set of interoperable architectural building blocks that enable access to research resources across different organisations and infrastructures.

The architecture exists to address the fragmentation of the research ecosystem. As scientific collaboration becomes more international and interdisciplinary, researchers need access to resources provided by multiple institutions, e-infrastructures, and research facilities. Traditional identity management approaches, where each service provider manages its own user accounts and access policies, create significant barriers to collaboration. Researchers face the burden of multiple registrations, inconsistent access procedures, and complex credential management across different platforms.

The AARC BPA addresses these challenges by introducing a "community-first" approach to identity and access management. Rather than forcing researchers to navigate multiple institutional boundaries, the architecture enables research collaborations to use federated identities while managing their own access policies and rights. This approach encourages interoperability with institutional identity providers and infrastructure services. See https://aarc-community.org/architecture/


The latest version of the AARC BPA (2025) includes the following layers:

Authentication

  • Manages authentication via trusted Identity Providers (IdPs) using protocols such as SAML (Security Assertion Markup Language) and OIDC (OpenID Connect)
  • May include proxies

Attribute Services

  • Manages user attributes

Access Protocol Translation

  • Includes Service Provider (SP)-IdP-Proxy and Discovery Service
  • Manages notice presentation for privacy policies, Acceptable Use Policies

Authorisation

  • Controls access to Services
  • Centralises complex authorisation decisions
  • Reduces complexity for services

Services

  • Protected services (e.g. wikis, APIs, compute resources)
  • Supports web-based and non-web-based resources
  • May include proxies for cross-infrastructure access

For further details about the AARC BPA, see: https://aarc-community.org/architecture/ 
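The layer list above describes a flow rather than a single component: a trusted IdP authenticates the user, the proxy translates that identity into one the community controls, the attribute service adds community group membership, the notice-presentation step records acceptance of the Acceptable Use Policy, and a central authorisation decision is taken before any service is reached. The following is an added toy model of that flow in Python; it is not AARC's code, and every issuer URL, user, group name, AUP version and service policy in it is constructed for illustration. SAML and OIDC wire formats are abstracted away into a small dictionary of claims, which is the level at which the BPA's layering is visible.

```python
"""Toy model of an AARC-BPA-style proxy (added illustration, not AARC code).

Authentication (trusted IdP) -> Access Protocol Translation (stable proxy id,
AUP notice) -> Attribute Services (community groups) -> Authorisation (one
central policy) -> Service. All identifiers below are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib

# Constructed trust list: the IdPs the proxy is willing to accept assertions from.
TRUSTED_ISSUERS = {
    "https://idp.example-uni.example/saml",  # a SAML IdP (constructed)
    "https://idp.example-lab.example",       # an OIDC provider (constructed)
}
AUP_VERSION = "2025-01"  # the AUP version users must currently have accepted

# Constructed upstream assertions: what the Authentication layer delivers after
# the user signed in at an IdP, reduced to the two claims the proxy needs.
ASSERTIONS = {
    "alice":  {"issuer": "https://idp.example-uni.example/saml", "subject": "alice"},
    "bob":    {"issuer": "https://idp.example-lab.example", "subject": "sub-4711"},
    "mallet": {"issuer": "https://idp.untrusted.example", "subject": "mallet"},
}


def community_id(issuer: str, subject: str) -> str:
    """Access Protocol Translation: derive one stable, proxy-scoped identifier
    from (issuer, subject) so downstream services never see raw IdP identifiers
    and the same person at two IdPs cannot collide by subject alone."""
    digest = hashlib.sha256(f"{issuer}\x00{subject}".encode()).hexdigest()[:16]
    return f"{digest}@proxy.example"


# Attribute Services: community-managed group membership keyed by proxy id.
COMMUNITY_GROUPS = {
    community_id(ASSERTIONS["alice"]["issuer"], "alice"): {"collab-x/members"},
    community_id(ASSERTIONS["bob"]["issuer"], "sub-4711"): {
        "collab-x/members", "collab-x/compute-users"},
}
# Notice presentation: the AUP version each user has accepted (constructed).
AUP_ACCEPTED = {
    community_id(ASSERTIONS["alice"]["issuer"], "alice"): "2025-01",
    community_id(ASSERTIONS["bob"]["issuer"], "sub-4711"): "2024-06",  # stale
}
# Authorisation: one central rule per service instead of per-service logic.
SERVICE_POLICY = {"wiki": "collab-x/members", "compute": "collab-x/compute-users"}


@dataclass(frozen=True)
class Session:
    community_id: str
    groups: frozenset
    aup_version: Optional[str]


def proxy_login(assertion: dict) -> Session:
    """Authentication + translation + attribute enrichment at the proxy."""
    issuer, subject = assertion.get("issuer"), assertion.get("subject")
    if issuer not in TRUSTED_ISSUERS:
        raise PermissionError(f"untrusted issuer: {issuer}")
    if not subject:
        raise PermissionError("assertion carries no subject")
    cid = community_id(issuer, subject)
    return Session(cid, frozenset(COMMUNITY_GROUPS.get(cid, ())), AUP_ACCEPTED.get(cid))


def authorise(session: Session, service: str) -> tuple:
    """Central authorisation decision; services only consume the outcome."""
    if session.aup_version != AUP_VERSION:
        return False, f"AUP {AUP_VERSION} not accepted"
    required = SERVICE_POLICY.get(service)
    if required is None:
        return False, f"unknown service: {service}"  # deny by default
    if required not in session.groups:
        return False, f"missing group {required}"
    return True, "granted"


if __name__ == "__main__":
    for user in ("alice", "bob", "mallet"):
        try:
            session = proxy_login(ASSERTIONS[user])
        except PermissionError as err:
            print(user, "rejected at authentication:", err)
            continue
        for svc in ("wiki", "compute"):
            print(user, svc, authorise(session, svc))
```

Running the block shows the three outcomes the layering is meant to separate: alice reaches the wiki but not compute (group missing), bob is refused everywhere until he accepts the current AUP even though his groups would allow compute, and mallet never gets past authentication because the issuer is not in the trust list. The services themselves hold no user accounts and no policy, which is the "reduces complexity for services" point in the Authorisation layer.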

Audience: Funding Agencies

An Authentication and Authorisation Infrastructure (AAI) manages digital identities, authenticates users, and controls access to protected resources. However, implementing and operating an AAI goes far beyond technical components.

From an organisational perspective, establishing an AAI requires substantial coordination across multiple stakeholders. Institutions must align their identity management policies, agree on common attribute schemas, and establish trust relationships with partner organisations. This process often involves lengthy negotiations between legal, privacy, and technical teams to ensure compliance with various regulatory frameworks whilst maintaining operational flexibility.

The organisational overhead of AAI management includes ongoing responsibilities for user lifecycle management, policy enforcement, incident response, and compliance monitoring. Organisations must establish clear governance structures to manage identity federation relationships, handle disputes, and adapt to changing community and legislative requirements. The complexity increases significantly in international collaborations where different cultural norms, legal frameworks, privacy regulations, and institutional policies must be negotiated.

Furthermore, AAIs require ongoing investment in staff training, system maintenance, and security monitoring. Organisations must maintain expertise in identity federation protocols, security best practices, and regulatory compliance whilst managing the operational burden of supporting diverse user communities with varying technical capabilities and access requirements.