Audience: All
The AARC Blueprint Architecture (BPA) is a reference framework designed to address the complex identity and access management challenges faced by international research collaborations. Developed through the AARC (Authentication and Authorisation for Research and Collaboration) project series, the BPA provides a set of interoperable architectural building blocks that enable access to research resources across different organisations and infrastructures.
The AARC BPA addresses these challenges by introducing a "community-first" approach to identity and access management. Rather than forcing researchers to navigate multiple institutional boundaries, the architecture enables research collaborations to use federated identities while managing their own access policies and rights. This approach maintains interoperability with institutional identity providers and infrastructure services. See https://aarc-community.org/architecture/
The latest version of the AARC BPA (2025) includes the following layers:
Authentication
- Manages authentication via trusted Identity Providers (IdPs) using e.g. SAML (Security Assertion Markup Language) & OIDC (OpenID Connect)
- May include proxies
Attribute Services
- Manages user attributes
Access Protocol Translation
- Includes Service Provider (SP)-IdP-Proxy and Discovery Service
- Manages notice presentation for privacy policies and Acceptable Use Policies
Authorisation
- Controls access to Services
- Centralises complex authorisation decisions
- Reduces complexity for services
Services
- Protected services (e.g. wikis, APIs, compute resources)
- Supports web-based and non-web-based resources
- May include proxies for cross-infrastructure access
For further details about the AARC BPA, see: https://aarc-community.org/architecture/
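To make the division of labour between the layers concrete, here is an added example (hypothetical code, not part of the AARC BPA or any AARC software) that models a BPA-style proxy in Python: the proxy authenticates an upstream IdP assertion, pulls community attributes, checks Acceptable Use Policy acceptance, takes the authorisation decision centrally, and hands the service a short-lived token so the service itself holds no policy. All IdP URLs, users, group names and service policies are constructed sample data.

```python
"""Toy model of the AARC BPA layers (constructed example, not AARC code)."""
import time
from dataclasses import dataclass, field
from typing import Optional

# Authentication layer: IdPs the proxy is willing to accept assertions from (constructed)
TRUSTED_IDPS = {"https://idp.example-university.org"}

# Attribute Services: community-managed attributes, keyed by federated identifier (constructed)
COMMUNITY_ATTRIBUTES = {
    "alice@example-university.org": {"groups": {"cosmo-survey:members"}, "aup_accepted": True},
    "bob@example-university.org": {"groups": set(), "aup_accepted": False},
}

# Authorisation layer: per-service policy kept once at the proxy, not inside every service (constructed)
SERVICE_POLICY = {
    "wiki": {"cosmo-survey:members"},
    "compute": {"cosmo-survey:admins"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    token: dict = field(default_factory=dict)  # only populated when access is granted


def authenticate(assertion: dict, now: float) -> Optional[str]:
    """Accept only assertions from a trusted IdP that have not expired; return the subject."""
    if assertion.get("iss") not in TRUSTED_IDPS or assertion.get("exp", 0) <= now:
        return None
    return assertion.get("sub")


def proxy_access(assertion: dict, service: str, now: Optional[float] = None) -> Decision:
    """Run the full BPA pipeline for one access request and return the central decision."""
    now = time.time() if now is None else now
    subject = authenticate(assertion, now)
    if subject is None:
        return Decision(False, "authentication failed")
    attrs = COMMUNITY_ATTRIBUTES.get(subject, {"groups": set(), "aup_accepted": False})
    # Access Protocol Translation: the proxy, not the service, enforces AUP acceptance
    if not attrs["aup_accepted"]:
        return Decision(False, "AUP not accepted")
    required = SERVICE_POLICY.get(service)
    granted = required & attrs["groups"] if required else set()
    if not granted:
        return Decision(False, f"no group grants access to {service}")
    # Services layer only sees the outcome: a short-lived token scoped to a single service
    token = {"sub": subject, "aud": service, "groups": sorted(granted), "exp": now + 600}
    return Decision(True, "authorised", token)
```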
Audience: Funding Agencies
NOTE: This seems to be in the wrong place and is somewhat repetitive. Consider where it should live...
An Authentication and Authorisation Infrastructure (AAI) manages digital identities, authenticates users, and controls access to protected resources. However, implementing and operating an AAI goes far beyond technical components.
From an organisational perspective, establishing an AAI requires substantial coordination across multiple stakeholders. Institutions must align their identity management policies, agree on common attribute schemas, and establish trust relationships with partner organisations. This process often involves lengthy negotiations between legal, privacy, and technical teams to ensure compliance with various regulatory frameworks whilst maintaining operational flexibility.
The organisational overhead of AAI management includes ongoing responsibilities for user lifecycle management, policy enforcement, incident response, and compliance monitoring. Organisations must establish clear governance structures to manage identity federation relationships, handle disputes, and adapt to changing community and legislative requirements. The complexity increases significantly in international collaborations where different cultural norms, legal frameworks, privacy regulations, and institutional policies must be negotiated.
Furthermore, AAIs require ongoing investment in staff training, system maintenance, and security monitoring. Organisations must maintain expertise in identity federation protocols, security best practices, and regulatory compliance whilst managing the operational burden of supporting diverse user communities with varying technical capabilities and access requirements.