First draft version of the AARC Blueprint Architecture
The first version of the draft AARC Blueprint Architecture has been released. The working document of the ‘AARC Blueprint Architecture’ is available on Google Docs and we would like to encourage the technical architects and implementers in the various research and e-infrastructure and scientific communities to review it, and provide their feedback either in the document itself or via the public AARC Connect mailing list.
JRA1: Architectures for an integrated and interoperable AAI
Work Package Leader: GRNET, Christos Kanellopoulos (grnet)
Structure of the Architecture activity
The high-level objectives of this activity are:
analyse how much has been developed to leverage federated access with other authentication systems used in the R&E communities, in the eGov space and in the commercial sector;
research a possible solution to link identities in the contest of higher levels of assurance, attribute providers and guest identities;
assess existing technologies to provide SSO for non-Web applications (cloud, storage and so on) and offer recommendations for their usage;
develop a risk-based model for existing AAI solutions;
propose models for supporting guest identities (NRENs’ in-house solutions vs commercially-offered solutions should be explored);
define a blueprint architecture to enable web and non-web SSO capabilities across different infrastructures, integrating attribute providers/group management tools operated by user-communities;
provide models for federated authorisation: how to integrate attributes and permissions from diverse communities, making them available at the federation level in a consistent and secure way.
The activity is structured in four tasks:
Task ID | Task | Leader |
---|---|---|
Task 1 (JRA1.1) | Requirements Gathering | Peter Solagna (EGI.eu) |
Task 2 (JRA1.2) | Blueprint Architectures | Marcus Hardt (KIT) |
Task 3 (JRA1.3) | Guest Identities | Jens Jensen - STFC UKRI (STFC) |
Task 4 (JRA1.4) | Models for implementing Attribute Providers and Token Translation Services | Davide Vaghetti (GARR) |
JRA1.1 Requirements gathering
Task Leader: EGI.eu, Peter Solagna
Goals of the task:
- Describe the authentication and authorisation technologies used by the different e-Infrastructures, including research communities, libraries and educational service providers and identify the existing gaps that prevent their interoperability. Explore how the current e-Infrastructures can support broader cross-domain collaboration, for instance when dealing with commercial services and or with e-Government initiatives.
- Prioritise the work to undertake on the basis of the community requirements, results of pilots carried out by the GN3plus project and FIM4R group and on the technical analysis of existing pilots to support groups, token translation and SSO for non-web.
- Explore how the current e-Infrastructures can support broader cross-domain collaboration, for instance when dealing with commercial services and or with e-Government initiatives.
- Gather information on the penetration of AAIs and eduGAIN in R&E sector, libraries and e-Government.
- Gather information on the interoperation experiments between R&E federations (including eduGAIN) and eGOV in the different European countries. Determine the maturity level and portability of the solutions enabling non-Web SSO, which is important when access to computing and storage services in several e-Infrastructures and cloud is considered.
- Document relevant standards bodies and other interoperation activities and their role in supporting AAI
Actions and activities of the task
First action of the task has been to prepare and circulate a questionnaire among the relevant communities (circulated on the 1st of July 2015) to gather requirements both on the technical architecture and the dissemination/training activities.
The questionnaire can be downloaded here: AARC Requirements questionnaire
The first round of requirements will be collected until July 10th 2015
JRA1.2 - Blueprint Archtectures
Task Leader: KIT, Marcus Hardt
First action was to start the discussion about the points raised at the JRA1 presentation in the kickoff.
Please read and comment in the Report from the kickoff meeting.
JRA1.3 - Guest identities
Task Leader: STFC, Jens Jensen - STFC UKRI
Guest identities are about making use of external IdPs. The basic idea is to accept social media logins:
- Assign a suitable Level of Assurance (LoA) to them
- Allow users to build reputation
- Allow reputation to be communicated - e.g. from one community to another
- Investigate a "web of trust" - whether users can vouch for each other, say.
- Within AARC, links to NA3 (policy and LoA for guest identities) and SA1 (piloting guest identities)
JRA1.3
- Accommodating "guest identities" - please find the deliverable-in-progress AARC MJRA1.2 (everyone with the link can comment; if you need write access please request it.)
JRA1.4 - Models for implementing Attribute Providers and Token Translation Services
Task Leader: GARR, Andrea Biancini.
Within this task we will evaluate how Attribute Providers and Token Translation services could be used to extend the current scope of existing identity federations to existing communities of users and projects.
The overall goal of this task is twofold:
integrate different AAIs with existing federations (already interfederated in eduGAIN); in this respect the main communities considered will be:
NRENs, with SSO for web applications
libraries, using IP-based access
PRACE and EGI, using x509 certs
government spaces (for instance using STORK)
provide a model for implementing pilots:
on Attribute Authorities, and
on Token Translation Services.
Documents and deliverables:
The project activities, so far, produced the following relevant documentation:
Flows for AAs [JRA1.4-1 Information flows for AAs]
This is a working document which will intend to describe the possible flows and high level use cases of user interactions involving Attribute Authorities. It is intended to be an outline/draft for people to work on and will provide input to a one pager describing the main terms and concepts regarding AAs to be shared among all participants.- Terms and definitions for AAs [link on Google Drive]
This is a working document which will intend to describe some common terms and definitions of AAI processes involving Attribute Authorities. It is intended to be simple and direct to describe the main terms and concepts regarding AAs to be shared among all participants.