The AARC Engagement Group for Infrastructures (AEGIS) is the approval body that reviews and endorses AARC guidelines, giving them official status within the research infrastructure community. It serves as the governance mechanism that ensures AARC specifications meet the practical needs of infrastructure operators and maintains quality standards for the guidelines that become part of the AARC framework. AEGIS has adopted several AARC guidelines (listed in the table below), which are mandatory for interoperable infrastructures. Support for AARC guidelines that are not required by AEGIS is optional, but their adoption will improve interoperability.
An AAI becomes AARC compliant when it implements the architectural principles and technical specifications defined in the AARC Blueprint Architecture (BPA) and adopts the AARC Guidelines that have been approved by AEGIS. AARC compliance is characterised by several key features:
Layered Architecture: AARC-compliant AAIs implement a layered architectural model comprising the User Identity, Community Attribute Services, Access Protocol Translation, Authorisation and Service layers. In most implementations, some of these layers blend together rather than being discrete. The separation of responsibility boundaries, however, supports a clearer description and implementation of the architecture.
Proxy-Based Design: Central to AARC compliance is the implementation of Service Provider-Identity Provider Proxies (SP-IdP-Proxies) that serve as intermediary services between identity providers and service providers. These proxies handle protocol translation, attribute aggregation and policy enforcement, whilst presenting a unified interface to both users and services.
Community Identity Support: AARC-compliant systems must support community identities: user identities enriched with community-specific attributes such as group memberships and project roles. This enables fine-grained access control based on community participation rather than solely on institutional affiliation.
Interoperability Standards: Compliance requires adherence to established standards for several topics crucial for interoperability (e.g. attribute expression, assurance frameworks, federation protocols, etc.).
Trust Framework Integration: AARC-compliant AAIs must integrate with established trust frameworks and support mechanisms for expressing and evaluating identity assurance levels, enabling risk-appropriate access decisions.
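The following is an added illustration, not code from the AARC project or this page, of how the proxy, community identity and assurance features described above fit together in an authorisation decision. It models a minimal SP-IdP-Proxy that takes an assertion from a home-organisation IdP, enriches it with group and role attributes from a community attribute service, and then evaluates a service policy that requires both community membership and a minimum assurance level. The attribute names, the three-level assurance ordering and all user data are constructed assumptions for the example; real deployments use the attribute and assurance vocabularies defined by the adopted AARC guidelines.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed ordering of assurance levels, lowest to highest (illustrative only;
# a real deployment would evaluate the levels defined by its trust framework).
ASSURANCE_RANK: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


@dataclass
class IdpAssertion:
    """What the home-organisation IdP asserts about the user (User Identity layer)."""
    subject: str        # identifier released by the IdP
    affiliation: str    # institutional affiliation, e.g. "member@example.edu"
    assurance: str      # assurance level asserted by the IdP


@dataclass
class CommunityIdentity:
    """The IdP assertion enriched with community attributes by the proxy."""
    subject: str
    affiliation: str
    assurance: str
    groups: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)


# Constructed sample data standing in for a Community Attribute Service.
COMMUNITY_ATTRIBUTES: Dict[str, Dict[str, Set[str]]] = {
    "alice@example.edu": {"groups": {"project-x"}, "roles": {"project-x:admin"}},
    "bob@example.edu": {"groups": {"project-x"}, "roles": set()},
}


def proxy_enrich(assertion: IdpAssertion) -> CommunityIdentity:
    """Proxy step: aggregate community attributes onto the institutional identity.

    Users unknown to the community service keep their institutional identity
    but receive no groups or roles; they are not rejected here, because the
    access decision belongs to the authorisation step below.
    """
    attrs = COMMUNITY_ATTRIBUTES.get(assertion.subject, {"groups": set(), "roles": set()})
    return CommunityIdentity(
        subject=assertion.subject,
        affiliation=assertion.affiliation,
        assurance=assertion.assurance,
        groups=set(attrs["groups"]),
        roles=set(attrs["roles"]),
    )


@dataclass
class AccessPolicy:
    """A service's access policy, expressed over community attributes and assurance."""
    required_group: str
    min_assurance: str
    required_role: Optional[str] = None


def authorise(identity: CommunityIdentity, policy: AccessPolicy) -> Tuple[bool, List[str]]:
    """Authorisation step: return (allowed, reasons-for-denial).

    Access hinges on community participation and assurance, not on holding an
    institutional affiliation alone. Unknown assurance values rank as 0, so a
    missing or unrecognised level never satisfies a minimum.
    """
    reasons: List[str] = []
    if policy.required_group not in identity.groups:
        reasons.append(f"not a member of group {policy.required_group}")
    if policy.required_role and policy.required_role not in identity.roles:
        reasons.append(f"missing role {policy.required_role}")
    have = ASSURANCE_RANK.get(identity.assurance, 0)
    need = ASSURANCE_RANK.get(policy.min_assurance, 0)
    if have < need:
        reasons.append(f"assurance {identity.assurance!r} below required {policy.min_assurance!r}")
    return (not reasons, reasons)


def decide(assertion: IdpAssertion, policy: AccessPolicy) -> Tuple[bool, List[str]]:
    """Full proxy flow: enrich the IdP assertion, then apply the service policy."""
    return authorise(proxy_enrich(assertion), policy)


if __name__ == "__main__":
    policy = AccessPolicy(required_group="project-x", min_assurance="medium")
    for a in (
        IdpAssertion("alice@example.edu", "member@example.edu", "high"),
        IdpAssertion("bob@example.edu", "member@example.edu", "low"),
        IdpAssertion("carol@example.edu", "member@example.edu", "high"),
    ):
        allowed, why = decide(a, policy)
        print(a.subject, "ALLOW" if allowed else "DENY", why)
```

The third constructed user, carol, carries a valid institutional affiliation and a high assurance level but no community membership, so she is denied: this is the point of the community identity layer, that institutional affiliation by itself does not grant access to community resources.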
To be considered AARC Compliant, AAIs must support the following AEGIS endorsed guidelines. Please see the sections on Technical Requirements and Policy Requirements for further information.
AEGIS Endorsed Guidelines for AARC Compliance

| Supported | Feature | Guideline | Reference |
|---|---|---|---|
| ✅ | Proxy-Based Design | AARC Blueprint Architecture 2019: my AAI includes an SP-IdP-Proxy that presents a unified interface to users and services. | |
| ✅ | Community Identity Support | Expressing group and role information | |
| ✅ | | Inferring and constructing voPersonExternalAffiliation | |
| ✅ | | Guidelines for expressing affiliation information | |
| ✅ | | Guidelines for expressing community user identifiers | |
| ✅ | Interoperability Standards | Specification for expressing resource capabilities | |
| ✅ | | Exchange of specific assurance information between Infrastructures | |
| ✅ | | A specification for IdP hinting | |
| ✅ | | Specification for hinting an IdP which discovery service to use | |
| ✅ | | A specification for providing information about an end service | |
| ✅ | | (Under approval) Proxied Token Introspection | AARC-G052 |
| ✅ | Trust Framework Integration | Guidelines for Secure Operation of Attribute Authorities | |
| ✅ | | Guidelines for evaluating the combined assurance of linked identities | |
| ✅ | | (Under approval) Recommendations for Token Lifetimes | |
| ✅ | | (Under approval) Trust framework for proxies and Snctfi research services | |