EOSC-hub AAI architecture (EOSC hub week, Malaga, 16 - 20 April 2018)

1. eosc-hub.eu
@EOSC_eu
EOSC-hub receives funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 777536.
Nicolas Liampotis (GRNET)
EOSC-hub AAI

2. 2
EOSC-hub AAI overall architecture (45’)
Initial EOSC-hub AAI building blocks (45’)
- B2ACCESS
- Check-in
- INDIGO IAM
- Perun
- MasterPortal
- WaTTS
- RCauth
17/04/2018
Outline

3. 3
EOSC-hub AAI will:
Contribute to the EOSC infrastructure implementation roadmap
by enabling seamless access to a system of research data and
services provided across nations and disciplines
Build on existing interoperable AAI solutions from EGI Federation,
EUDAT CDI, and INDIGO-DataCloud that have successfully
delivered a portfolio of operational services in this field over the
last years
Leverage eduGAIN identity providers and other institutional or
social media credentials to expand the access to researchers,
high-education, and business organisations
17/04/2018
In a nutshell

4. 4
Several initiatives, including the AARC project, have explored the
requirements for federated identity and access management
AARC Analysis of user community and service provider
requirements  https://aarc-project.eu/wp-
content/uploads/2015/10/AARC-DJRA1.1.pdf
- TERENA AAA Study 
https://www.terena.org/publications/files/2012-AAA-Study-report-
final.pdf
- FIMR4 paper  https://cdsweb.cern.ch/record/1442597/files/CERN-
OPEN-2012-006.pdf
FIM4R version 2  https://fim4r.org/wp-
content/uploads/2018/03/FIM4R-Requirements-FROZEN-March-
1st-TIIME-2018.pdf
17/04/2018
General AAI Requirements

5. 517/04/2018
Requirements Summary - AARC
Non-web-
browser
Guest
users
Persistent
Unique Id
Credential
translation
Attribute
Aggregation
Levels of
Assurance
Community
based AuthZ
Social & e-
Gov IDs
Step-up
AuthN
User Managed
Information
User
Friendliness
Incident
Response
Best
Practices
Credential
Delegation
SP
Friendliness
Attribute
Release

6. 617/04/2018
Requirements Summary – FIM4R
Version 2
Onboarding &
support
Security Research
eInfratructure
Discovery &
Usability
Beyond Web Collateral
Infrastructure
Authorization
Assurance
Attribute
Release
Identity
Lifecycle
Usability

7. 74/18/2018
AARC Blueprint Architecture
approach
A set of interoperable architectural building blocks on
top of eduGAIN for international Research Collaboration

8. 84/18/2018
AARC Blueprint Architecture
approach
Adopted by e-Infrastructures providers and research
infrastructures, e.g.
EUDAT B2ACCESS EGI Check-in INDIGO IAM

9. The EOSC-hub AAI comprises
different AARC BPA-compliant AAIs
- Each of these AAIs acts as a service
gateway. It may also act as a
community AAI (see next slide)
Researchers sign in with their
community identity via their
Research Community AAI
Community-specific services are
connected to a single Research
Community AAI
E-Infra services are connected to a
single e-infra AAI service gateway,
e.g. B2ACCESS, Check-in, IAM, etc
Generic services (e.g. RCauth.eu
Online CA) may be connected to
more than one AAI proxies
917/04/2018
EOSC-hub AAI: Multi-BPA approach

10. EOSC-hub AAI proxies may serve a
dual purpose:
- Service gateway
- Community identity management
Examples: EUDAT B2ACCESS, EGI
Check-in, INDIGO IAM
1017/04/2018
EOSC-hub AAI: Dual-purpose proxies

11. 1117/04/2018
EOSC-hub AAI: An example

12. 12
Adopt upcoming AARC architecture & policy
recommendations on
- Attribute harmonisation (e.g. affiliation information)
- AUP alignment
Complete integration activities between EOSC-hub AAI
services
Investigate usability, authorization, delegation and user
(de)provisioning aspects in complex multi-domain
scenarios
Investigate EOSC-hub catch-all community AAI for
communities that don’t operate their own AAI solution
17/04/2018
Next steps

13. If you want to collaborate, or want more
information, please send your comments, questions
or suggestions about the EOSC-hub AAI at aai-
int@mailman.eosc-hub.eu
Get in touch!

14. eosc-hub.eu @EOSC_eu
nliam@grnet.gr