1. EOSC-hub AAI
Nicolas Liampotis (GRNET)
eosc-hub.eu
@EOSC_eu
EOSC-hub receives funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 777536.
2. Outline
EOSC-hub AAI overall architecture (45’)
Initial EOSC-hub AAI building blocks (45’)
- B2ACCESS
- Check-in
- INDIGO IAM
- Perun
- MasterPortal
- WaTTS
- RCauth
17/04/2018
3. In a nutshell
EOSC-hub AAI will:
- Contribute to the EOSC infrastructure implementation roadmap by enabling seamless access to a system of research data and services provided across nations and disciplines
- Build on existing interoperable AAI solutions from EGI Federation, EUDAT CDI, and INDIGO-DataCloud that have successfully delivered a portfolio of operational services in this field over the last years
- Leverage eduGAIN identity providers and other institutional or social media credentials to expand access to researchers, higher-education, and business organisations
4. General AAI Requirements
Several initiatives, including the AARC project, have explored the requirements for federated identity and access management:
- AARC Analysis of user community and service provider requirements https://aarc-project.eu/wp-content/uploads/2015/10/AARC-DJRA1.1.pdf
- TERENA AAA Study https://www.terena.org/publications/files/2012-AAA-Study-report-final.pdf
- FIM4R paper https://cdsweb.cern.ch/record/1442597/files/CERN-OPEN-2012-006.pdf
- FIM4R version 2 https://fim4r.org/wp-content/uploads/2018/03/FIM4R-Requirements-FROZEN-March-1st-TIIME-2018.pdf
5. Requirements Summary - AARC
- Non-web-browser
- Guest users
- Persistent Unique Id
- Credential translation
- Attribute Aggregation
- Levels of Assurance
- Community based AuthZ
- Social & e-Gov IDs
- Step-up AuthN
- User Managed Information
- User Friendliness
- Incident Response
- Best Practices
- Credential Delegation
- SP Friendliness
- Attribute Release
6. Requirements Summary – FIM4R Version 2
- Onboarding & support
- Security
- Research eInfrastructure
- Discovery & Usability
- Beyond Web
- Collateral Infrastructure
- Authorization
- Assurance
- Attribute Release
- Identity Lifecycle
- Usability
9. EOSC-hub AAI: Multi-BPA approach
- The EOSC-hub AAI comprises different AARC BPA-compliant AAIs
  - Each of these AAIs acts as a service gateway. It may also act as a community AAI (see next slide)
- Researchers sign in with their community identity via their Research Community AAI
- Community-specific services are connected to a single Research Community AAI
- E-Infra services are connected to a single e-infra AAI service gateway, e.g. B2ACCESS, Check-in, IAM, etc.
- Generic services (e.g. RCauth.eu Online CA) may be connected to more than one AAI proxy
10. EOSC-hub AAI: Dual-purpose proxies
EOSC-hub AAI proxies may serve a dual purpose:
- Service gateway
- Community identity management
Examples: EUDAT B2ACCESS, EGI Check-in, INDIGO IAM
12. Next steps
- Adopt upcoming AARC architecture & policy recommendations on
  - Attribute harmonisation (e.g. affiliation information)
  - AUP alignment
- Complete integration activities between EOSC-hub AAI services
- Investigate usability, authorization, delegation and user (de)provisioning aspects in complex multi-domain scenarios
- Investigate an EOSC-hub catch-all community AAI for communities that don’t operate their own AAI solution
13. Get in touch!
If you want to collaborate, or want more information, please send your comments, questions or suggestions about the EOSC-hub AAI to aai-int@mailman.eosc-hub.eu
https://fim4r.org/documents/
Number of groups: 11
Number of requirements: 39
- Identity Lifecycle: Linking & ORCID
- Discovery & Usability: Service Catalogues, IdP Logos & Smart Discovery
- Authorization: Realtime, deprovisioning, bona fide & resource allocation
- Attribute Release & Adoption: Attributes across borders & Entity Attributes
- Security: Suspension & Incident Response Channels
- Research eInfrastructure: Federation support & proxy framework
- Assurance: Step-up & framework adoption
- Usability: Metadata handling & user experience
- Beyond Web: Alternative to ECP, translation & delegation
- Onboarding & Support: Federation dev environment, interfederation support & documentation
- Critical Collateral Infrastructure: IdP of last resort for all, sustainable operation
The purpose of the AARC Blueprint Architecture (BPA) is to provide a set of interoperable architectural building blocks for software architects and technical decision makers who are designing and implementing access management solutions for international research collaborations.