Contacts: Christos Kanellopoulos (GÉANT), Nicolas Liampotis (GRNET)
The main objectives of this work package are the following:
- Produce guidelines for harmonising the expression of community user attributes to reduce inconsistencies and improve interoperability and end-user usability across different research community communities and infrastructures
- Produce authorisation guidelines and best practises to enable more efficient and effective sharing of federated resources
- Provide guidance on the use of decentralised identities and digital identity wallets
- Extend AARC Blueprint Architecture deployment model to improve scalability in multilateral federations using existing and emerging standards like the OpenID Connect Federation
- Produce an updated version of the AARC Blueprint Architecture that incorporates new technologies, standards, and best practices, and promotes better interoperability and collaboration
Please note that work on this WP continues in the existing channels
Tasks
Task 1: Evolution of the AARC Blueprint Architecture
The task will provide Research Infrastructures with up-to-date guidance on implementing the architecture of their authentication and authorisation infrastructure, incorporating new technologies, standards, and best practices, informed by lessons learned from previous implementations. Specifically, the task will create a revised version of the AARC Blueprint Architecture leveraging the results from the other tasks in this work package that target specific topics such as OpenID Connect Federations, advanced federated authorisation mechanisms and decentralised identity management. The updated version of the AARC BPA will promote better interoperability between Research Infrastructures, and foster community engagement and collaboration.In boarder terms, the adoption of the new AARC BPA includes increased efficiency and productivity in research collaborations, improved security and privacy for research data, and reduced costs associated with designing and implementing user identity management and access.
Task 2: Harmonisation of community user attributes
The lack of standards and uniform approach for expressing certain community user attributes leads to inconsistencies in how these attributes are communicated across different infrastructures. This can hinder the seamless flow of information between them, causing errors and other operational inefficiencies that can negatively impact user experience and overall interoperability. To this end, the task will develop guideline documents for standardising how to express community attributes in commonly used protocols, including OpenID Connect and SAML. These guidelines will cover topics such as expressing authenticating authority information, service account information, and identity assurance information.
Task 3: OpenID Connect Federations
Currently, services and authentication providers which are based on OpenId Connect (i.e. OpenID Connect relying parties and OpenID Providers) are required to use an OpenID Connect to SAML2 proxy layer in order to participate in Identity Federations (e.g. EOSC AAI Federation). The task will develop a deployment profile for OpenID Connect Federation that will allow entities based on OpenId Connect to participate in Identity Federations without the need for protocol translation. The profile will cover topics such as expressing compliance with entity categories (e.g. REFEDS Personalized) and security frameworks (e.g. Sirtfi), best practices for managing OAuth2 Resource Servers, and guidelines for incorporating OpenID Providers in Identity Provider discovery services. The results would be communicated and exploited through AARC Technical Guidelines and AEGIS adoption, and the target groups include research communities, operators of AAI services, federation operators, and resource providers. The results are expected to enable the extension of identity federations such as the EOSC AAI Federation to AARC-compliant proxies, simplify the integration of OpenID Connect/OAuth2 services, and enable compatibility with OpenID Connect/OAuth2 services from the industry. This will facilitate interoperability between identity providers, proxies, and service providers, making it easier for users to access services across different infrastructures and reducing operational complexity and costs by removing the need for protocol translation.
Task 4: Authorisation for Federated Resources
Different research communities and infrastructures may have different authorisation policies that govern how access to resources (including sensitive data) is granted. Mapping group memberships and roles managed by the community to capabilities required for accessing infrastructure resources can be a complex task. Furthermore, the lack of standardised mechanisms for requesting specific identity claims or claim values can lead to inconsistencies and confusion for users when accessing resources across different infrastructures. These challenges can create barriers to efficient and effective sharing of resources, hindering collaboration and cooperation across scientific disciplines. This task will address these challenges by developing common procedures and guidelines for authorisation, which will greatly benefit various thematic communities and Research Infrastructures.