eduTEAMS enables researchers, students and other members of the research and education community to create and manage virtual teams and securely access and share common resources and services using federated identities from eduGAIN and trusted Identity Providers.
Background
International collaboration has always been at the heart of academic research. Accessing and sharing scientific resources, be they scientific instruments, collaborative tools or research data, has always been a challenge.
During the last decade, eduGAIN has enabled millions of researchers to access federated services using the very same accounts that they use at their home organisations. The success of eduGAIN has led many groups to investigate how researchers can use their federated identities and the eduGAIN foundation to collaborate across organisational and national boundaries. Initiatives like the TERENA AAA Study, the FIM4R working group and the AARC project series have investigated various aspects of the challenges involved in using federated identities for authentication and authorisation in research collaborations. The AARC Blueprint Architecture is a design pattern that has emerged as the best practice for implementing interoperable authentication and authorisation solutions for accessing and sharing resources in international research collaborations and infrastructures. eduTEAMS is a full implementation of the AARC Blueprint Architecture.
The eduTEAMS Offerings
The eduTEAMS service enables research communities to securely access and share common resources and services. Leveraging the ubiquitous presence of eduGAIN federated identities, eduTEAMS enables communities to securely authenticate and identify their users, organise them in groups, assign them roles and centrally manage access rights for using community resources. As research is not confined to research institutes and universities, eduTEAMS also caters for users from industry or citizen scientists who may not have access to eduGAIN. It does so by supporting external (non-eduGAIN) identity providers, such as social networks providing federated identities, community identity providers and other platforms that can provide federated user identities.
GÉANT offers eduTEAMS in three ways: shared, dedicated and bespoke. The core technology in all versions is the same and conforms to the AARC2 Blueprint Architecture (BPA) and emerging and future EOSC design requirements. An overview of the three eduTEAMS offerings follows:
- eduTEAMS Service: The eduTEAMS Service is a multi-tenant service offering provided by GÉANT to small and medium-sized communities who want to get started with their virtual collaborations and take full advantage of federated access without having to deal with the complexity of operating and supporting their own AAI. It supports multiple communities on the same platform and provides everything required to securely collaborate and use services available to the GÉANT community and the European Open Science Cloud.
- eduTEAMS Dedicated: GÉANT can host and operate a dedicated instance of the eduTEAMS platform on behalf of a community. The eduTEAMS Dedicated service offering will still be operated and maintained by GÉANT, but with the flexibility to have policies, configuration and branding tailored to each community.
- eduTEAMS Bespoke: We understand that many communities have requirements that go beyond what a packaged offering can provide. For communities who require tailor-made functionality that is not available in any of the other offerings, such as integration with custom back-office and front-office systems, GÉANT can provide bespoke solutions based on eduTEAMS, which can include a combination of consultancy, development and hosting of the service.
How eduTEAMS works
eduTEAMS follows a proxied architecture that implements the AARC Blueprint Architecture. It comprises four components:
eduTEAMS Proxy & Identity Hub
The eduTEAMS Proxy is an SP-IdP Proxy with first-class support for the OIDC and SAML protocols. It can connect SAML Identity Providers, OIDC Providers, SAML Service Providers and OIDC Resource Providers, enabling teams to use their preferred identity sources and services regardless of the authentication protocol used. The eduTEAMS Proxy is responsible for aggregating the user attributes from the various identity sources, enforcing community and platform-wide policies, and providing one persistent user identifier and a harmonised set of attributes to the connected services.
eduTEAMS Discovery Service (DS)
The eduTEAMS Discovery service provides a web interface for users to search and select their preferred identity provider. It is an essential component of the platform, directly connected with the eduTEAMS Proxy.
eduTEAMS Metadata Service (MDS)
The eduTEAMS Metadata Service aggregates the metadata of all the SAML Identity and Service Providers that are connected to the platform. It does so by aggregating the metadata feed of eduGAIN, while also allowing the platform administrators to configure other local or remote metadata sources. The eduTEAMS MDS is an essential component of the platform, directly connected to the eduTEAMS Proxy.
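The aggregation step described above, as an added example that is not eduTEAMS's own code: two constructed SAML metadata feeds (an upstream federation feed standing in for eduGAIN, and a locally configured source) are merged into a single entityID-keyed view. Entries from the higher-priority local source override upstream entries with the same entityID, and any feed or entity whose validUntil has passed is dropped. Feed names, entityIDs, timestamps and the fixed "now" are all constructed. A production aggregator also verifies the XML signature of each feed before trusting anything in it; that check is deliberately outside the scope of this example.

```python
"""Toy SAML metadata aggregator (constructed example, not eduTEAMS code).

Merges several EntitiesDescriptor feeds into one entityID -> EntityDescriptor
map. Higher-priority sources (e.g. local overrides) win over lower-priority
ones (e.g. the federation feed); expired feeds and expired entities are skipped.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # real SAML metadata namespace
SAML2_PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Fixed reference time so the example is deterministic (constructed).
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed upstream feed: one valid IdP and one whose metadata expired in 2020.
UPSTREAM_FEED = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="upstream-constructed"
    validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.old.example.org/idp"
      validUntil="2020-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed local feed: overrides the upstream IdP entry and adds a local SP.
LOCAL_FEED = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="local-constructed"
    validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.local.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _parse_validity(ts):
    """Parse a SAML validUntil timestamp ('Z' suffix = UTC). None means no expiry."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def aggregate(feeds, now):
    """feeds: iterable of (source_name, xml_text, priority).

    Returns {entityID: (source_name, EntityDescriptor element)}. When the same
    entityID appears in several sources, the highest priority wins.
    """
    chosen = {}  # entityID -> (priority, source, element)
    for source, xml_text, priority in feeds:
        # NOTE: a real MDS verifies the feed's XML signature before this point.
        root = ET.fromstring(xml_text)
        feed_valid = _parse_validity(root.get("validUntil"))
        if feed_valid is not None and feed_valid <= now:
            continue  # whole feed is stale: trust none of it
        for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
            eid = ed.get("entityID")
            if not eid:
                continue  # malformed entry without an identifier
            valid = _parse_validity(ed.get("validUntil"))
            if valid is not None and valid <= now:
                continue  # per-entity expiry
            prev = chosen.get(eid)
            if prev is None or priority > prev[0]:
                chosen[eid] = (priority, source, ed)
    return {eid: (src, ed) for eid, (_, src, ed) in chosen.items()}


def aggregate_sample():
    """Run the aggregation over the two constructed feeds at SAMPLE_NOW."""
    feeds = [("upstream", UPSTREAM_FEED, 10), ("local", LOCAL_FEED, 100)]
    return aggregate(feeds, SAMPLE_NOW)


if __name__ == "__main__":
    for eid, (src, _) in sorted(aggregate_sample().items()):
        print(f"{eid} <- {src}")
```

The expired upstream IdP never reaches the output, and the local copy of idp.example.edu wins over the upstream one because the local source was registered with the higher priority; this is the same ordering question an administrator answers when adding a local metadata source next to the eduGAIN feed.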
eduTEAMS Membership Management Services (MMS)
The eduTEAMS MMS enables users to create virtual organisations (VOs), manage these VOs, invite users to collaborate, manage registration flows, organise users into groups and assign them roles and resource entitlements as needed within the collaborations.
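The proxy behaviour described under "eduTEAMS Proxy & Identity Hub" and the group and role data described here, as an added example that is not eduTEAMS's own code: a SAML login and an OIDC login are mapped to one canonical attribute set, a stable proxy-scoped identifier is derived for each upstream (issuer, subject) pair, a platform-wide policy (trusted issuers only) and a community policy (a mail attribute is required) are enforced, and VO memberships from a membership service are expressed as group entitlements. The SAML attribute OIDs and OIDC claim names are the standard ones; the proxy scope, the secret, the issuers, the users, the VO and the urn:example entitlement namespace are constructed, and the HMAC derivation of the identifier is one illustrative approach rather than a description of how eduTEAMS mints identifiers.

```python
"""Attribute harmonisation in an SP-IdP proxy (constructed example, not eduTEAMS code).

Takes whatever an upstream SAML IdP or OIDC provider asserted, enforces policy,
and releases one canonical attribute set plus VO entitlements to services.
"""
import hashlib
import hmac

PROXY_SCOPE = "proxy.example.org"             # constructed scope for proxy-minted identifiers
PAIRWISE_SECRET = b"constructed-demo-secret"   # production: long random key from a secret store
TRUSTED_ISSUERS = {                            # constructed platform-wide allow-list
    "https://idp.example.edu/idp",             # a SAML IdP
    "https://accounts.social.example",         # an external (non-eduGAIN) OIDC provider
}

# Upstream attribute/claim names -> canonical names released to services.
# The SAML OIDs and OIDC claim names are real; anything not listed is dropped.
ATTRIBUTE_MAP = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",          # SAML mail
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",   # SAML displayName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "email": "mail",                                      # OIDC claim
    "name": "displayName",                                # OIDC claim
}


def persistent_id(issuer, subject):
    """Stable, non-reversible identifier for an (issuer, subject) pair.

    Keyed with the proxy's secret so connected services cannot recompute it from
    the upstream identifier; the same upstream identity always maps to the same id.
    """
    msg = f"{issuer}!{subject}".encode()
    digest = hmac.new(PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{digest[:32]}@{PROXY_SCOPE}"


def entitlement(vo, group, role=None):
    """AARC-G002 style group entitlement; 'urn:example' is a constructed namespace."""
    value = f"urn:example:{vo}:group:{group}"
    if role:
        value += f":role={role}"
    return f"{value}#{PROXY_SCOPE}"


def harmonise(issuer, subject, attributes, memberships, trusted_issuers=TRUSTED_ISSUERS):
    """Build the attribute set released to a service.

    attributes:  upstream name -> value or list of values, as asserted upstream.
    memberships: list of (vo, group, role_or_None) obtained from the membership service.
    """
    if issuer not in trusted_issuers:
        raise PermissionError(f"platform policy: issuer not trusted: {issuer}")
    released = {"eduPersonUniqueId": [persistent_id(issuer, subject)]}
    for name, values in attributes.items():
        canonical = ATTRIBUTE_MAP.get(name)
        if canonical is None:
            continue  # unknown upstream attributes are never passed through
        bucket = released.setdefault(canonical, [])
        for value in (values if isinstance(values, list) else [values]):
            if value not in bucket:
                bucket.append(value)
    if not released.get("mail"):
        raise ValueError("community policy: a mail attribute is required")
    released["eduPersonEntitlement"] = sorted(entitlement(*m) for m in memberships)
    return released


# Constructed sample logins.
SAML_ATTRS = {
    "urn:oid:0.9.2342.19200300.100.1.3": ["alice@example.edu"],
    "urn:oid:2.16.840.1.113730.3.1.241": ["Alice Example"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["member@example.edu", "staff@example.edu"],
    "urn:oid:2.5.4.4": ["Example"],   # sn: not in ATTRIBUTE_MAP, so not released
}
OIDC_CLAIMS = {"email": "bob@social.example", "name": "Bob Citizen"}
MEMBERSHIPS = [("climate-vo", "observers", None), ("climate-vo", "observers", "admin")]


if __name__ == "__main__":
    alice = harmonise("https://idp.example.edu/idp", "alice-nameid", SAML_ATTRS, MEMBERSHIPS)
    bob = harmonise("https://accounts.social.example", "sub-123", OIDC_CLAIMS, [])
    for user in (alice, bob):
        for key, values in user.items():
            print(f"{key}: {values}")
```

Two properties of the released set are worth checking whenever a proxy is configured: a service sees the same identifier for the same person on every login regardless of which upstream attribute names were used, and a service never sees anything the mapping does not explicitly release, so an attribute the IdP over-shares (sn in the sample) stops at the proxy.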