In AARC, partners from many organisations and countries meet regularly on all kinds of occasions, but there is seldom an opportunity to do hands-on work together. This, while deploying components, testing and gluing them together, is at the heart of the AARC pilots work. For this reason we met at SURFnet in Utrecht to join forces in a plugfest and work for two full days on several Authentication and Authorisation Infrastructure (AAI) integration pilots.
The plugfest started with a short pitch of five topics that had been pre-cooked online in the weeks before the meeting. After explaining the aims, required components and approaches, five interdisciplinary teams were created and the real work could start.
Two groups focused on cross-infrastructure integration, a top priority in the first AARC project, which will be even more relevant in the second AARC project – starting soon. By bridging the AAIs of EGI, EUDAT and PRACE, current and future collaboration scenarios can be better supported. How nice would it be if users of these e-infrastructures could transparently access the resources provided by the other e-infrastructures with a single institutional account?
EGI and EUDAT
The technical integration of the EGI and EUDAT AAIs was less complicated than expected, but we concluded that additional effort is needed to harmonise attributes and Level of Assurance (LoA) definitions. The team therefore continued to work on an earlier started joint proposal by AARC, EGI and EUDAT to harmonise the LoA of their identities for consumption by their internal services. Furthermore, social media identities are essential for the e-infrastructures – particularly for the support of guest identities and the long-tail of science – but they are not covered by the levels of assurance published by the REFEDS community (Cappuccino and Espresso). As a result, two new levels of assurance (LoAs) were introduced and will be submitted back to REFEDS. Identities that do not meet any of these two new LoAs, will not be assigned any LoA by EGI and EUDAT.
EUDAT and PRACE
The high-level goal of this pilot was to achieve AAI interoperability between EUDAT and PRACE and to examine how Unity technology may be used to accomplish this task.
The solution consists of two components. The first one automatically provisions accounts for selected PRACE users who authenticate with x.509 certificates. EUDAT accepts these certificates and PRACE users become registered users in the EUDAT authentication and authorisation service. This gives PRACE users access to non-x.509-based EUDAT services. The second component synchronises these accounts with EUDAT data services using certificate credentials. The developed integration was accepted as a suitable approach by EUDAT representatives attending the plugfest. This work will be further evaluated by EUDAT staff and possibly deployed in the production infrastructure.
In addition to these two cross-infrastructure pilots, three groups worked on extensions of existing AARC pilots.
COmanage has already been used in pilots to provide researchers with SSH-key-based access to servers and to link ORCID identities to a participant’s VO identity record. Work on two additional pilots was progressed during the plugfest:
1) The use of Application Specific Passwords (also known as Service Tokens) to provide ‘hidden’ or ‘random’ credentials to authenticate to services that do not support externalised authentication (such as federated identity, certificates, or SSH keys). The researcher logs into COmanage, generates a new ASP (which is then provisioned to LDAP for use by the application), and copies the ASP to their client. The initial use case targeted is iRODS.
2) Provisioning of COmanage-based identities to VOMS, allowing simplified access to certificate based services without requiring an additional enrolment process. Technical analysis has been completed to identify the preferred approach for integration, with further work on the pilot to be completed soon.
With these additions, COmanage fulfills even more of the requirements that had been identified earlier in the AARC project.
Guest access – Social IDs pilot and LoA enhancement
During the plugfest, we continued to work on the Social ID pilot to address the issue of LoA enhancement for identities that are processed by the EGI check in service. The linking of identities through ORCID ID has been assessed and analysed. We discovered that the public ORCID API provides the affiliation of users (given that users approve the release of this information). As the affiliation is not self-asserted, we see interesting opportunities to use this source to enhance the LoA of users. This work will be further explored and will be part of the proposed pilot architecture.
Attribute aggregation in a multi-VO scenario
In this effort we worked on attribute aggregation in a multi-Virtual Organisation (VO) scenario. Often, service providers (SPs) serve only a subset of the communities using the infrastructure. Therefore the proxy should limit queries only to those attribute authorities that are relevant for the communities supported by a specific SP. This feature is not available in off-the-shelf solutions for identity provider (IdP) proxies, but recent developments, for example in OpenConext, provide some clues. The AARC plugfest was a good opportunity to deploy an OpenConext instance and to integrate this component in the AARC-EGI pilot set-up.
To be repeated
With these five successful pilots finalised, the plugfest proved to be a a very effective format for collaboration in AARC. Having experts from different domains, partners and infrastructures in one room and assigning one clear target, significantly speeds up the deployment and testing of components. We had a lot of fun, created tangible results and all agreed that we should definitely repeat this in the second AARC project. A complete overview of all pilots performed in AARC is available here.