AARC research communities share experiences at FIM4R

Research communities participating in AARC pilots presented their work to the FIM4R (Federated Identity Management for Research) community at a workshop on 11 February. FIM4R and AARC have a close relationship, with many participants in common.

AARC has proved a useful forum for research communities and e-infrastructures to make contact and address the increasing need for federated access to their online services and resources. They could also ‘safely’ try out specific authentication and authorisation infrastructure (AAI) solutions for their infrastructures.

All of the solutions that have been tried in AARC use the AARC blueprint architecture (BPA) and could provide useful shortcuts to future research communities. The first half of the FIM4R meeting was taken up with presentations of AARC pilots, as many of the meeting participants had not taken part in AARC.

“These communities can also benefit from the AARC results, so it was a great opportunity for research communities to learn from others what an actual implementation trajectory of the AARC BPA would look like, how to approach this and which possible hurdles one would encounter.” Arnout Terpstra of SURFnet, leader of the AARC pilots work.

Diverse communities and solutions

Representatives from the Worldwide LHC Computing Grid, LIGO, LifeWatch, DARIAH and EGI, and EISCAT 3D showed their initial challenges, how authentication and authorisation infrastructure (AAI) could benefit them, how AARC helped them and the solutions they piloted, based on the AARC blueprint architecture and AARC policy guidelines.

As an example of the challenges, David Hübner of DAASI International describes his AARC work on behalf of DARIAH:

“We basically invented our own infrastructure, which worked for us but then we faced some scaling issues. There were more and more services in the DARIAH community that all needed to connect to the various Identity Providers in the federations and we had no possibility to centrally manage policy issues, for example. With the AARC blueprint architecture you have a central component, the proxy, which makes it very easy for the service operators in the community to connect to the AAI, so that’s one of the things we wanted to achieve. The second point was interoperability with other communities and infrastructures.” David Hübner, DAASI International

At FIM4R, David presented the solution that allows interoperability between DARIAH and EGI, so their researchers can access a wider range of resources, tools and data.

AARC is documenting the pilots work in case studies detailing the initial requirements, relevant policies and training materials as well as the technical solutions. These will be found on the ‘AARC in action’ webpage alongside other useful materials.

Other topics

The second half of the FIM4R workshop covered developments in the REFEDS (Research and Education Federations) Assurance Framework as well as in its Sirtfi working group, and in WISE (Wise Information Security for Collaborating e-Infrastructures) which is now taking forward the AARC policy development, especially a new baseline AUP (Acceptable Use Policy). SURFnet presented UI/UX findings after piloting an AARC BPA solution where COmanage is used.

Discussion arose about Keycloak, which one of the communities participating at the FIM4R event is using as its proxy and role-management system. It was reported that Keycloak appears not to work well with eduGAIN as it cannot handle dynamic metadata, but a script has been devised to circumvent this issue. Another challenge could be the need to pay for a support contract if running Keycloak in high-availability mode. Further investigation of this topic may prove a useful addition to future meeting agendas.

The workshop participants also heard updates on three important activities in the USA: InCommon’s Baseline Expectations program; Trusted CI’s approach to supporting security for open science projects; and work in 2018 by the Internet2 CACTI (Community Architecture Committee for Trust and Identity) on a gap analysis following the publication of the FIM4R version 2.0 white paper.

FIM4R for communities

The workshop ended with a discussion of possible steps in 2019-20 to track the solutions and improvements aimed at addressing the 9 recommendations and 40 requirements that were expressed in the FIM4R version 2.0 white paper. These discussions were continued later in the week in a session during the TIIME 2019 conference, where it was agreed that the FIM4R community should initiate a survey of the stakeholders at whom the 9 recommendations were aimed. This should be launched soon after REFEDS meets at the TNC19 conference on Sunday 16 June, and the answers will be analysed in the form of a short status report (a version 2.1 paper) early in 2020.

With AARC coming to the end of its life at the end of April, FIM4R will continue to be a key place for research communities to go to for information and expert support, says Hannah Short of CERN and the WLCG AARC pilot.

“Even after AARC has stopped, it’s somewhere where the same people will be able to keep sharing best practices.” Hannah Short, CERN

Further information

Around 40 people participated in the 13th meeting of FIM4R, which was held in Vienna in conjunction with TIIME (Trust and Internet Identity Meeting in Europe). The FIM4R agenda and slides are available and the FIM4R website has more information about the group and its activities. You can also view the FIM4R White paper.