AARC is now entering its second year. And as all little toddlers do, it has taken the first steps to finally walk on its own! On 27-28 June the achievements of the AARC (Authentication and Authorisation for Research and Collaboration) project were presented to the European Commission’s reviewers, who recognised AARC’s strategic value and were very supportive of the work achieved so far.
A year ago AARC was born with the vision to design an integrated architecture for authentication and authorisation infrastructures (AAIs) and a set of harmonised policies to facilitate the sharing of research results across disciplines. AARC’s work will avoid a future where different e-infrastructures and research collaborations develop and operate independent, non-interoperable AAIs.
A lot of work was done during this first year, with the key achievements being:
- the design of a blueprint architecture to facilitate the creation of interoperable AAIs;
- contributing to the definition of accepted practices and standards for dealing with security incidents when using federated access;
- the development of three training modules;
- the piloting of policy frameworks and critical components of the proposed integrated AAI in existing infrastructures.
AARC celebrates its first year of life and looks forward to the coming year, when even more steps will be taken towards that vision of independent and interoperable AAIs. With the follow-up project AARC2 having been approved to start in May 2017, it looks like AARC should have a long and productive life.
The key achievements in a little more depth:
- Design an AARC blueprint architecture to facilitate the creation of interoperable AAIs
During the first year of the project, the AARC team worked with e-infrastructures, research infrastructures (RIs), research communities, AAI architects, and implementers to get a better understanding of their experiences and needs in sharing and accessing resources within research collaborations.
The list of requirements gathered via these interviews and prior to AARC provided the starting point for one of the project’s very important achievements: AARC designed a high-level (blueprint) AAI architecture, as described in the initial document ‘AARC Blueprint Architecture’.
The goal is to help e-infrastructure operators, technical architects and implementers in the various research communities to enable secure, scalable, and interoperable federated access to their resources by using proven technical solutions and/or implementation patterns.
A blog post highlighting the components and the layers identified in the blueprint architecture was published in June.
- Harmonise procedures and policies to ease cross-discipline collaboration and to facilitate the integration of services deemed critical for the R&E community
One of the main requirements is to define a common approach to dealing with security incidents when using federated access. Although security incident response procedures often exist at a local level or at federation level, there has been no best-practice approach for security incidents that involve several federations, where an incident spreads across multiple administrative domains.
The AARC project has contributed to the definition of a range of accepted practices and standards outlined in The Security Incident Response Trust Framework for Federated Identity (Sirtfi). The global Sirtfi Working Group is hosted in REFEDS (Research and Education Federations), which ensures participation and adoption by the global community.
Sirtfi enables the coordination of incident response across federated organisations. This assurance framework comprises a list of assertions which an organisation can attest to in order to be declared Sirtfi-compliant. Its practices can determine whether an organisation can be effective in incident response.
- Develop training modules for different user-communities and resource providers
For organisations that provide resources and services (e.g. research data and its processing) for scientific research and education in various fields and would like to protect their assets from unauthorised access by using an AAI, AARC has developed three main training modules:
- Federation 101, to provide an overview of federated access and its benefits;
- A training module aimed at service providers that want to deploy federated access;
- A module to support federation operators in helping their institutions release attributes.
The AARC members organised a training event, ‘AAI Workshop for Service and Resource Providers’, at the University of Manchester, UK, on 15-16 March. It was dedicated to organisations that provide resources and services for the ELIXIR (life sciences) and DARIAH (arts and humanities) RIs. The main objective was to help service providers make their resources and services available to the users of the RIs.
- Pilot policy frameworks and critical components of the proposed integrated AAI in existing infrastructures
One task in this area deals with pilot solutions for libraries (represented by LIBER and MKZ), with the aim of improving the adoption of federated access for libraries’ digital resources.
AARC established a pilot to implement a proxy (based on a commercial solution called EZproxy) to support both IP-based authentication and federated access. This is non-invasive and enables federated access without disrupting current services.
A further pilot, carried out jointly by the policy and the pilot teams, implemented CILogon for Europe. This is a token translation system that enables federated access to e-science portals that normally require a digital certificate. A blog post describes the details, the benefits and the sustainability plans.