About AARC
The Authentication and Authorisation for Research and Collaboration (AARC) initiative was first launched in May 2015 to address the increased need for federated access and for authentication and authorisation mechanisms by research and e-infrastructures.
A second phase of the project (AARC2) started in May 2017 to continue to develop and pilot an integrated cross-discipline authentication and authorisation framework, building on existing authentication and authorisation infrastructures (AAIs).
Although the second AARC project formally ended in 2019, work on AARC results continued over the years.
As of March 2024, the AARC TREE (AARC Technical Revision to Enhance Effectiveness) project will help the AARC Community to boost new work.
Get in touch
Email: aarc-contacts@lists.geant.org
Follow us
Twitter: @AARC_Project
Linkedin: aarc-project
Interoperability, sustainability, integration and compatibility: AARC – a set of turn-key solutions bringing research collaborations closer together.
Researchers must be able to easily access and share resources in order to collaborate. The growth of national identity federations has proved to be a successful model to efficiently increase scientific collaboration and to improve the user’s experience.
Thanks to the eduGAIN, individual researchers can use their institutional credentials to access thousands of resources available to their own organisation. However, this does not provide everything that members of research collaborations need. After all, they need to manage, access and share resources based on their roles within these collaborations: research collaborations need their own authentication and authorisation infrastructure (AAI) – one that allows researchers to seamlessly access all the online resources they need.
While the authentication of users takes place at the users’ home organisation, the authorisation takes place at the resources, based on the information about the users provided to the resources after the authentication. In some cases the resources may require additional information. A very common scenario is about users within the same project or scientific collaboration that need to access resources provided by different infrastructures. In many cases this means that users will go through different AAIs and different policies.
And this is where the AARC project comes in. The AARC Blueprint Architecture and the accompaning set of policies ensure interoperability among AAIs, streamline
researchers’ access to resources and offer a single integration point to resource providers.
AARC: Understanding the needs of communities
The first EU-funded AARC project (2015-2017) gathered requirements from e-infrastructures on federated authentication and authorisation. These requirements pointed to an integrated AAI, easy to use and able to provide users with a single digital identity to access all services using only their institutional credentials. This infrastructure must also provide a secure integration of identity solutions for guests, advanced authentication mechanisms, and allow users to access services on the basis of their role inside the scientific collaboration project. The design of the AARC BPA was driven by the requirements collected.
AARC TREE continues to follow this inclusive model to capture and analyse the AAI interoperability requirements and service gaps for more research infrastructures, to enhance the AARC BPA to support more effectively RIs.
From requirement analysis to the ‘prototype’ design
The AARC Blueprint Architecture (BPA) was created to support infrastructures to build interoperable, scalable and secure AAI whilst still retaining some freedom in choosing the most suitable technology. The BPA defines the functional building blocks for interoperation with the national identity federations and with eduGAIN. The BPA defines the key components that can be mixed and matched according to specific needs. This flexibility gives software architects and technical decision makers a head start in building a customised solution for their research collaboration.
Over the years the BPA has evolved and under AARC TREE more enhancement are planned.
Harmonising rules for a common infrastructure: the policies
Harmonising the rules that organisations apply to identity management is essential for achieving an integrated AAI framework. Since its inception AARC focused on sharing recommendations and common best practices that adhere to two fundamental principles: scalability and sustainability.
The main aspects to be harmonised are the reliability of identities, identifiers, attributes of users from different organisations and user experience.
Another important point was the definition of a common framework for federations to deal with security incidents: ‘Sirtfi‘, the Security Incident Response Trust Framework for Federated Identity. AARC community was one of the main contributors to the creation and adoption of Sirtfi.
It’s a matter of proxy
The AARC blueprint model proposes the introduction of a proxy, operated by research infrastructures, which connects to eduGAIN. To ensure that security is preserved, AARC defined a specific framework called Snctfi (Scalable Negotiator for a Community Trust Framework in Federated Infrastructures). Snctfi ensures, among other things, that the entity connected to the proxy adopts Sirtfi and research and scholarship entity categories. AARC also looked at the protection of (mostly personal) data generated by the use of infrastructures and the procedures (accounting) needed for security and accountability of resources.
AARC produced different guidelines to ensure that the proxy is securely operated.
Involving more research communities: AARC TREE
The first AARC project aimed to define an integrated architecture as a reference for all AAIs; the second AARC project (2017-2019) took steps towards implementing the BPA and the common policies, with a greater and more active involvement of the research communities, spanning from Earth sciences and life sciences, to astronomy and high-energy physics, and to arts and humanities. This led to a new BPA ‘community-first’ approach.
The AARC TREE Project (2024-2026) engages several e-infrastrcutures (EGI, EUDAT and GÉANT) as well as most of the ESFRI clusters. The AARC TREE project will start a technical revision to enable better integration across all thematic areas, to streamline access to federated data and to bring the Reserach Infrastructures together to align strategies and liaise with the broad stakeholder community and relevant initiatives, such as GAIA-X, EU DataSpaces, the European Digital Identity Wallet, and eIDAS.
The communities that are already deploying an AARC-BPA compliant AAI and that are interested in adopting and extending these outcomes gather in the AARC Engagement Group for Infrastructures, AEGIS, established in 2019.
AEGIS will grow its remit to better support the RIs that are already deploying an AARC BPA and can more easily become earlier adopters for new AARC TREE guidelines, but also to empower emerging RIs that will be established to cope with new scientific challenges and ensure leadership of Europe.
Keeping expanding the AARC framework that will benefit all research collaborations
Thanks to the committtment of the AARC community, the AARC Blueprint Architecture has become a de-facto standards for the research communities.
The AARC Policy Development Kit (PDK) has provided a good base to support the deployment of the BPA. With the feedback of the communities that used it, AARC TREE will enhance and simplify the PDK.
© members of the AARC Community.
The work leading to these results has received funding from the European Union (GAP 101131237) and other sources. The contents of this publication is the sole responsibility of AARC and does not necessarily reflect the opinion of the European Union.