AARC Blueprint Architecture
The AARC Blueprint Architecture (BPA) is a set of software building blocks that can be used to implement federated access management solutions for international research collaborations. The Blueprint Architecture lets software architects and technical decision makers mix and match tried and tested components to build customised solutions for their requirements.
The final version consists of five component layers grouped by functional roles:
- User Identity: services which provide electronic identities that can be used by users participating in international research collaborations.
- Community Attribute Services: components related to managing and providing information (attributes) about users, such as community group memberships and roles, on top of the information that might be provided directly by the identity providers from the User Identity Layer.
- Access Protocol Translation: defines an administrative, policy and technical boundary between the internal/external services and resources.
- Authorisation: contains elements to control the many ways users can access services and resources.
- End-services: where the external services interact with the other elements of the AAI.
Not sure how to begin with the AARC Blueprint Architecture? There are plenty of guidelines available, but it can be a minefield at first. You probably want to start by designing the high-level approach of your infrastructure based on the AARC Blueprint Architecture. There are several general topics you should consider, such as Data Protection (AARC-G042) and Federated Security Incident Response (AARC-I051). Here you can find common questions matched to the relevant Blueprint Architecture component, along with links to guidelines that can help.
Community Attribute Services:
- How should attributes from multiple sources be aggregated? AARC-G003
- How should I express the home institute of a user? AARC-G025
- How should I express the identifier of a user? AARC-G026
- What are the best practices for running my Attribute Authorities securely? AARC-G048
- Which Acceptable Use Policy should I use to facilitate interoperability? AARC-I044
- How should I infer the affiliation of a user? AARC-G057
End Services:
- My service needs to act on behalf of the user – how should I handle credential delegation and impersonation? AARC-G005
- My services are not web based, how can I use identities from the proxy? AARC-G007
- How should services hint which IdP they would like users to use? AARC-G049
- Which security practices should I follow? AARC-G014
User Identity:
- How should I integrate Social Media Identity Providers? AARC-G008
- How should users link accounts, and how does that affect Assurance? AARC-G009
- How should services indicate that they would like users to authenticate with multifactor authentication, and how should my proxy forward that information? AARC-G029
Assurance:
- How should assurance information of external identities be calculated? AARC-G031
- What can I say about assurance of identities from social media accounts? AARC-G041
- How is assurance impacted by account linking? AARC-G009
- How should assurance information be shared with other infrastructures? AARC-G021
- Which Assurance Profiles should I use? There are so many! AARC-I050
Proxies:
- How can I ensure that my proxy is able to accurately claim that it supports best practices in Identity Federation? AARC-G015
- How should I express the home institute of a user? AARC-G025
- How should I express the identifier of a user? AARC-G026
- How should I express assurance information for users when interacting with another proxy? AARC-G021
- How can my proxy simplify the discovery process for end-users? AARC-G061
- How can my proxy route the user to the correct discovery service? AARC-G062
What next? Are you looking for a kick start with your policies? Take a look at the Policy Development Toolkit, which provides a set of templates.
Certain guidelines are being adopted by the AEGIS community to support interoperability between infrastructures – consider prioritising these best practices.

Guidelines
AARC has guidelines and best practice recommendations to support the implementation of the Blueprint Architecture.

Infoshares
- Final AARC BPA webinar (18 Apr 2019): webinar video & slides with notes.
- Introduction to the AARC BPA webinar (31 Jan 2017): webinar video.

AARC in Action
Case studies showing how the Blueprint Architecture is helping research communities to find AAI solutions.
Start with AARC – Blueprint Architecture video
Get in touch!
We welcome your feedback – send your comments, questions or suggestions about the Blueprint Architecture to aarc-connect@lists.geant.org
News and articles
- How AARC Blueprint Architecture supports research collaborations
- A new blueprint architecture, policy toolkit and other developments for the final year of AARC (blog post, April 2018)