AARC Blueprint Architecture

The AARC Blueprint Architecture (BPA) is a set of software building blocks that can be used to implement federated access management solutions for international research collaborations. The Blueprint Architecture lets software architects and technical decision makers mix and match tried and tested components to build customised solutions for their requirements.

The final version consists of five component layers grouped by functional roles:

  • User Identity: services which provide electronic identities that can be used by users participating in international research collaborations.
  • Community Attribute Services: components related to managing and providing information (attributes) about users, such as community group memberships and roles, on top of the information that might be provided directly by the identity providers from the User Identity Layer.
  • Access Protocol Translation: defines an administrative, policy and technical boundary between the infrastructure's internal services and resources and the external ones.
  • Authorisation: contains elements to control the many ways users can access services and resources.
  • End-services: where the external services interact with the other elements of the AAI.

Not sure how to begin with the AARC Blueprint Architecture? There are plenty of guidelines available but it can be a minefield at first. You probably want to start by designing the high level approach of your infrastructure based on the AARC Blueprint Architecture. There are several general topics you should consider, such as Data Protection (AARC-G042) and Federated Security Incident Response (AARC-I051). Here you can find common questions matched to the relevant Blueprint Architecture component, along with links to guidelines that can help.

Community Attribute Services:

  • How should attributes from multiple sources be aggregated? AARC-G003
  • How should I express the home institute of a user? AARC-G025
  • How should I express the identifier of a user? AARC-G026
  • What are the best practices for running my Attribute Authorities securely? AARC-G071
  • Which Acceptable Use Policy should I use to facilitate interoperability? AARC-I044
  • How should I infer the affiliation of a user? AARC-G057

Authorisation:

  • How should I manage authorisation information from multiple sources? AARC-G006
  • How should group and role information be expressed to facilitate interoperability? AARC-G002
  • How should resource capabilities be expressed? AARC-G027

End Services:

  • My service needs to act on behalf of the user – how should I handle credential delegation and impersonation? AARC-G005
  • My services are not web based, how can I use identities from the proxy? AARC-G007
  • How should Services hint which IdP they would like users to use? AARC-G049
  • Which Security practices should I follow? AARC-G014

User Identity:

  • How should I integrate Social Media Identity Providers? AARC-G008
  • How should users link accounts, and how does that affect Assurance? AARC-G009
  • How should services indicate that they would like users to authenticate with multifactor authentication, and how should my proxy forward that information? AARC-G029

Assurance:

  • How should assurance information of external identities be calculated? AARC-G031
  • What can I say about assurance of identities from social media accounts? AARC-G041
  • How is assurance impacted by account linking? AARC-G009
  • How should assurance information be shared with other infrastructures? AARC-G021
  • Which Assurance Profiles should I use? There are so many! AARC-I050

Access Protocol Translation:

  • Which best practices should I follow for my Token Translation Services? AARC-G004
  • How should I translate from Identity Federation information to X.509 certificates? AARC-G010

Proxies:

  • How can I ensure that my proxy is able to accurately claim that it supports best practices in Identity Federation? AARC-G015
  • How should I express the home institute of a user? AARC-G025
  • How should I express the identifier of a user? AARC-G026
  • How should I express assurance information for users when interacting with another proxy? AARC-G021
  • How can my proxy simplify the discovery process for end-users? AARC-G061
  • How can my proxy route the user to the correct discovery service? AARC-G062

What next? Are you looking for a kick start with your policies? Take a look at the Policy Development Toolkit which provides a set of templates.

Certain guidelines are being adopted by the AEGIS community to support interoperability between infrastructures – consider prioritising these best practices.

Guidelines

AARC has guidelines and best practice recommendations to support the implementation of the Blueprint Architecture.

AARC in Action

Case studies showing how the Blueprint Architecture is helping research communities to find AAI solutions.

Start with AARC – Blueprint Architecture video

Get in touch!

We welcome your feedback – send your comments, questions or suggestions about the blueprint architecture at aarc-connect@lists.geant.org