Software architects and technical decision makers looking for an authentication and authorisation infrastructure (AAI) solution for their research collaboration can #StartWithAARC. The final AARC Blueprint Architecture (BPA) uses a ‘community first’ approach and gives a head start in building a customised solution that supports federated access via eduGAIN.
The AARC BPA is a reference architecture that provides a set of ‘building blocks’ – key components that can be mixed and matched according to specific needs to build an AAI in a scalable and secure way.
The final version of the BPA focuses on allowing the AAIs of different research- and e-infrastructures to inter-operate. This functionality is needed by research communities requiring access to resources that are offered by other infrastructure providers.
The BPA promotes a ‘community first’ approach, introducing the Community AAI. This element streamlines how researchers can access services – either by using their credentials that are managed by an institution participating in a national identity federation in eduGAIN, or by using credentials issued by other parties such as social media or community-managed identity providers. The Community AAI is therefore responsible for dealing with the complexity of using different identity providers with the required community services.
The Community AAI also enables the addition of attributes to the federated identity, that in turn can enable service providers to control access to their resources, which can range from typical web services to data repositories or scientific instruments. These community-specific services only need to connect to a single identity provider, i.e. their Community AAI IdP Proxy. Apart from the community-specific services, there are generic services, such as the RCauth.eu Online CA, which serve the needs of several communities and are thus connected to more than one Community AAI. Communities may also require access to various services which themselves are behind (another) proxy, as often is the case with resources offered by e-infrastructures or research infrastructures. These Infrastructure Proxies can be connected to different Community AAIs.
It should be noted that the ‘community-first’ approach does not impose a requirement on communities to deploy and operate a Community AAI on their own. There are multi-tenant deployments of AAI services (typically operated by the generic e-infrastructures) that can support different communities. The ‘multi-tenancy’ feature of the deployment means that the Community AAI service appears as a single service to the IdPs, yet serves multiple communities.
Evolution rather than revolution
The first version of the AARC Blueprint Architecture (AARC-BPA-2016) was published in summer 2016. The next version of the AARC Blueprint Architecture (AARC-BPA-2017), built upon the previous one and provided a more detailed layered architecture, while retaining full backwards compatibility.
While the previous versions of the BPA provided a blueprint for implementing an AAI, the final version focuses on the cross-AAI inter-operability aspects and provides a broader view for addressing an increasing number of use cases from research communities requiring access to federated resources offered by different infrastructure providers.
The final AARC BPA is backwards compatible with previous versions which have already been adopted by many e-infrastructure providers, research infrastructures and collaborations.
Want to know more? Check out the April 2019 BPA webinar video and slides with notes (pdf). An older, comprehensive presentation on the previous BPA is also available.