Two key areas of the AARC (Authentication and Authorisation for Research and Collaboration) project made significant progress at an ‘All Hands’ meeting held on 21-23 November. The team responsible for training agreed priorities for activities until the end of year 1 of this, the second AARC project, and the requirements of research collaborations for technical pilots were finalised, so work on pilots can now proceed.
Arnout Terpstra (SURFnet), leader of the pilots work package, reported on the results of interviews that had been conducted with the research communities participating in the AARC pilots. Interactive sessions during the All Hands meeting gave an opportunity to scope the various pilots on the basis of these communities’ requirements and the availability of resources, both in AARC and on the research communities’ side. It was agreed to conclude the pilot on interoperability between EUDAT and PRACE and to start pilots to support the following communities:
- CTA (Cherenkov Telescope Array), coordinated by Mario Reale (GARR)
- EPOS (European Plate Observing System), coordinated by Mario Reale (GARR) and Kostas Koumantaros (GRNET)
- Life sciences AAI, coordinated by Kostas Koumantaros (GRNET)
- EISCAT (European Incoherent SCATter Scientific Association), coordinated by Mario Reale (GARR) and Kostas Koumantaros (GRNET)
- DARIAH – EGI interoperability pilot, coordinated by Diego Scardaci (EGI)
The single-community pilots focus on supporting each community in implementing its own AAI (authentication and authorisation infrastructure) that follows the AARC blueprint architecture and implements the relevant policies. The cross-infrastructure pilots focus on enabling users to access services offered by different infrastructures.
Andrea Biancini (Reti), leader of the training activity, presented the modular approach being taken to AARC training. Priorities for the next 6 months were defined based on feedback from the meeting participants. The following areas were highlighted as high priorities:
- Training for the life sciences community, following the first pilot results expected in January 2018;
- Training for the EPOS community resource providers, explaining how to enable federated access, and a more general training on how EPOS can deploy an AAI based on the AARC blueprint architecture;
- General training on AARC policies;
- Training modules to support service providers in research collaborations.
In parallel the training team will continue to work on a ‘handbook’ for service providers that will be made available via e- and research-infrastructures. This will provide information on how to enable federated access and how to connect to infrastructure proxies.
Other progress – policies and architecture
Nicolas Liampotis (GRNET), leader of the architecture work package, discussed topics related to cross-infrastructure interoperability, step-up authentication, and the roles, responsibilities and security considerations for VOs (virtual organisations). A focus was put on different aspects of assurance based on the REFEDS Assurance Framework (RAF), led by Mikael Linden (CSC). In this respect, Peter Solagna (EGI Foundation) presented the complementary assurance profiles that AARC is defining to support research and e-infrastructure users whose identities cannot be mapped to the RAF Cappuccino and/or Espresso profiles. Davide Vaghetti (GARR) presented approaches to evaluating the combined assurance information in the case of identity linking. This is a complex space and clearly more discussion among research- and e-infrastructures is needed. The architecture team is also investigating requirements for supporting step-up authentication; to this end there are two main activities, led by Marcus Hardt (KIT):
- A holistic approach to elevation of identity assurance, which will continue until there is a general consensus to release a first draft;
- Step-up authentication via MFA, which will be finalised (v1) before Christmas.
Furthermore, based on the different VO roles identified in the policy work package, Jens Jensen (STFC) discussed the technical requirements for VO platforms to support these roles. Lastly, Nicolas discussed mechanisms for exchanging affiliation information among research infrastructures.
The policy work package team, led by David Groep (Nikhef), reported on recent progress. David Kelsey (STFC) discussed a plan to define a policy toolkit aimed at research- and e-infrastructures that want to implement an AAI that follows the AARC blueprint. Hannah Short (CERN) described work to define and test an incident response model. During the testing phase it would be useful to have participants from some e-science service providers, some identity providers and some federations. Hannah also reported on plans to use a registry (not linked to federations) as an additional source of authoritative information for those entities that support Sirtfi (Security Incident Response Trust Framework for Federated Identity). The REFEDS draft document about such a registry was discussed at the Internet2 Technology Exchange conference in 2017. Hannah will report on developments in this space. Uros Stevanovic (KIT) gave an update on the GDPR (General Data Protection Regulation) and its potential implications for research- and e-infrastructures. Uros also reported on the community policy engagement done in AARC; he asked the research- and e-infrastructures participating in AARC to provide their requirements on security policies, data processing, logging policies and so on.
It was great to see so many people getting together and having so many lively conversations!
The next AARC All Hands meeting is planned for April (date to be confirmed). All project participants and any other interested parties are welcome to join us.