Ensuring that digital credentials issued in the R&E community can be used to access services offered by different e-Infrastructures or research communities is a key goal to achieve the vision of an integrated AAI.
Key focus areas for pilots are:
- Providing access to shared resources for all users, including guests, participating in a virtual collaboration;
- Testing with different levels of trust associated with user credentials;
- Providing scalable mechanisms to handle authorisation at resource level;
- Piloting federated access for specific (commercial) resources and services that are not currently available in the federated portfolio;
- Piloting the introduction of attribute management services.
We established a solid base – a pilot environment that has been created in line with the AARC project’s own blueprint architecture and guidelines.
As of May 2017, we piloted 18 existing AAI solutions to assess to what extent they meet the functional and technical (integration) requirements of research communities and e-infrastructures. While performing these pilots we had the opportunity to mix and match components and, at the same time, to create deployment scripts, identify possible improvements to the code and add documentation. Almost all pilots deployed in AARC have been described according to a standard template that includes the aim of the pilot, the software sources used, a functional flow and, where possible, a live demo. This way we increase the visibility of the tested AAI solutions and show their relevance to our target communities.
Key focus areas for pilots were:
- Pilots to expand the reach of federated access, e.g. AAI for libraries and solutions to include “external identities” such as Google IDs
- Testing technical and policy components for attribute management and token translation
- Cross-infrastructure pilots to enable the shared use of resources from two or more e-infrastructures with a single identity
- Enabling federated access to 3rd party services
Below you will find a short description and the links to more detailed resources on the public AARC wiki space:
| AARC pilots overview | |
|---|---|
| Expanding the reach of federated access | |
| A proxy to centralize access management for library resources | details |
| An EZproxy-based solution to bridge SAML to IP-based access for library services | details |
| Enabling and managing access to library resources for walk-by users | details |
| Linking an ORCID persistent iD to the user's institutional account with COmanage | details |
| Mechanisms to include social identities in the authentication and authorization process when accessing shared R&E resources | details |
| Testing technical and policy components | |
| Managing group membership attributes or other attributes from multiple sources which can be used in a federated environment to regulate access to EGI services | details |
| Managing group membership attributes or other attributes from multiple sources which can be used in a federated environment to regulate access to BBMRI services | details |
| Enable certificate-based access to ELIXIR and EGI services with VOMS and RCAuth.eu | details |
| Reuse already issued certificates in order to access services published to eduGAIN (IGTF to eduGAIN proxy) | details |
| Enable access to X.509-based resources without the need for users to understand the intricacies of a Public Key Infrastructure: RCAuth.eu (CILogon-like pilot) | details |
| Enable a researcher to enrol in a collaborative organization and to upload an SSH public key for access to non-web resources with COmanage (COmanage SSH pilot) | details |
| Managing credentials for services that do not natively support OpenID Connect with the WaTTS token translation service: testing the SSH plugin (WaTTS SSH-plugin) | details |
| Using OIDC to create a session in which an RCauth certificate is stored in WaTTS (WaTTS RCauth-plugin) | details |
| Providing access to non-web resources via SAML and PAM with LDAPfacade | details |
| Cross-infrastructure pilots | |
| Allowing end users to transparently access EGI and EUDAT resources with an institutional account (EUDAT-EGI) | details |
| Enable automatic provisioning of accounts on EUDAT from PRACE (EUDAT-PRACE pilot) | details |
| Enabling federated access to (commercial) 3rd party services | |
| Enable federated access and IdP selection to get access to the Seafile file syncing and sharing service (Seafile with SAML federation pilot) | details |
| Exploring federated access to the Nextcloud web-based document management service and the Collabora Online office suite (CollaboraNextCloudDemos) | details |
This work package is led by SURFnet (Paul van Dijk).