Pilots

Objectives

Ensuring that digital credentials issued in the R&E community can be used to access services offered by different e-Infrastructures or research communities is a key goal to achieve the vision of an integrated AAI.

Key focus areas for pilots are:

  • Providing access to shared resources for all users, including guests, participating in a virtual collaboration;
  • Testing with different levels of trust associated with user credentials;
  • Providing scalable mechanisms to handle authorisation at resource level;
  • Piloting federated access for specific (commercial) resources and services that are not currently available in the federated portfolio;
  • Piloting the introduction of attribute management services.

We established a solid base – a pilot environment that has been created in line with the AARC project’s own blueprint architecture and guidelines.

Outcomes

As of May 2017, we piloted 18 existing AAI solutions to assess to what extent they meet the functional and technical (integration) requirements of research communities and e-infrastructures. While performing these pilots we had the opportunity to mix and match components and, at the same time, create deployment scripts, identify possible improvements to the code and add documentation. Almost all pilots deployed in AARC have been described according to a standard template which includes the aim of the pilot, the software sources used, a functional flow and, where possible, a live demo. This way we increase the visibility and show the relevance of the tested AAI solutions for our target communities.

Key focus areas for pilots were:

  • Pilots to expand the reach of federated access, e.g. AAI for libraries and solutions to include “external identities” such as Google IDs;
  • Testing technical and policy components for attribute management and token translation;
  • Cross-infrastructure pilots to enable the shared use of resources from two or more e-infrastructures with a single identity;
  • Enabling federated access to 3rd-party services.

Below you will find a short description and the links to more detailed resources on the public AARC wiki space:

AARC pilots overview

Expanding the reach of federated access

  • A proxy to centralize access management for library resources
  • An EZproxy-based solution to bridge SAML to IP-based access for library services
  • Enabling and managing access to library resources for walk-by users
  • Linking an ORCID persistent iD to the user's institutional account with COmanage
  • Mechanisms to include social identities in the authentication and authorization process when accessing shared R&E resources

Testing technical and policy components

  • Managing group membership attributes or other attributes from multiple sources which can be used in a federated environment to regulate access to EGI services
  • Managing group membership attributes or other attributes from multiple sources which can be used in a federated environment to regulate access to BBMRI services
  • Enabling certificate-based access to ELIXIR and EGI services with VOMS and RCauth.eu
  • Reusing existing issued certificates in order to access services published to eduGAIN (IGTF to eduGAIN proxy)
  • Enabling access to X.509-based resources without the need for users to understand the intricacies of a Public Key Infrastructure: RCauth.eu (CILogon-like pilot)
  • Enabling a researcher to enrol in a collaborative organization and to upload an SSH public key for access to non-web resources with COmanage (COmanage SSH pilot)
  • Managing credentials for services that do not natively support OpenID Connect with the WaTTS token translation service: testing the SSH plugin (WaTTS SSH-plugin)
  • Using OIDC to generate a session in which an RCauth certificate is stored in WaTTS (WaTTS RCauth-plugin)
  • Providing access to non-web resources via SAML and PAM with LDAPfacade

Cross-infrastructure pilots

  • Allowing end users to transparently access EGI and EUDAT resources with an institutional account (EUDAT-EGI)
  • Enabling automatic provisioning of accounts on EUDAT from PRACE (EUDAT-PRACE pilot)

Enabling federated access to (commercial) 3rd-party services

  • Enabling federated access and IdP selection to get access to the Seafile file syncing and sharing service (Seafile with SAML federation pilot)
  • Exploring federated access to the Nextcloud web-based document management service and the Collabora Online office suite (CollaboraNextCloudDemos)

This work package is led by SURFnet (Paul van Dijk).