AARC reviews progress and strategy at CERN meeting

AARC reviews progress and strategy at CERN meeting

The iconic globe building outside CERN’s main entrance.

Passionate and fruitful discussions during the AARC project’s final meeting of 2016 showed the value of face-to-face gatherings. Kindly hosted by CERN on 29 November to 1 December, the meeting agenda was packed with sessions reviewing the project’s strategic direction and its policy, pilots, architecture and training activities.

During the past 1,5 years, AARC has produced concrete results in the technical, policy and pilot activities. In this meeting, we reviewed progress and reflected on key aspects to focus on for the remainder of the project.

With results maturing, it is important to ensure that everybody in the project is aware of them, and to promote them outside the project. So more attention will be given to internal and external communications. A revision of the project website has started, to make material easier to find, and will continue until the end of the project. And AARC will enhance the materials it has collected about basic federated identity management (FIM), ensuring that it is more effective as training material to support scientific service providers to enable federated access. There will also be a focus on creating training modules about key AARC results, such as the blueprint architecture and policy developments – in synergy with other groups where possible.

Uros Stevanovic presenting at the November 2016 general meeting of the AARC project.

The AARC remit and strategy had been agreed by the team at the start of the project, with the strategy implemented in two phases. In year one, effort was devoted to working with libraries and to defining the general AARC blueprint architecture (BPA). In year two, more effort is being invested in working closely with research collaborations, in finalising policy guidelines in specific areas, and in testing policy and components of the BPA with interested research- and e-infrastructures. In order to ensure everyone is aware of where we stand and where the project is heading, the AARC strategy document has been made publicly available.

The meeting actions list is available on the wrap up slides.


In more detail:

Significant progress has been made in the policy area:

  • The deliverable “Recommendations and Template Policies for the Processing of Personal Data” led by Uros Stevanovic (KIT) is ready and has been submitted to the EC. The document was shared with the REFEDS list for feedback. The document’s purpose is to provide recommendations and template policies to resource providers and user communities that establish and operate infrastructures. These recommendations will facilitate their ability to collect, transfer, provide access to, and/or publish data related to the accounting, monitoring, logging, or any kind of processing of personal user data needed for the operation of their services. The team will get legal advice before promoting the document widely. Thanks to the whole team and also to Andrew Cormack (JISC) for reviewing it.
  • Hannah Short (CERN) presented the first draft of the “Security Incident Response Procedure” deliverable. This triggered a lot of discussion regarding its focus in the context of AARC. It is clear that while AARC needs to define procedures that work for its main use cases (that is service providers in research and/or e-infrastructures), any procedure to be adopted by research and education (R&E) identity federations should be discussed in a broader forum.
  • “Snctfi”, the work led by Dave Kelsey (STFC) to define a trust model for the proxy which is a core part of the BPA, prompted a very lively breakout session. This work is very critical as, on the one hand, the proxy makes it easy to provide federated access to multiple internal services operated by a research/e-infrastructure, but, on the other hand, poses some security challenges. A small editorial group was appointed to review the first draft document; an updated version is expected in January 2017.

Regarding the architecture work:

  • Nicolas Liampotis (GRNET) presented the current status of work on the recommendations document for expressiong group memberships using eduPersonEntitlements. There was fruitful discussion on a few open topics.
  • Peter Solagna (EGI Foundation) presented the current status of the guidelines document for attribute translation from SAML to X.509. He led discussion on best practices for expressing SAML attributes in X.509v3 proxy certificates.
  • Nicolas Liampotis (GRNET) presented an updated proposal for attribute translation from SAML to OIDC. Using as a starting point the work that had been done in the past in the GN4 context, this took into account his experiences in implementing a SAML to OIDC translation bridge that is already used in production.
  • Mikal Jankowski (PSNC) and Christos Kanellopoulos (GRNET) prompted a discussion about the plan for delivering an initial set of guidelines for federated access to non-browser services (e.g. HTTP APIs). The aim is to provide an initial set of guidelines about technologies that are already widespread and in demand by the research communities.

A number of pilots were demonstrated during the meeting. It is clear that this is a challenging area, particularly regarding the necessary engagement with different research and e-infrastructures, not all of which are equally represented in AARC. The following updates are worth noting:

  • The deliverable Pilots to support guest users’ solutions led by Mario Reale (GARR), has been concluded and submitted. See more more information on this topic on the wiki page.
  • The deliverable on First report on the Pilots led by Paul van Dijk (SURFnet) was undergoing proofreading at time of the meeting; the document has been finalised and submitted.
  • An IGTF-eduGAIN bridge pilot was proposed – the aim being to take as input digital certificates issued by a certification authority that is accredited by the Interoperable Global Trust Federation (IGTF), and to generate a proper SAML assertion based on the certificate type. This approach would offer an additional way to link accounts; the use-case would foresee a special identity provider (IdP) operated by the IGTF community that takes as input IGTF certificates. Such an IdP would also support both RS entity categories and Sirtfi.
  • eIDAS potential pilot – a discussion is ongoing with eIDAS to start a pilot that involves AARC, eduGAIN and some eIDAS member states (UK, Germany, possibly Greece and Italy). This pilot would address two use-cases: accessing services available via eduGAIN using eIDAS eID, and eIDAS eID’s use of eIDAS as a means to access services that require higher level of assurance.

The November meeting also heard reports on relevant work in other projects:

  • Indigo-datacloud TTS pilot – the Indigo-datacloud project aims to develop an open-source platform for computing and data for the R&E community. One of the service components developed in that project is the Token Translation Service, INDIGO TTS. Uros Stevanovic demonstrated a pilot integration of INDIGO TTS with the EGI CheckIn service, in which he was able to access virtual machines available to a hypothetical project.
  • eduTEAMS is the platform being built by the GN4 project to support the need of research groups for an additional specialised infrastructure built on top of eduGAIN, to manage group and authorisation information. The platform is being built to integrate with services provided by any e-infrastructure. An update was provided.