AARC: Why and How?
Interoperability, sustainability, integration and compatibility: AARC – a set of turn-key solutions bringing research collaborations closer together.
Researchers must be able to easily access and share resources in order to collaborate. The growth of identity federations at the national and international level has proved to be a successful model to efficiently increase scientific collaboration.
Thanks to the eduGAIN service, individual researchers can use their institutional credentials to access thousands of resources available to their own organisation. However, this does not provide everything that members of research collaborations need. After all, they need to manage, access and share resources based on their roles within these collaborations. So research collaborations need their own authentication and authorisation infrastructure (AAI) – one that allows researchers to seamlessly access all the online resources they need.
This in turn raises new challenges. Although a researcher can access an individual research infrastructure, horizontal authorisation across different research and e-infrastructures remains difficult, particularly when a researcher working within a single project needs resources provided by several infrastructures. Moreover, every infrastructure building its own AAI creates compatibility problems, quite apart from the time spent creating something new.
The challenge, then, is to integrate identity services across different infrastructures and to give research communities the support they need to share data and resources securely. How? The first step is to gather the requirements for federated identity management, which differ for each scientific community, research infrastructure and e-infrastructure, while taking account of technology constraints, so that the solutions adopted are sustainable in both economic and technological terms.
And this is where the AARC project comes in.
AARC: Understanding the needs of communities
The first EU-funded AARC project (2015-2017) gathered requirements from e-infrastructures on federated authentication and authorisation. 20 partners joined the project, including NRENs, GÉANT, e-infrastructures such as EGI, PRACE and EUDAT, and important user communities like ELIXIR and DARIAH.
These requirements pointed to an integrated AAI that is easy to use and gives each user a single digital identity for accessing all services with their institutional credentials alone. Such an infrastructure must also integrate identity solutions for guest users securely, support stronger authentication mechanisms, and grant access to services on the basis of a user's role within the scientific collaboration.
From requirement analysis to the ‘prototype’ design
To address these issues, AARC devised an approach to build such an infrastructure in a scalable and secure way by creating a blueprint architecture (BPA). The BPA defines the functional building blocks for interoperation with the national identity federations and with eduGAIN. This blueprint defines the key components that can be mixed and matched according to specific needs. This flexibility gives software architects and technical decision makers a head start in building a customised solution for their research collaboration.
Harmonising rules for a common infrastructure: the policies
Harmonising the rules that organisations apply to identity management is essential for achieving an integrated AAI framework. AARC focused on sharing recommendations and common best practices that adhere to two fundamental principles: scalability and sustainability.
The main aspects to be harmonised are the reliability of the identities, identifiers and attributes of users coming from different organisations. This is captured by the Levels of Assurance (LoA) associated with identities, and it matters because interactions between infrastructures require attributes from several sources to be combined, so a relying party needs to know how much it can trust each one.
Another important point was the definition of a common framework for federations to deal with security incidents: ‘Sirtfi’, the Security Incident Response Trust Framework for Federated Identity.
It’s a matter of proxy
The AARC blueprint model proposes the introduction of a proxy, operated by the research infrastructure, which connects to eduGAIN on one side and to the infrastructure's own services on the other. To ensure that trust is preserved through this extra hop, AARC defined a specific framework called Snctfi (Scalable Negotiator for a Community Trust Framework in Federated Infrastructures). Snctfi ensures, among other things, that the entities connected to the proxy adopt Sirtfi and the Research and Scholarship (R&S) entity category. AARC also looked at the protection of the (mostly personal) data generated by the use of infrastructures, and at the accounting procedures needed for the security and accountability of resources.
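As an added illustration (not part of the original article or of the AARC project's own software), the following Python script shows what the Sirtfi and Snctfi requirements above look like in practice for a proxy operator: in SAML federation metadata, Sirtfi compliance and the R&S entity category are published as entity attributes, and a proxy can refuse to onboard a service whose metadata lacks them. The attribute names and values are the real ones used in eduGAIN metadata; the entityIDs and the metadata aggregate are constructed for the example, and the aggregate is assumed to have had its signature verified before it reaches this check.

```python
"""Gate entities behind an infrastructure proxy on Sirtfi and R&S.

Added example, not AARC project code.  Attribute names/values are the real
ones published in eduGAIN metadata; SAMPLE_METADATA below is constructed.
Assumes the metadata aggregate's signature has already been verified.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Entity attribute names and values as used in eduGAIN metadata.
ASSURANCE_CERTIFICATION = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
ENTITY_CATEGORY = "http://macedir.org/entity-category"                  # asserted by SPs
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"  # asserted by IdPs
SIRTFI = "https://refeds.org/sirtfi"
RS = "http://refeds.org/category/research-and-scholarship"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def entity_attributes(entity):
    """Collect mdattr:EntityAttributes of one EntityDescriptor as {name: set(values)}."""
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs


def check_entity(entity):
    """Decision for one entity: accepted only if it carries Sirtfi AND R&S."""
    attrs = entity_attributes(entity)
    is_idp = entity.find("md:IDPSSODescriptor", NS) is not None
    # SPs assert R&S membership; IdPs assert that they *support* R&S.
    category_attr = ENTITY_CATEGORY_SUPPORT if is_idp else ENTITY_CATEGORY
    missing = []
    if SIRTFI not in attrs.get(ASSURANCE_CERTIFICATION, set()):
        missing.append(SIRTFI)
    if RS not in attrs.get(category_attr, set()):
        missing.append(RS)
    return {"role": "IdP" if is_idp else "SP", "accepted": not missing, "missing": missing}


def check_metadata(xml_text):
    """Evaluate every EntityDescriptor in an aggregate (or a single descriptor)."""
    root = ET.fromstring(xml_text)
    tag = "{%s}EntityDescriptor" % NS["md"]  # iter() includes the root itself
    return {e.get("entityID"): check_entity(e) for e in root.iter(tag)}


def _attr(name, value):
    return ('<saml:Attribute Name="%s" NameFormat="%s">'
            '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
            % (name, URI_FORMAT, value))


# Constructed sample: one compliant SP, one SP without R&S, one IdP without Sirtfi.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp-ok.example.org/saml">
    <md:Extensions><mdattr:EntityAttributes>%s%s</mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-nors.example.org/saml">
    <md:Extensions><mdattr:EntityAttributes>%s</mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>%s</mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
""" % (_attr(ASSURANCE_CERTIFICATION, SIRTFI), _attr(ENTITY_CATEGORY, RS),
       _attr(ASSURANCE_CERTIFICATION, SIRTFI), _attr(ENTITY_CATEGORY_SUPPORT, RS))


if __name__ == "__main__":
    for entity_id, result in check_metadata(SAMPLE_METADATA).items():
        verdict = "onboard" if result["accepted"] else "reject"
        print("%-40s %s %s  missing=%s" % (entity_id, result["role"], verdict, result["missing"]))
```

Only the first entity would be onboarded; the second is rejected because it asserts Sirtfi but not R&S, the third because it supports R&S but does not assert Sirtfi. In a real proxy this check belongs in the metadata ingestion step, after signature validation and before the entity is written to the proxy's trust store.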
Testing: the pilots
Alongside the architecture design and the guidelines, a number of pilots were launched, in which 18 solutions were trialled, to evaluate the adequacy of the functional and technical requirements of research communities and e-infrastructures.
These pilots focused on 3 main areas:
- extending the reach of federated access to more communities, such as libraries, including the use of ‘external’ identities such as Google ID;
- testing the technical components and the policies in a production environment;
- trialling resource-sharing scenarios between different e-infrastructures using the same credentials.
Involving research communities: AARC phase 2
Whilst the first AARC project aimed to define an integrated architecture as a reference for all AAIs, the second AARC project (2017-2019) took steps towards implementing the BPA and the common policies, with a greater and more active involvement of the research communities, spanning from Earth sciences and life sciences, to astronomy and high-energy physics, and to arts and humanities. This led to a new BPA ‘community-first’ approach.
During this second phase, AARC built on the earlier work with the objective of extending the results to the largest possible number of users. To this end, a group of research infrastructures joined as partners with the goal of understanding and adopting the AARC architecture and policy recommendations: ELIXIR, CORBEL, CTA, EPOS, LIGO, Helix-Nebula, WLCG, EISCAT-3d and LifeWatch. New pilots therefore became core activities, used to verify requirements with the new communities and to implement solutions for each of them. Training activities played a central role in this second phase of the project, with the creation of a range of courses to meet the needs of all user types, from the technical expert to the manager who must choose how to manage access to the community's services.
AARC established two forums to facilitate dialogue with research communities. The Community Engagement Forum (CEF) made information accessible, encouraged research community feedback on various pilots, and gave communities the opportunity to present their specific case, sharing solutions to problems that could be common or presenting unsolved issues. The AARC Engagement Group for Infrastructures (AEGIS) is for e-infrastructures that operate an AAI that is compliant with the BPA and is used to present results, promote a shared and coherent vision of federated access and facilitate activities so that different infrastructures can adopt interoperable solutions.
AARC: a framework that will benefit all research collaborations
Thanks to the efforts of all the partners and pilots involved, AARC has created a legacy that will remain available to research collaborations worldwide:
- A secure and scalable Blueprint Architecture
- A Policy Development Kit (PDK) that provides introductory information, training materials, template documents, and detailed guidelines on policy for AAIs.
- A set of AARC in Action case studies, which provide examples and a reference to help organisations understand which solution best fits their needs.
– – – – –
This text is based on an Italian-language article by Elis Bertazzon (Consortium GARR – GARR News, N. 16 July 2017) translated by Valentino Cavalli (then at LIBER Europe).
Leaflet: AARC & eduGAIN: expanding access to online resources for students, teachers and researchers
Final AARC Blueprint Architecture