
Authentication and Authorisation For Research and Collaboration

Next generation Authentication and Authorisation Infrastructure for research communities

Authentication and Authorisation Infrastructure controls access to online resources and user management. But with so many different systems, how do we enable collaboration? One project has come up with an answer that gives researchers secure access across systems.

Digital Economy
Society

Research spans many systems, platforms and geographical boundaries. The Authentication and Authorisation Infrastructures (AAIs) that manage trusted access to research services were typically developed independently, resulting in a lack of interoperation between them. The EU-supported AARC2 project addressed this challenge by delivering an AAI framework to facilitate interoperability. The project capitalised on the interest of major research infrastructures to collectively solve the outstanding challenges preventing wider adoption of federated access. AARC2 created the AARC Blueprint Architecture (AARC BPA), providing a technology-neutral blueprint that standardises the implementation of an AAI for research collaborations, accompanied by a set of policy documents and guidelines for its deployment.

The pan-European federated access solution

The AARC BPA is a suite of customisable software modules enabling federated access management for international research collaborations. Federated access enables users to log in to a variety of services securely – while preserving privacy – with one set of credentials issued by their own organisation, typically a university or research centre (the Identity Provider). “About 5 years ago, it became clear that federated access was the way forward, as it reduces the number of credentials for the users and minimises the personal information shared with services,” says project coordinator Licia Florio. After a needs analysis amongst the research communities, AARC2 chose eduGAIN as the underlying technological foundation to manage users’ identities. “While eduGAIN was already a global infrastructure, tried and tested by R&E communities, we wanted to move its adoption to the next level,” recalls Florio. The team engaged with all the communities of the European Strategy Forum on Research Infrastructures (ESFRI). This enabled the project to run 8 use-case pilots, testing the solution’s ability to meet integration (accessing services offered by multiple e-infrastructures) and data-rich requirements. Some research communities already had a production AAI in place so were interested in enhancing it by adopting the AARC BPA; others explored what it takes to deploy a BPA-compliant AAI. “The pilots showed what worked and what needed adjustment; we also developed and delivered guidelines and training modules,” explains Florio. As security and integrity were a key priority in such a federated environment, the AARC community advanced the Security Incident Response Trust Framework for Federated Identity (Sirtfi) to maturity. AARC also built the Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (Snctfi framework) to ensure that the AARC BPA could be deployed in a secure manner.

Already being adopted

Currently, AARC2’s work is being adopted by several research collaborations – including EU-funded projects – to shape their AAI, among them LifeWatch (for biodiversity and ecosystem citizen scientists), EOSC-Life (aimed at the life science community) and LIGO (supporting gravitational waves observation). The AARC BPA is also being deployed by the HPC community and the EOSC-Hub project, and it is the reference model for the European Open Science Cloud (EOSC). “AARC2’s results will help researchers and students to collaborate more easily, getting access to online resources, facilitating the secure exchange of data needed for their day-to-day work,” says Florio. AARC2’s material and training are currently available under a Creative Commons Attribution 4.0 licence to anyone operating research and education services or responsible for designing their AAI. The AARC community continues to evolve the AARC results via AEGIS and other existing groups.

Keywords

AARC2, authentication, authorisation, interoperation, security, private, federated access