Collaborating online and the ability to share research facilities like data storage and compute resources are important basic conditions for the success of collaborative research efforts. On May 1st, a two-year Horizon2020 project entitled ‘Authentication and Authorisation for Research and Collaboration (AARC)’ started. This project aims to connect various research communities and to integrate their infrastructures by applying existing authentication and authorisation building blocks for access management. SURFnet takes the lead in one of the work packages in AARC.
SAML, SURFconext and eduGAIN
The availability of a simple and secure method for access management is an important prerequisite for the sharing of research facilities across research communities and across countries. Today, there are many SAML-based identity federations worldwide that successfully support this requirement. For example, in The Netherlands the SURFconext identity federation enables Single Sign-On access to more than 300 services for almost 100% of the Dutch academic community. To extend the success of national identity federations across country borders, eduGAIN offers a Pan-European SAML-based trust framework. This way, users in one country can access services in another country using their verified institutional account.
Despite the existence of well-functioning national identity federations and the availability of a Pan-European trust framework, considerable gains can still be made in this area. For example, we often encounter time-consuming organisational and technical problems when we try to establish SAML connections with identity providers from abroad. Due to privacy legislation, and because many identity management operators at institutions are not yet familiar with the eduGAIN framework, it may be difficult to get the required permission for attribute release. Once permission for the release of attributes has been granted, a lack of standardisation of attributes between countries may be the next showstopper. Harmonising policies across infrastructures is therefore one of the main aims in AARC.
Access to non-web-based facilities
A second topic is the gap that still exists between the web-based SAML world and non-web-based services. The majority of the services shared by e-infrastructure providers like EGI, PRACE, various ESFRI projects and SURFsara are not web-based. Users typically access such resources with an SSH client or via WebDAV. A suitable federation protocol, and clients that implement such a protocol, are simply lacking, which means that authentication for these resources is often based on (not so user-friendly) X.509 certificates rather than SAML. Uniting these two worlds into one integrated infrastructure is a major challenge, but it will dramatically improve the user experience and reduce the administrative burden on administrators of e-infrastructures.
Access for ‘guests’
A third need is for solutions that provide access to shared facilities for users who do not belong to the academic community and for users working at institutions that are not (yet) part of an identity federation. Several ad-hoc solutions exist, but they are sub-optimal according to the quality and security policies of identity federation operators and the requirements of research communities.
Thanks to the on-going efforts of several NRENs, solutions to manage attributes are emerging. By providing attribute management and workflow tools, we can offer research communities an elegant way to manage authorisations and groups at a central, cross-application level. Today, many research communities are not aware of the existence of these solutions and of the added value for their collaborative work. Moreover, the use of such solutions is only worthwhile if services are also able to consume attributes and to make authoritative decisions based upon them. An integrated framework of identity providers, attribute and group providers, attribute aggregation platforms (like OpenConext!) and services that are able to consume attributes can provide many administrative advantages for researchers and administrators of shared research facilities. With this in mind, SURFnet recently launched eduTEAMs, a service that facilitates international collaboration based on groups.
Connecting different worlds
The goal of the AARC consortium is to promote integration between the various e-infrastructures and existing components based on the wishes of the research community (e.g. Elixir, EUDAT, DARIAH). Given the topics that have been addressed above, it will be clear that the focus of AARC is to harmonise standards and policies, connect the web and non-web world (e.g. through token translation services), arrange guest access and expand the current federated authentication infrastructure with suitable solutions for (federated) authorisation. Creating a test bed and integrating the various (mostly existing) components in the form of pilots is an important activity within the programme. The consortium aims to complement current initiatives like those of NRENs, GN3+, GN4 and various AAI task forces within consortia such as EUDAT, DARIAH and Elixir.
The GÉANT association leads the AARC consortium that consists of representatives from 19 different NRENs and e-infrastructure providers (e.g. Nikhef, EGI, PRACE, ESFRIs) in Europe. SURFnet is responsible for implementing and managing the pilot programme. For more information, see the AARC project website.