The goal of the AARC project is to guide research communities, cloud providers and commercial service providers through the galaxy of complex technologies used for Authentication and Authorisation Infrastructures (AAI). The project is an opportunity for communities to work together, to harmonise AAI approaches and to find suitable components to manage access to shared resources.
During the lifetime of AARC, we started a comparative analysis of the AAI components used in the European e-infrastructures, looked at the assurance aspects across these e-infrastructures, drafted a blueprint AAI architecture and piloted the integration of several AAI components in production infrastructures. All of this aimed at gluing AAI components together and providing a stepping stone for research communities and e-infrastructures to manage access to their shared resources in a scalable way.
One AARC pilot task is led by EGI and focuses on the deployment of components for attribute management and consumption in a federated environment. The use case for this pilot applies to the needs of e-infrastructures (like EGI and EUDAT) and of research infrastructures supporting multiple communities that manage access in a federated setting. And why federated? Because components such as identity providers (IdPs), service providers (SPs) and attribute authorities (AAs) are typically operated by separate entities.
The picture below provides a simplified view of the attribute management pilot setup: the e-infrastructure or research community uses externally managed attribute authorities (such as COmanage and PERUN), aggregates the attributes from these different sources in a central proxy (SimpleSAMLphp), and forwards the enriched set of attributes in a form that service providers (such as OpenStack Liberty) can easily consume to make authorisation decisions.
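The aggregation step described above, as an added illustration that is not code from the AARC pilot or from SimpleSAMLphp: a proxy merges the IdP assertion with attributes from two attribute authorities, keeps the identifier the IdP asserted, and an SP then decides on the enriched set. Attribute names follow eduPerson; the source names, entitlement URNs and user data are constructed.

```python
"""Added example: attribute aggregation in a central proxy and an
SP-side authorisation decision on the enriched attribute set.
All sources, URNs and values below are constructed sample data."""
from typing import Dict, List

Attributes = Dict[str, List[str]]


def aggregate(idp: Attributes, authorities: Dict[str, Attributes]) -> Attributes:
    """Merge the IdP assertion with attributes from each attribute authority.
    Identity attributes stay as asserted by the IdP; multi-valued attributes
    from the AAs are unioned and de-duplicated, so a membership asserted by
    two AAs appears once in the forwarded set."""
    merged: Attributes = {k: list(v) for k, v in idp.items()}
    for attrs in authorities.values():
        for name, values in attrs.items():
            if name == "eduPersonPrincipalName":
                # An AA must not override the identifier the home IdP asserted.
                continue
            for value in values:
                if value not in merged.setdefault(name, []):
                    merged[name].append(value)
    return merged


def authorise(attrs: Attributes, required_entitlement: str) -> bool:
    """SP-side decision: grant only if the enriched set carries the
    entitlement this service requires."""
    return required_entitlement in attrs.get("eduPersonEntitlement", [])


# Constructed sample data: the home IdP asserts identity, two AAs add
# community membership; one AA also carries a conflicting identifier.
IDP_ASSERTION: Attributes = {
    "eduPersonPrincipalName": ["alice@example-university.org"],
    "mail": ["alice@example-university.org"],
}
AUTHORITIES: Dict[str, Attributes] = {
    "comanage-example": {
        "eduPersonEntitlement": ["urn:example:community:vo1:member"],
        "eduPersonPrincipalName": ["someone-else@other.example"],  # ignored
    },
    "perun-example": {
        "eduPersonEntitlement": ["urn:example:community:vo1:member",
                                 "urn:example:community:vo1:admin"],
    },
}

if __name__ == "__main__":
    enriched = aggregate(IDP_ASSERTION, AUTHORITIES)
    print(enriched)
    print(authorise(enriched, "urn:example:community:vo1:admin"))
```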