AEGIS group endorses AARC guidelines on membership information exchange

Licia Florio writes about the group’s first achievement

The AARC Engagement Group for Infrastructures (AEGIS) brings together representatives from research and e-infrastructures, operators of AAI services and the AARC team to bridge communication gaps and exploit common synergies. The group was set up during the summer and has recently endorsed the AARC guidelines on expressing group membership and role information. By agreeing to these guidelines, AEGIS has taken its first step in providing practical support for the wider uptake of AARC's interoperable federated access solutions.

The current members of AEGIS who endorsed the guidelines are from five e-infrastructures (EGI, EUDAT, GÉANT, PRACE and XSEDE) and two domain-specific research infrastructures (ELIXIR and DARIAH).

Why do we need guidelines for group membership?

Information about group membership is commonly used by Service Providers (SPs) to authorise user access to protected resources. Apart from the group information managed by the user's home Identity Provider (IdP), research communities usually operate their own group management services. Such services often act as Attribute Authorities (AAs), maintaining additional information about users, including VO membership, group membership within VOs, and user roles. It is therefore necessary that all involved SPs and IdPs/AAs interpret this information in a uniform way. Specifically, the following challenges need to be addressed:

  • Standardising the way group membership information is expressed:
    • Syntactically: uniform formatting; for example, representing group membership as URNs within a specific namespace, with a set of rules for the namespace-specific string (NSS) portion
    • Semantically: a common representation of equivalent concepts; for instance, a role that one community calls "admin" and another calls "manager" should be communicated to the receiving SPs as "manager"
  • Indicating the entity that is authoritative for each piece of group membership information
  • Expressing VO membership and role information
  • Supporting group hierarchies in group membership information
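The four challenges above are easiest to see from the receiving side. Below is an added example, not code from the AARC project or from the endorsed guideline, of an SP-side parser and authorisation check for group-membership values. The URN layout it parses (`urn:geant:<namespace>:group:<group>[:<subgroup>...][:role=<role>]#<authority>`), the role-synonym table, the rule that subgroup membership implies membership of the parent group, the "no role inheritance" rule, and all domain names are assumptions chosen to exercise the challenges; the normative syntax is the one in the guideline document.

```python
"""SP-side parsing and authorisation on group-membership URNs from an AA.

Added example, not code from the AARC project or the endorsed guideline.
The URN layout is an ASSUMPTION used to exercise the challenges in the text
(uniform syntax, role synonyms, authoritative entity, hierarchy); the
normative syntax is the one defined in the guideline document.

Assumed layout:
    urn:geant:<namespace>:group:<group>[:<subgroup>...][:role=<role>]#<authority>
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

URN_PREFIX = "urn:geant:"  # assumed NID plus leading NSS segment that all parties agree on
# Semantic normalisation: equivalent role names an AA might emit, mapped to what the SP sees.
ROLE_SYNONYMS = {"admin": "manager", "administrator": "manager", "manager": "manager"}
# Assumed rule for one NSS segment: no ':' or '#', so the layout stays unambiguous.
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass(frozen=True)
class GroupEntitlement:
    namespace: str            # community namespace, e.g. the VO operator's domain
    groups: Tuple[str, ...]   # group path, root first; ('data', 'curators') is a subgroup of 'data'
    role: Optional[str]       # normalised role within the innermost group, if any
    authority: str            # entity asserting this membership (the '#' fragment)


def parse_entitlement(value: str) -> GroupEntitlement:
    """Turn one URN into a GroupEntitlement; raise ValueError for anything off-format."""
    if not value.startswith(URN_PREFIX):
        raise ValueError(f"not in the agreed namespace: {value!r}")
    body, sep, authority = value.partition("#")
    if not sep or not _SEGMENT.match(authority):
        raise ValueError(f"missing or malformed group authority: {value!r}")
    parts = body[len(URN_PREFIX):].split(":")
    if len(parts) < 3 or parts[1] != "group":
        raise ValueError(f"NSS must read <namespace>:group:<group>...: {value!r}")
    namespace, path = parts[0], parts[2:]
    role = None
    if path[-1].startswith("role="):
        raw_role = path.pop()[len("role="):].lower()
        if not raw_role:
            raise ValueError(f"empty role: {value!r}")
        role = ROLE_SYNONYMS.get(raw_role, raw_role)
    if not path:
        raise ValueError(f"role given without a group: {value!r}")
    for segment in [namespace, *path]:
        if not _SEGMENT.match(segment):
            raise ValueError(f"bad NSS segment {segment!r} in {value!r}")
    return GroupEntitlement(namespace, tuple(path), role, authority)


def is_valid_entitlement(value: str) -> bool:
    """True if the value is interpretable under the assumed layout."""
    try:
        parse_entitlement(value)
        return True
    except ValueError:
        return False


def is_member_of(ent: GroupEntitlement, group_path: List[str]) -> bool:
    """Hierarchy rule (assumed): membership of a subgroup implies membership of its parents."""
    return list(ent.groups[:len(group_path)]) == list(group_path)


def authorise(values: Iterable[str], required_group: List[str],
              required_role: Optional[str] = None,
              trusted_authorities: FrozenSet[str] = frozenset()) -> bool:
    """SP decision: grant if some interpretable, trusted value satisfies the requirement."""
    if required_role is not None:   # normalise the SP's own policy the same way
        required_role = ROLE_SYNONYMS.get(required_role.lower(), required_role.lower())
    for value in values:
        if not is_valid_entitlement(value):
            continue                # ignore off-format values rather than guess at them
        ent = parse_entitlement(value)
        if ent.authority not in trusted_authorities:
            continue                # only the authoritative entity may assert this group
        if required_role is None:
            if is_member_of(ent, required_group):
                return True
        # A role is scoped to the exact group it was asserted for (assumed: no inheritance).
        elif list(ent.groups) == list(required_group) and ent.role == required_role:
            return True
    return False


# Constructed sample values, as an SP might receive them in one assertion.
SAMPLE_VALUES = [
    "urn:geant:example.org:group:vo.example.org:role=admin#aai.example.org",        # admin -> manager
    "urn:geant:example.org:group:data:curators#aai.example.org",                    # subgroup of 'data'
    "urn:geant:example.org:group:vo.other.org:role=manager#aai.untrusted.example",  # untrusted authority
    "urn:mace:example.org:group:vo.example.org#aai.example.org",                    # wrong namespace
]
TRUSTED = frozenset({"aai.example.org"})

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(parse_entitlement(v) if is_valid_entitlement(v) else f"rejected: {v}")
    print(authorise(SAMPLE_VALUES, ["vo.example.org"], "admin", TRUSTED))          # True
    print(authorise(SAMPLE_VALUES, ["data"], trusted_authorities=TRUSTED))         # True, via subgroup
    print(authorise(SAMPLE_VALUES, ["vo.other.org"], trusted_authorities=TRUSTED)) # False, untrusted AA
```

Two design points carry over to any real deployment: values that do not parse are dropped rather than interpreted loosely, and the authority fragment is checked against an explicit allow-list, so a group asserted by an entity the SP does not trust for that namespace never grants access even if the group name matches.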

The guidelines document endorsed by AEGIS agrees on a common way to exchange group information across different infrastructures, ensuring that everyone uses the same concepts and formats.

The recommendations were defined from the experience of multiple parties in the AARC project and have subsequently been discussed and tested in the attribute management pilot (AARC-SA1-AMP) run by the project's Service Activity 1 (SA1). Furthermore, a group membership representation scheme following these recommendations has already been adopted to enable cross-infrastructure exchange of group information between the EGI and ELIXIR AAIs.

Bi-directional channel

AEGIS provides a bi-directional channel through which AARC and the research and e-infrastructure communities can advise each other on developments and on implementation aspects of the project. In practice, AEGIS provides a mechanism to ensure that AARC results are fit for purpose and are known to those who will need to deploy them. AEGIS helps participating infrastructures understand the importance of adopting the AARC frameworks, and helps to uncover issues that might otherwise surface only during deployment.

More information

Licia Florio is the coordinator of the AARC2 project.

AARC website