AAI Research Engineer at
GRNET – Greek Research and Technology Network

Introduction
Research collaborations increasingly rely on seamless, secure access to services and data across institutional and national boundaries. To meet these evolving needs, the AARC TREE project is modernising the foundational framework for Authentication and Authorisation Infrastructures (AAIs) used by research collaborations. By refining both the AARC Blueprint Architecture (AARC BPA) and the Policy Development Kit (PDK), AARC TREE empowers infrastructures of all sizes to adopt interoperable, scalable, and policy-aligned AAI models.
The project’s name, AARC TREE (Technical Revision to Enhance Effectiveness), reflects its ambition to enable a sustainable ecosystem for trusted collaboration.
Modernising the AAI Architecture
The AARC Blueprint Architecture has served as a reference model for enabling federated access for research collaboration since its original release. The initial revision of AARC-BPA-2025 (AARC-G080) is the result of extensive community input, including in-depth interviews with Research Infrastructures (RIs). With AARC-BPA-2025, AARC TREE introduces an evolution of this model—one that reflects real-world deployments and enables a more flexible, layered approach to identity and access management.
While the five architectural layers remain unchanged (see Figure 1), the initial revision of AARC-BPA-2025 introduces targeted refinements to improve clarity and reflect current practices. Component names have been generalised—such as renaming the Community Attribute Services Layer to Attribute Services Layer and the Community Authorisation Policy Repository to Authorisation Policy Repository—to better reflect their broader applicability. Protocol support has been streamlined: whereas earlier versions supported both SAML2 and OIDC at the proxy interface, AARC-BPA-2025 now focuses on OpenID Connect and OAuth 2.0 to align with emerging standards for token-based access.

Figure 1: Component layers of the AARC Blueprint Architecture (AARC-BPA-2025 – Initial Revision)
The updated architecture also introduces capabilities (see Figure 2), including the Identity capability, which encompasses functions such as identifier management, identity assurance, and identity linking. This shift reflects the growing prominence of national systems like EDU-ID and anticipated developments such as the EU Digital Identity Wallet (EUDI), which contribute foundational identity services in the evolving ecosystem. The Collaboration Management capability replaces the older notion of a “Community AAI.” This change clarifies architectural roles by distinguishing between identity services and collaboration functions—such as group enrollment and role management—accommodating both structured and more agile, project-based collaborations.

Figure 2: Functional Capabilities of the AARC Blueprint Architecture 2025 (AARC-BPA-2025 – Initial Revision)
Lastly, the authorisation model continues to rely on group- and role-based entitlements, with support for token-based access control across infrastructures. This includes the emerging OAuth 2.0 Proxied Token Introspection mechanism (AARC-G052), which extends standard introspection to support secure validation of tokens issued by different trusted infrastructures.
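To make the two halves of that model concrete (group/role entitlements on one side, proxied introspection on the other), here is an added, self-contained Python sketch. It is illustrative code written for this page, not code from AARC TREE or any reference implementation. It assumes: an entitlement grammar in the URN style of AARC-G069 (the regex is this example's own), JWT-shaped access tokens whose unverified `iss` claim is used only to pick which proxy to ask, an in-memory `peers` map standing in for whatever trust configuration a real deployment uses, and constructed tokens, token records and entitlement values. The forwarding logic is a plausible shape, not the normative AARC-G052 flow.

```python
from __future__ import annotations
import base64
import json
import re
from dataclasses import dataclass
from typing import Optional

# Entitlement URNs in the AARC-G069 style (regex is this example's assumption):
#   <namespace>:group:<group>[:<subgroup>...][:role=<role>]#<group-authority>
ENT_RE = re.compile(r"^(?P<ns>urn:[^:#]+:[^:#]+):group:(?P<rest>[^#\s]+)#(?P<auth>\S+)$")


@dataclass(frozen=True)
class Entitlement:
    namespace: str
    groups: tuple[str, ...]   # full group path, e.g. ("project-x", "wp3")
    role: Optional[str]
    authority: str            # who asserted the membership


def parse_entitlement(value: str) -> Entitlement:
    m = ENT_RE.match(value)
    if not m:
        raise ValueError(f"not an entitlement URN: {value!r}")
    parts = m.group("rest").split(":")
    role = None
    if parts[-1].startswith("role="):
        role = parts.pop()[len("role="):]
        if not role:
            raise ValueError(f"empty role in {value!r}")
    if not parts or any(p == "" for p in parts):
        raise ValueError(f"empty group component in {value!r}")
    return Entitlement(m.group("ns"), tuple(parts), role, m.group("auth"))


def is_authorised(entitlements, group: str, role: Optional[str] = None,
                  trusted_authorities: frozenset[str] = frozenset()) -> bool:
    """Exact group-path match. Whether subgroup membership implies membership in
    the parent is a community policy question, so this check does not assume it.
    Malformed values are skipped instead of failing the whole decision."""
    wanted = tuple(group.split(":"))
    for value in entitlements:
        try:
            e = parse_entitlement(value)
        except ValueError:
            continue
        if trusted_authorities and e.authority not in trusted_authorities:
            continue
        if e.groups == wanted and (role is None or e.role == role):
            return True
    return False


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_token(iss: str, sub: str, jti: str) -> str:
    """Constructed JWT-shaped access token. The signature part is a placeholder:
    validity is decided by the issuer's introspection endpoint, never here."""
    return ".".join([_b64url({"alg": "none"}),
                     _b64url({"iss": iss, "sub": sub, "jti": jti}), "placeholder"])


def unverified_issuer(token: str) -> Optional[str]:
    """Read 'iss' without verifying anything, purely to route the introspection
    call. Nothing else is trusted from this claim."""
    try:
        _, payload, _ = token.split(".")
        payload += "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(payload)).get("iss")
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None


class Proxy:
    """A BPA proxy with an RFC 7662 introspection endpoint. `peers` maps each
    trusted peer's issuer URL to that proxy (an assumed trust configuration)."""

    def __init__(self, issuer: str, tokens: dict[str, dict],
                 peers: Optional[dict[str, "Proxy"]] = None):
        self.issuer = issuer
        self._tokens = tokens    # constructed stand-in for the AS token store
        self.peers = peers or {}

    def introspect_local(self, token: str, now: int) -> dict:
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return {"active": False}
        return {"active": True, "iss": self.issuer, **rec}

    def introspect(self, token: str, now: int) -> dict:
        """What a relying party calls on its home proxy for any token it receives."""
        iss = unverified_issuer(token)
        if iss is None or iss == self.issuer:
            return self.introspect_local(token, now)
        peer = self.peers.get(iss)
        if peer is None:
            return {"active": False}    # unknown issuer: never forward, never trust
        resp = peer.introspect_local(token, now)
        if resp.get("active") and resp.get("iss") != iss:
            return {"active": False}    # the answer must come from the issuer we routed to
        return resp


# Constructed demo data: two proxies, one trusting the other.
HOME, PEER = "https://proxy.home.example", "https://proxy.peer.example"
NOW = 1_900_000_000
peer_tok = make_token(PEER, "alice", "t1")
expired_tok = make_token(PEER, "bob", "t2")
stranger_tok = make_token("https://proxy.unknown.example", "eve", "t3")
peer_proxy = Proxy(PEER, {
    peer_tok: {"sub": "alice", "exp": NOW + 600, "eduperson_entitlement": [
        "urn:geant:peer.example:group:project-x:role=admin#aai.peer.example",
        "urn:geant:peer.example:group:project-x:wp3#aai.peer.example"]},
    expired_tok: {"sub": "bob", "exp": NOW - 1, "eduperson_entitlement": [
        "urn:geant:peer.example:group:project-x#aai.peer.example"]},
})
home_proxy = Proxy(HOME, {}, peers={PEER: peer_proxy})


def check_access(proxy: Proxy, token: str, group: str,
                 role: Optional[str] = None, now: int = NOW) -> bool:
    info = proxy.introspect(token, now)
    return bool(info.get("active")) and is_authorised(
        info.get("eduperson_entitlement", []), group, role)
```

The point to take from the sketch: the relying party never talks to the foreign issuer itself and never trusts the unverified `iss` claim for anything except routing; the home proxy decides whether the issuer is trusted, forwards the introspection, and applies the group and role check on what comes back. Expiry and unknown issuers both fail closed.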
These refinements make AARC-BPA-2025 more applicable across diverse research environments, while preserving continuity with previous implementations.
A Trust Framework for Real-World Operations
A modular trust framework, defined in AARC-I082, serves as the foundation for the forthcoming Policy Development Kit version 2 (PDK v2). It clarifies how responsibilities and trust relationships can be structured across diverse organisations and roles. At its heart is a clear distinction between policies and the procedures that implement them. Policies describe high-level, stable commitments that typically require formal approval, such as who may access services or how data protection is ensured; they are intentionally independent of specific technologies and tend to remain stable over time. Procedures, on the other hand, are more adaptable and evolve in response to operational changes, emerging risks, or new requirements.
The framework introduces five key stakeholder audiences—Research Governance, Users, Authentication Sources, Collaboration Management, and Service and Infrastructure Providers—and maps their responsibilities across various protection domains. This structure is illustrated in Figure 3, which highlights how different roles contribute to protecting collaboration participants, infrastructure services, and (sensitive) research data.

Figure 3: Trust Framework and structure of the AARC Policy Development Kit (PDK) version 2.0
Within this structure, Snctfi version 2 defines a focused and assessable trust baseline specifically for proxy operators. It brings together requirements around operational security, data protection, incident response, attribute authority management, and privacy notice handling. These draw on widely adopted community practices, including Sirtfi, the REFEDS Data Protection Code of Conduct v2, Guidelines for Secure Operation of Attribute Authorities (AARC-G071), Guidance for Notice Management (AARC-G083), and the Security Operational Baseline (AARC-G084).
By offering a common baseline, Snctfi v2 enables proxy operators to assert their conformance with clearly defined expectations. This helps relying parties identify trustworthy providers—especially important in ecosystems where most communities depend on external proxies rather than running their own. The Snctfi profile, together with the structure provided by AARC-I082, will guide the development of reusable policies and procedures in PDK v2, making it easier for infrastructures to implement consistent and interoperable trust frameworks.
Real-World Validation and Tooling
AARC TREE is firmly grounded in practical, real-world validation to ensure that its outputs address the operational needs of research infrastructures. As part of this effort, the project conducted 23 in-depth interviews with Research/e-Infrastructures to capture current practices and key requirements. These insights directly informed the revision of both the architecture and the trust framework. In parallel, pilot implementations are testing core components of the guidance, including the attribute profile defined in AARC-G056 and the layered notice management approach introduced in AARC-G083. To support adoption and self-assessment, an online validation platform is under development, building on the NFDI Attribute COnformity Checker (naco) and the Compliance Assessment Tool (CAT). This platform aims to streamline conformance checks against AARC guidelines. Continuous feedback from the AARC Engagement Group for Infrastructures (AEGIS) and the EOSC AAI Working Group ensures that the evolving specifications remain aligned with community priorities and implementation realities.
What’s Next?
AARC TREE will finalise the updated AARC Blueprint Architecture (AARC-BPA-2025) and the structure of the Policy Development Kit version 2 (PDK v2), laying the foundation for seamless, policy-aligned access across infrastructures. Looking ahead, the project will work toward developing a compendium of best practices to support sustainable adoption, while also exploring synergies with emerging digital identity ecosystems, including eIDAS 2.0, the EU Digital Identity Wallet, and decentralised identity technologies.