EOSC-hub receives funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 777536.

eosc-hub.eu@EOSC_eu

AARC Blueprint Architecture and its evolution – towards the EOSC AAI for research communities

Dissemination level: Public

31/01/2019 2

AARC Blueprint Architecture and its evolution

ESFRI RIs and EOSC Workshop

“Community-first” AARC BPA approach

Researchers sign in using their institutional (eduGAIN), social or community-managed IdP via their Research Community AAI

Community-specific services are connected to a single Community AAI

Generic services (e.g. RCauth.eu Online CA) can be connected to more than one Community AAI proxies

e-Infra services are connected to a single e-infra SP proxy service gateway, e.g. B2ACCESS, Check-in, Identity Hub, etc

31/01/2019 3

AARC Blueprint Architecture and its evolution

ESFRI RIs and EOSC Workshop

Uniform representation of unique user identifiersStandardised way of expressing group membership, role information & resource capabilitiesNon-web-browser-based access (e.g. SSH/SFTP or HTTP APIs via OAuth2 tokens and X.509 certs)Delegation (e.g. via token exchange)Release of mandatory set of user attributes (incl. unique shared id) - REFEDS Research & Scholarship entity categoryOperational security, incident response, and traceability - REFEDS SirtfiPrivacy requirements for processing personal information - GÉANT Data Protection Code of ConductRules and conditions that govern access to and use of service and resources - WISE Baseline Acceptable Use Policy (AUP)Assurance information - REFEDS Assurance Framework, IGTF/AARC assurance profiles

31/01/2019 4ESFRI RIs and EOSC Workshop

EOSC-hub AAI builds on AARC BPA & Policy best practices & recommendations

Communities with an existing Community AAI can connect to the EOSC-hub e-Infra Proxies and gain access to generic e-Infra servicesCommunities that don’t operate their own AAI service can make use of either dedicated or multi-tenant deployments of AAI services operated by EOSC-hub Multi-tenant deployments:

- aimed at medium-to-small research communities/groups or individual researchers.

- community members, groups and authorisation attributes are still managed by community managers.

Dedicated deployments:- customisation of user-facing interfaces: IdP discovery page,

enrolment, group membership UI- customisation of AAI proxy behaviour (e.g. attribute aggregation

rules, service entitlements)- possibility of bespoke AAI Solutions, which might include

individual Components from the GÉANT eduTEAMS, EGI Check-in, INDIGO IAM, EUDAT B2ACCESS, and PERUN

31/01/2019 5ESFRI RIs and EOSC Workshop

How the EOSC-hub AAI services help communities access resources

31/01/2019 6

EOSC-hub Community AAI services

ESFRI RIs and EOSC Workshop

@nliampotis

Thank youfor your attention!

Questions?