Author: Jiří Pavlík (CESNET)
The federated authentication model has become established as an enabler of user-friendly access to and sharing of resources, while preserving security and user privacy. There are, however, challenges in designing a scalable and sustainable way to integrate existing authentication and authorisation infrastructures (AAIs) without disrupting them.
One of the biggest issues at the moment is the lack of basic user information or ‘attributes’ released by many institutions (e.g. universities). This is a problem that many research collaborations experience when trying to leverage federated access. Related to this point is the aspect of aggregating attributes from various sources using attribute providers. There are many more challenges related to defining shared and harmonised policies, trust frameworks and tools to compare different policies, tools to facilitate and monitor policy adoption, attribute aggregators, level of assurance, persistent identifiers, support for guest users, support for gov-IDs and so on.
The Authentication and Authorisation for Research and Collaboration (AARC) project is here to help. AARC is a European Commission-funded project that brings together 20 different partners from among e-infrastructures, service providers, libraries and national research and education network (NREN) organisations to develop an integrated cross-discipline AAI framework, built on production and existing federated access services. AARC aims to develop and pilot an integrated cross-discipline authentication and authorisation framework using existing AAIs and production federated infrastructures.
The project reaches out with its activities to a number of diverse communities such as libraries, arts and humanities, and universities, but also EGI, PRACE, FIM4R, and more. The activities that AARC covers range from best practices and policy harmonisation to working on integrated architectures for research and education authentication and authorisation. All of this is supported by the implementation of pilots to validate the results of the project. Concrete solutions to many of the aforementioned challenges are being designed; Sirtfi, a mechanism to enable federated security incident response, is one such solution that is now ready for deployment.
Among the other activities, one in particular is dedicated to training and outreach. This work package has two main objectives. The first is to offer training on the technical and policy aspects of federated access to address specific challenges at both the institutional and the resource provider level. The second is to create an outreach package to promote the results coming from the architecture and policy harmonisation work packages, particularly concerning support for attribute providers, scalable guest identity provider solutions, incident response and assurance.
Several training modules have been delivered so far. The first online training module describes the basic concept of federated access. It is called ‘Federation 101’ and answers the basic questions that an audience with limited understanding of federated access might have. The second online module focuses on training for service provider operators. Designed with a hands-on approach in mind, this module is delivered in a presentation format. The slides are available and ready to be used by anyone who would like to deliver such training. The third module, to be published soon, follows the train-the-trainers model and aims to provide a common approach for identity providers to implement effective attribute release.
At this year’s networking conference, TNC16, the AARC project team will seek feedback on this third training package in a workshop: ‘AARC Training: Defining a training module for scalable attribute release in federation and interfederation’. The aim of the workshop is to agree with federation operators on a common approach to promoting existing practices and procedures that can be used to help identity provider operators implement effective attribute release in compliance with data protection law.
All federation operators attending the TNC16 conference are cordially invited!