1 of 16

EOSC-hub-AAI: Update & next steps

WP8 meeting

Dissemination level: Public

EOSC-hub receives funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 777536.

eosc-hub.eu

@EOSC_eu

2 of 16

Previous actions

    • Add description of EOSC-hub AAI features/architecture to parent page in confluence

    • Simplify description of alignment activities so that they can be understood by non-AAI experts?
      • Might be a challenge for technical activities

    • Improve integration matrix

    • Update roadmap timeline

3 of 16

Updated description & architecture

4 of 16

EOSC-hub AAI architecture

Implementation of the AARC Blueprint Architecture 2019

2019-11-14

5 of 16

EOSC-hub AAI Architecture

  • Researchers register once with their Community AAI

  • Researchers always sign in via their Community AAI using their existing academic/social credentials for accessing:
    • Community-specific services
    • Generic services (e.g. RCauth.eu Online CA)
    • General-purpose R/e-Infra services

6 of 16

EOSC-hub AAI Architecture

  • R/e-Infra proxy serves as a single integration point for services

  • No need to run an IdP Discovery Service on each service

  • Services get consistent/harmonised user identifiers and accompanying attribute sets from different IdPs/AAs that can be interpreted in a uniform way for authorisation purposes

7 of 16

EOSC-hub AAI services

8 of 16

Identified integration gaps: Multiple user registrations

  • Issue: Users need to register with multiple AAI services and deal with:
    • differences in how some attributes are expressed (e.g. affiliation and assurance)
    • differences in Acceptable Use Policies (AUP)

  • Solution: Improved integration model (Work in Progress):
    • Lightweight registration
      • no email verification (assuming the Community AAI is releasing verified email information)
      • minimum user input/interaction - ideally the user will only need to review the AUP of the infrastructure being accessed

9 of 16

Identified integration gaps: Multiple IdP discovery steps

  • Issue: As users access services protected by different AAIs, they may need to select their identity provider (IdP)
    • But they don't need to enter their credentials again due to the Single Sign-On session in effect

  • Solution: Investigate adoption of IdP hinting protocol (AARC-G049):
    • Generic browser-based protocol for conveying hints about the IdPs or IdP-SP-proxies that should be used for authenticating the user:
      • can simplify the discovery process for the end-user, by either narrowing down the number of possible IdPs to choose from or by making the actual selection process fully transparent

10 of 16

Identified integration gaps: OAuth2 token validation

  • OAuth2 token validation: Existing implementations of OAuth2-based Authorisation Servers do not support the validation of tokens issued by a different Authorisation server.
  • E.g. community service accessing e-Infra service on behalf of user

(Diagram: the token is passed on to the e-Infra service, which has to answer "valid token?")

11 of 16

Identified integration gaps: OAuth2 token validation

  • OAuth2 token validation: Existing implementations of OAuth2-based Authorisation Servers do not support the validation of tokens issued by a different Authorisation server.
  • E.g. e-Infra A service accessing e-Infra B service on behalf of user

(Diagram: the token is passed on to the e-Infra B service, which has to answer "valid token?")

12 of 16

Identified integration gaps: OAuth2 token validation

  • Alternative OAuth2 integration: Services can connect to different Authorisation Servers instead of relying on a single SP Proxy

  … but

    • Requires additional integration effort from services
    • Scalability issues

13 of 16

Identified integration gaps: OAuth2 token validation

  • Solution: Extension of OAuth2

Working doc: AARC-G052
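As an added illustration (not from these slides, nor AARC or EOSC-hub code) of the step a single-issuer Authorisation Server is missing: a resource server that picks the verification key from the token's own `iss` claim against a list of trusted Authorisation Servers, so a token minted by a community AAI or by e-Infra A can be checked by a service in e-Infra B. Tokens are modelled as HS256 JWTs with constructed secrets, and all issuer URLs and service names are made up; a production service would use each issuer's published keys or token introspection instead.

```python
# Added example: HS256 JWTs with constructed per-issuer secrets stand in for real AS-issued tokens.
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(issuer: str, secret: bytes, sub: str, aud: str, ttl: int = 300) -> str:
    """Issue a token on behalf of `issuer` (stands in for an Authorisation Server)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": sub, "aud": aud, "exp": int(time.time()) + ttl}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class ResourceServer:  # an e-Infra service that trusts several Authorisation Servers
    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience
        self.trusted_issuers = trusted_issuers  # issuer URL -> verification key

    def validate(self, token: str) -> dict:
        """Return the verified claims, or raise ValueError saying why the token was rejected."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(b64url_decode(header_b64))
            claims = json.loads(b64url_decode(payload_b64))
            sig = b64url_decode(sig_b64)
        except ValueError:  # wrong part count, bad base64 and bad JSON all subclass ValueError
            raise ValueError("malformed token")
        if header.get("alg") != "HS256":
            raise ValueError("unsupported alg")
        # The verification key is chosen by the token's own issuer rather than by a single
        # local AS, which is the step a single-issuer implementation lacks.
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            raise ValueError(f"untrusted issuer {claims.get('iss')!r}")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        if claims.get("aud") != self.audience:
            raise ValueError("token was issued for a different service")
        if claims.get("exp", 0) < time.time():
            raise ValueError("token expired")
        return claims
```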

14 of 16

Updated timeline

EOSC-hub AAI

  • Alignment of user attribute names: M24
  • Alignment of VO/group membership and role information: M24
  • Alignment of resource capabilities information: M24
  • Alignment of affiliation information: M24
  • Alignment of assurance information (incl. affiliation freshness): PY3
  • OAuth 2 token validation across multiple domains (initial implementation): M24
  • OAuth 2 token validation across multiple domains: PY3

EOSC-hub AAI

  • Alignment of privacy statements: M24
  • Alignment of operational security and incident response policies
  • Alignment of Acceptable Use Policies (AUPs): M24

15 of 16

Next actions

    • Improve description of EOSC-hub AAI features/architecture on parent page in confluence? Feedback please!

    • Simplify description of alignment activities so that they can be understood by non-AAI experts
      • Link alignment activities to high-level AAI features?

    • Improve integration matrix

16 of 16

  • Thank you for your attention!
  • Questions?
  • Contact: nliam@grnet.gr

eosc-hub.eu

@EOSC_eu

This material by Parties of the EOSC-hub Consortium is licensed under a Creative Commons Attribution 4.0 International License.