AAI Alignment
Authentication and Authorisation for Research and Collaboration
Nicolas Liampotis (based on the work of Mikael Linden), JRA1, AARC2, GRNET
AARC2 Kick-off meeting, Bad Herrenalb, 7 June 2017
AAI alignment: Platforms
- EGI CheckIn
- ELIXIR AAI
- EUDAT B2ACCESS
- GÉANT eduTEAMS
AAI alignment: Main areas
- Technical architecture
- Infrastructure identifier(s) and attributes used
- Infrastructure identity's cardinality and lifecycle
- Protocols and external account linking
- eduGAIN presence: principles and policies
- eduGAIN presence: technical
- Levels of Assurance
AAI comparative analysis results and suggestions: Technical architecture
- EGI CheckIn, ELIXIR AAI and EUDAT B2ACCESS are based on a similar IdP-SP-Proxy model
- GÉANT eduTEAMS is a centralised Attribute Provider that IdP-SP-Proxies/Relying Parties can query for extra user attributes
Suggestions: none
AAI comparative analysis results and suggestions: Infrastructure identifier(s) and attributes used
- All AAIs assign a unique, opaque, non-revocable, non-reassignable infrastructure identifier to users and deliver it to the Relying Parties as the primary user ID
Suggestions:
- align the user identifier syntax
- investigate the possibility of aligning the Home Organisation affiliation attribute:
  - its name and syntax (can proxies assert a scope they are not authoritative for?)
  - how it is assigned if it cannot be retrieved from the home organisation IdP; at least document the per-platform approaches
  - the attribute assurance needed
- align the mapping of attributes to OIDC claims
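The three properties the slide asks for (an opaque, stable, scoped infrastructure identifier; affiliation scopes that a proxy only passes on when the home IdP is authoritative for them; a SAML-attribute-to-OIDC-claim mapping) can be shown in one small proxy-side routine. This is an added example written for this page, not code from EGI CheckIn, ELIXIR AAI, B2ACCESS or eduTEAMS, and the proxy scope, the HMAC key, the OIDC claim names (the page says these are not yet aligned) and the sample attributes are all assumptions made here:

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# Assumptions for this example: the infrastructure's own scope and a secret held only by the proxy.
PROXY_SCOPE = "infra.example.org"
PROXY_KEY = b"per-proxy-secret-kept-only-by-the-proxy"

# Assumed SAML attribute -> OIDC claim names; the page notes this mapping still needs aligning.
CLAIM_MAP = {
    "mail": "email",
    "displayName": "name",
    "givenName": "given_name",
    "sn": "family_name",
}


def infrastructure_identifier(idp_entity_id: str, upstream_id: str) -> str:
    """Opaque, scoped identifier handed to Relying Parties as the primary user ID.

    HMAC over (IdP entityID, identifier issued by that IdP): stable for the same
    upstream identity, reveals nothing about user or home organisation, and cannot
    collide across IdPs even if two IdPs issue the same local value.  It is
    non-reassignable only as long as the upstream identifier is (a persistent
    NameID or eduPersonUniqueId, not an ePPN that may be reissued).  A proxy that
    mints a random value at registration and stores the link has the same
    externally visible properties.
    """
    msg = idp_entity_id.encode() + b"\x00" + upstream_id.encode()
    digest = hmac.new(PROXY_KEY, msg, hashlib.sha256).hexdigest()[:32]
    return f"{digest}@{PROXY_SCOPE}"


def authoritative_affiliations(values: Iterable[str], idp_scopes: Iterable[str]) -> List[str]:
    """Keep only scoped affiliations whose scope the IdP is registered for
    (shibmd:Scope in its metadata).  The proxy never re-scopes these to
    PROXY_SCOPE, because it is not authoritative for anyone's home affiliation."""
    allowed = {s.lower() for s in idp_scopes}
    kept = []
    for value in values:
        affiliation, sep, scope = value.partition("@")
        if sep and affiliation and scope.lower() in allowed:
            kept.append(f"{affiliation}@{scope.lower()}")
    return kept


def home_organisation(saml_attrs: Dict[str, List[str]], idp_scopes: Iterable[str]) -> Tuple[str, str]:
    """Return (home organisation, provenance): 'idp' when schacHomeOrganization was
    released, 'derived' when the proxy fell back to the IdP's registered scope,
    so a Relying Party can tell an asserted value from a derived one."""
    released = saml_attrs.get("schacHomeOrganization", [])
    if released:
        return released[0].lower(), "idp"
    scopes = sorted(s.lower() for s in idp_scopes)
    if scopes:
        return scopes[0], "derived"
    return "", "unknown"


def to_oidc_claims(idp_entity_id: str, idp_scopes: Iterable[str],
                   upstream_id: str, saml_attrs: Dict[str, List[str]]) -> Dict[str, object]:
    """Build the claim set the proxy's OIDC side releases for one login."""
    claims: Dict[str, object] = {"sub": infrastructure_identifier(idp_entity_id, upstream_id)}
    for saml_name, claim in CLAIM_MAP.items():
        if saml_attrs.get(saml_name):
            claims[claim] = saml_attrs[saml_name][0]
    affiliations = authoritative_affiliations(saml_attrs.get("eduPersonScopedAffiliation", []), idp_scopes)
    if affiliations:
        claims["eduperson_scoped_affiliation"] = affiliations
    org, source = home_organisation(saml_attrs, idp_scopes)
    if org:
        claims["home_organisation"] = org            # assumed claim name
        claims["home_organisation_source"] = source  # assumed claim name
    return claims


# Constructed sample input: one eduGAIN IdP, its registered scope, and what it released.
SAMPLE_IDP = "https://idp.uni.example/idp/shibboleth"
SAMPLE_SCOPES = {"uni.example"}
SAMPLE_NAMEID = "c6f3d8e2-4a1b-4c0e-9d7f-0a1b2c3d4e5f"   # persistent NameID, made up
SAMPLE_ATTRS = {
    "displayName": ["Jane Doe"],
    "mail": ["jane.doe@uni.example"],
    # second value carries a scope this IdP is not authoritative for and must be dropped
    "eduPersonScopedAffiliation": ["member@uni.example", "faculty@other.example"],
    # schacHomeOrganization deliberately absent to exercise the fallback
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_oidc_claims(SAMPLE_IDP, SAMPLE_SCOPES, SAMPLE_NAMEID, SAMPLE_ATTRS), indent=2))
```

Running the module prints the claim set for the constructed login: a `sub` ending in `@infra.example.org`, the `member@uni.example` affiliation with the foreign-scoped one removed, and `home_organisation` marked as derived from the IdP's scope rather than asserted by it.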
AAI comparative analysis results and suggestions: Infrastructure identity's cardinality and lifecycle
- ELIXIR is the only AAI encouraging users to have only one identity; the others let users create multiple identities if they want to
- EGI and EUDAT identities have a single-valued Home Organisation attribute that is decided at registration time and presented to the Relying Parties; ELIXIR has a multi-valued Home Organisation attribute
- All AAIs need fresh affiliation information; approaches vary
Suggestions:
- share approaches on data retention (EUDAT has a documented approach)
AAI comparative analysis results and suggestions: Protocols and external account linking
- All AAIs support SAML2 authentication
- EGI, ELIXIR and EUDAT support OAuth2/OIDC towards Authentication Providers and Relying Parties
- eduTEAMS supports attribute queries based on SAML2 and VOOT
- EGI and EUDAT support IGTF X.509 certificates and locally managed passwords to authenticate users
- EGI, ELIXIR and EUDAT support credential translation to X.509 certificates
Suggestions:
- use a common SAML profile (SAML2Int or its successor) and a common OIDC profile towards Relying Parties
AAI comparative analysis results and suggestions: eduGAIN presence, principles and policies
- All AAIs automatically trust IdPs from eduGAIN
- In the case of EGI, R&S and/or Sirtfi compliance may affect the authenticating user's LoA and service entitlement values
- eduTEAMS only automatically trusts REFEDS R&S and Sirtfi compliant SPs from eduGAIN
Suggestions: none
AAI comparative analysis results and suggestions: eduGAIN presence, technical
- All AAIs are exposed in eduGAIN as SPs
- All AAIs are satisfied with an eduGAIN IdP releasing the R&S attribute bundle
- ELIXIR requests only the user's unique identifiers and affiliation information from Identity Providers in eduGAIN
- EGI and EUDAT B2ACCESS also request the user's name and address
- eduTEAMS requests and supplies attributes in accordance with the R&S entity category
- eduTEAMS will also be exposed as an Attribute Provider in eduGAIN
Suggestions:
- harmonise the attributes requested from IdPs in eduGAIN (R&S attributes)
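The two eduGAIN trust rules on the preceding slides (every eduGAIN IdP is accepted, with R&S and Sirtfi compliance feeding LoA or entitlement decisions as EGI does; SPs are auto-trusted only when they carry both the REFEDS R&S entity category and the Sirtfi assurance certification, as eduTEAMS does) are decided from entity attributes in the SAML metadata. The following is an added example of reading those attributes and applying the rules, written for this page rather than taken from any of the four platforms. The attribute names and values are the real ones used in eduGAIN metadata; the metadata document itself is constructed here and the entityIDs are made up:

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
# Entity attribute names and values as published in eduGAIN metadata.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
ASSURANCE_CERTIFICATION = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
RS = "http://refeds.org/category/research-and-scholarship"
SIRTFI = "https://refeds.org/sirtfi"


def entity_attributes(entity: ET.Element) -> Dict[str, set]:
    """Collect md:Extensions/mdattr:EntityAttributes/saml:Attribute values by Name."""
    attrs: Dict[str, set] = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs


def classify(metadata_xml: str) -> Dict[str, dict]:
    """entityID -> {kind, rs, sirtfi, scopes} for every entity in the aggregate."""
    result: Dict[str, dict] = {}
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        attrs = entity_attributes(entity)
        is_idp = entity.find("md:IDPSSODescriptor", NS) is not None
        result[entity.get("entityID")] = {
            "kind": "IdP" if is_idp else "SP",
            # an IdP declares that it *supports* R&S, an SP that it *is* R&S
            "rs": RS in attrs.get(ENTITY_CATEGORY_SUPPORT if is_idp else ENTITY_CATEGORY, set()),
            "sirtfi": SIRTFI in attrs.get(ASSURANCE_CERTIFICATION, set()),
            # scopes the IdP is registered for; what it may legitimately assert affiliation in
            "scopes": [s.text for s in entity.findall(".//shibmd:Scope", NS) if s.text],
        }
    return result


def auto_trust_sp(info: dict) -> bool:
    """eduTEAMS-style rule: an eduGAIN SP is trusted automatically only if it is R&S and Sirtfi."""
    return info["kind"] == "SP" and info["rs"] and info["sirtfi"]


def trusted_sps(metadata_xml: str) -> List[str]:
    return sorted(eid for eid, info in classify(metadata_xml).items() if auto_trust_sp(info))


def idp_assurance_flags(info: dict) -> Dict[str, bool]:
    """Every eduGAIN IdP is accepted; these flags are what a platform can feed into
    its LoA and entitlement calculation for users coming from that IdP."""
    return {"rs_support": info["rs"], "sirtfi": info["sirtfi"]}


# Constructed metadata aggregate: one IdP (R&S support + Sirtfi, scope uni.example),
# one SP with R&S and Sirtfi, and one SP that is R&S but not Sirtfi.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.uni.example/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">uni.example</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-a.example/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for eid, info in classify(SAMPLE_METADATA).items():
        print(eid, info, "auto-trust" if auto_trust_sp(info) else "")
```

One caveat a practitioner would add before using this on the real aggregate: entity attributes are only as trustworthy as the metadata they arrive in, so the eduGAIN aggregate's XML signature must be verified (and the document parsed with a parser hardened against external entities) before any of these flags are allowed to influence trust or LoA.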
AAI comparative analysis results and suggestions: Levels of Assurance
- Each AAI follows a different approach
Suggestions:
- harmonise LoA levels (separating what is done internally in an infrastructure from what the original IdPs do)
- how to position social media identities?
- how to manage and rank the eduGAIN IdPs?
- make use of (endorse together?) the REFEDS assurance profiles?
- the many-to-one mapping in the platform and the related LoA calculus