...
| Activity | B2ACCESS | Check-in | eduTEAMS | INDIGO-IAM |
|---|---|---|---|---|
| Alignment of user attributes | ✓ | ✓ | ✓ | ✓ |
| Alignment of VO/group membership and role information | ✓ | ✓ | ✓ | ✓ |
| Alignment of resource capabilities information | ✓ | ✓ | ✓ | ✓ |
| Alignment of affiliation information | M30 | M28M34 | ✓ | M36 |
| Alignment of assurance information (including freshness of affiliation information) | M36 | M30M35 | ✓ | M36 |
| OAuth2 token validation across multiple domains (multi-proxy connection workaround) | ✓ | ✓ | ✓ | ✓ |
| OAuth2 token validation across multiple domains (interim implementation based on OAuth2 introspection) | M30M36M30 | M36 | M30 | ✓ |
Policy-related integration activities
...
| Activity | B2ACCESS | Check-in | eduTEAMS | INDIGO-IAM |
|---|---|---|---|---|
| Alignment of privacy statements | ✓ | M30M34 | ✓ | ✓ |
| Alignment of operational security and incident response policies | ✓ | ✓ | ✓ | ✓ |
| Alignment of Acceptable Use Policies (AUPs) | M36✓ | M30M34 | ✓ | ✓ |
Integration of EOSC-hub AAI services
...
| EUDAT | EGI | GEANT | INDIGO-IAM | |
|---|---|---|---|---|
| B2ACCESS | ✓ | M36 | M36 | |
| Check-in | ✓ | M36 | ✓ | |
| eduTEAMS | ✓ | ✓ | M36 | |
| INDIGO-IAM | M36 | M28✓ | M36 |
Known issues
- Multiple user registrations: Users are asked to register with different AAI services as they access resources protected by different infrastructure proxies. The identified technical (e.g. alignment of user attributes) and policy (e.g. alignment of AUPs) harmonisation activities will enable seamless access across different domains .
- Multiple IdP discovery steps: The EOSC-hub AAI is based on the AARC BPA “community-first” approach, whereby users often need to go through multiple IdP discovery steps: (a) to select their Community AAI and (b) to select their Home Organisation. During this process, users don’t need to re-enter their login credentials as long as their Single Sign-On session is active, however the IdP selection can be frustrating in some cases. The discovery process needs to be simplified by either narrowing down the number of possible IdPs to choose from or by making the actual selection process fully transparent (see also “IdP hinting” protocol proposed in AARC-G049).
- OAuth2 token validation: The current EOSC-hub AAI architecture works very well when the user is consuming services directly. However, there are use cases requiring a service agent to be able to act autonomously, on behalf of the user, consuming services and resources. If the services consumed by the agent are behind the same proxy, the current architecture works. For those cases, though, where an agent running on Service A needs to access resources on Service B, which might be connected by a different proxy, then there is no straight-forward solution at the moment. So, currently, services need to trust the same proxy to support those use cases. A solution for dynamically establishing trust in a distributed environment will be provided by the OpenID Connect Federation specification v1.0 (draft). The AARC community is working on “AARC-G052: Recommendations for OpenID Connect/OAuth2 token-based access across different infrastructures” that is meant to be a temporary measure until the OIDC Federation Specification is widely available. This interim solution is based on the OAuth2 Token Introspection specification which defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token.