
You are viewing a previous version of this page.


The EOSC-hub AAI enables seamless access to research data and services in EOSC in a secure and user-friendly way.

Features

  • Support for different authentication providers, including institutions from national identity federations in eduGAIN, social media or other external authentication providers such as ORCID or community-operated identity providers
  • Access to multiple heterogeneous (web and non-web) service providers using different technologies
    • Support for access to non-web-browser based services and resources includes APIs and command line access (e.g. SSH, OAuth2)
  • Access to resources using different login credentials (institutional/social) via identity linking
  • Expressing the level of trust in the identity assertions using standard mechanisms such as the REFEDS Assurance Framework
  • Aggregation and harmonisation of authorisation information (groups, roles) from multiple sources using different protocols
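
The last two features can be illustrated with a short sketch, added here as an example and not taken from EOSC-hub code: group and role information from a SAML source and an OIDC source is merged into one record, and the REFEDS Assurance Framework identity-proofing level is checked before access is granted. The attribute and claim names follow eduPerson/REFEDS conventions; the function names, the record layout, the sample values and the choice to take assurance only from the login assertion are assumptions of this example.

```python
# Added illustration, not EOSC-hub code. Function names, record layout and
# sample values are assumptions; attribute names follow eduPerson conventions.
RAF_IAP = "https://refeds.org/assurance/IAP/"
IAP_ORDER = ("low", "medium", "high")  # REFEDS RAF identity-proofing levels
# The same information travels under different names per protocol.
FIELD_MAP = {
    "saml": {"entitlements": "eduPersonEntitlement", "assurance": "eduPersonAssurance"},
    "oidc": {"entitlements": "eduperson_entitlement", "assurance": "eduperson_assurance"},
}

def as_list(value):
    """SAML attributes are multi-valued; an OIDC claim may be a bare string."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def iap_level(assurance_values):
    """Highest RAF IAP level asserted, or None when no IAP value is present."""
    found = [v[len(RAF_IAP):] for v in assurance_values if v.startswith(RAF_IAP)]
    ranked = [IAP_ORDER.index(level) for level in found if level in IAP_ORDER]
    return IAP_ORDER[max(ranked)] if ranked else None

def harmonise(login, extra_sources=()):
    """Merge entitlements from all sources; assurance comes from the login only."""
    proto, attrs = login
    entitlements = set(as_list(attrs.get(FIELD_MAP[proto]["entitlements"])))
    for src_proto, src_attrs in extra_sources:
        entitlements |= set(as_list(src_attrs.get(FIELD_MAP[src_proto]["entitlements"])))
    return {"entitlements": entitlements,
            "iap": iap_level(as_list(attrs.get(FIELD_MAP[proto]["assurance"])))}

def authorise(record, required_entitlement, min_iap):
    """Fail closed: a login that asserts no IAP level never passes."""
    if record["iap"] is None:
        return False
    strong_enough = IAP_ORDER.index(record["iap"]) >= IAP_ORDER.index(min_iap)
    return strong_enough and required_entitlement in record["entitlements"]

# Constructed sample inputs; the urn:example values are placeholders.
SAML_LOGIN = ("saml", {
    "eduPersonAssurance": ["https://refeds.org/assurance/IAP/low",
                           "https://refeds.org/assurance/IAP/medium"],
    "eduPersonEntitlement": ["urn:example:group:vo.example.org:role=member"],
})
OIDC_SOURCE = ("oidc", {
    "eduperson_entitlement": "urn:example:group:vo.example.org:admins",
    "eduperson_assurance": ["https://refeds.org/assurance/IAP/high"],
})
```

The `high` value carried by the second source is ignored on purpose: it describes a different credential from the one used to sign in, so it must not raise the assurance of this session.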

High-level service architecture

The EOSC-hub AAI follows the architectural and policy recommendations defined in the AARC project. As such, it enables interoperability across different SP-IdP-Proxy services, each of which acts as a bridge between the community-managed proxies (termed Community AAIs) managing the researchers' identity and the generic services offered by Research Infrastructures and e-Infrastructures (termed R/e-Infrastructures or Infrastructures). This enables researchers to sign in with their community identity via their Community AAI. A high-level view of the EOSC-hub AAI is provided below.

[Figure: High-level view of EOSC-hub AAI architecture]

As shown in the high-level view of the architecture, Community-specific services are connected to a single Community AAI, while Infrastructure Services can be connected to a single Infrastructure Proxy. Lastly, generic services are typically connected to more than one Community AAI. Each Community AAI in turn serves as a bridge between external identity providers and the proxies to the e-infrastructure services. Specifically, Community AAIs connect to eduGAIN as service providers but act as identity providers from the services' point of view, thereby allowing users to use their credentials from their home organisations. Complementary to this, users without an account on a federated institutional Identity Provider are still able to use social media or other external authentication providers for accessing services.

Research communities can leverage the EOSC-hub AAI services for managing their users and their respective roles and other authorisation-related information. At the same time, the adoption of standards and open technologies, including SAML 2.0, OpenID Connect, OAuth 2.0 and X.509v3, facilitates interoperability and integration with the existing AAIs of other e-Infrastructures and research communities. As shown in Figure 2, communities can allow different authentication options for their members and, at the same time, enable access to all or a subset of the Infrastructures. It should be noted that this model also allows users to access resources as members of their home organisation. Being connected to multiple Community AAIs and the upstream institutional/social IdPs requires the Infra Proxies to properly support discovery for both community- and home organisation-based access scenarios.
