The EOSC-hub AAI enables seamless access to research data and services in EOSC in a secure and user-friendly way. To this end, the EOSC-hub project has built upon existing AAI services to provide a consistent, interoperable system with which researchers and resource providers can integrate.
The EOSC-hub AAI follows the architectural and policy recommendations defined in the AARC project. As such, it enables interoperability across different SP-IdP-Proxy services, each of which acts as a bridge between the community-managed proxies (termed Community AAIs) managing the researchers' identity and the generic services offered by Research Infrastructure and e-Infrastructures (termed R/e-Infrastructures or Infrastructures). This enables researchers to sign in with their community identity via their Community AAI. A high-level view of the EOSC-hub AAI is provided below.
As shown in the high-level of the architecture, Community-specific services are connected to a single Community AAI, while Infrastructure Services can be connected to a single Infrastructure Proxy. Lastly, generic services are typically connected to more than one Community AAI. Each Community AAI in turn serves as a bridge between external identity providers and the proxies to the e-infrastructure services. Specifically, Community AAIs connect to eduGAIN as service providers but act as identity providers from the services point of view, thereby allowing users to use their credentials from their home organisations. Complementary to this, users without an account on a federated institutional Identity Provider are still able to use social media or other external authentication providers for accessing services.
Research communities can leverage the EOSC-hub AAI services for managing their users and their respective roles and other authorisation-related information. At the same time, the adoption of standards and open technologies, including SAML 2.0, OpenID Connect, OAuth 2.0 and X.509v3, facilitates interoperability and integration with the existing AAIs of other e-Infrastructures and research communities. As shown in Figure 2, communities can allow different authentication options for their members and, at the same time, enable access to all or a subset of the Infrastructures. It should be noted that this model also allows users to access resources as members of their home organisation. Being connected to multiple Community AAIs and the upstream institutional/social IdPs requires the Infra Proxies to properly support discovery for both community- and home organisation-based access scenarios.
The EOSC-hub AAI comprises different AAI services, namely B2ACCESS, Check-in, eduTEAMS and INDIGO-IAM. Research communities can leverage these services for managing their users and their respective roles and other authorisation-related information. The suite of EOSC-hub AAI services also includes Perun, which can be used for managing users within organisations and projects, as well as managing access rights to the services. There are also Token Translation Services such as WaTTS and MasterPortal, which provide mechanisms that enable translation between different protocols or technologies. The RCauth.eu service, in particular, is an Online CA that can on-the-fly identify entities based on federated credentials and issue to them PKIX credentials in real-time, focussing on converting SAML-to-PKIX.
Procedure to integrate your service with the EOSC-hub AAI: