Back-end PKI for the CILogon-like TTS pilot accredited as an IOTA CA by the IGTF. Inclusion foreseen in June "1.75" release of the IGTF trust anchors.

As part of the SA1 'CILogon-like TTS Pilot' the NA3 policy team is developing the associated reference policies and integration with the e-Infrastructures (such as EGI) and the R&E Federations and IdPs (including eduGAIN as well as selected IdPs of last resort).

The AARC project is running a pilot with a bridging AAI solution based on the CILogon model to enable resources that use conventional identity and attribute certificates for access control to be used by researchers using exclusively federated credentials. While certificate-based access is effective for many non-web (command-line) and brokered-access (delegation) use cases, exposing this technology to a wide user base is seen as a significant barrier. In this pilot a set of mutually-interconnected third-party software components is composed to hide the technical details of certificate-based access.

It combines authentication using SAML-based identities such as provided by eduGAIN, public-key authentication certificates (PKIX) such as those coordinated by the IGTF, the use of VOMS community membership management statements, and the OpenID Connect authentication protocol, used by many light-weight web applications (e.g. Globus Online and science gateways).

Block elements of the CILogon-like TTS pilot service

Using the AARC CILogon-like Token Translation Service (TTS) pilot technology, infrastructures such as EGI and ELIXIR can implement AAI controls for their existing resources and services with SAML-based credentials in an end-user-friendly way.

In order to demonstrate operational feasibility, the following specifications and papers are being developed:

The work also includes the collection of a body of reference documents to support the trust bridge between the generic eduGAIN federations and the RI and e-Infra relying parties, leveraging the work of Sirtfi and the baseline assurance levels. It also leverages the REFEDS Research and Scholarship (R&S) specifications.

As regards data protection and privacy for the white-label pilot service, an associated privacy policy has been developed in line with both the requirements of the hosting federation and those of the relying parties (e-Infra):


Background presentations:
