Niels van Dijk

GN4-3 project team
NielsSURF / IncubatorStakeholder
BrancoAMRES / IncubatorConvener
MihályKIFU / SZTAKI / IncubatorStakeholder
JuleLCZ / IncubatorSCRUM master



Community RepresentativesNRENs, InstitutionsCommunity Expert Group

Activity overview


Investigate the impact, opportunities and challenges of the use of SSI based technology on various parts of the AARC blueprint architecture

Activity goals

The AARC Blueprint Architecture (BPA) describes a ‘Community AAI’ solution, a set of software building blocks that can be used to implement federated access management solutions for (inter)national research collaborations. 

The benefit of the BPA is that its proxy-based architecture provides both a technical integration point for authentication and authorisation, as well as a centralised point for implementing the research communities' policies. The BPA also identifies a ‘membership management service’ which implements community-specific onboarding to help establish the researcher's status and may be used to issue community-specific attributes to establish roles and rights. Implementations of the BPA, like eduTEAMS and SRAM, have greatly improved the capability to use FIM for research communities.

Unfortunately, the BPA model also introduces a few challenges:

  • The BPA proxy acts as an authentication gateway, which impacts the user flow. Depending on the authentication path taken by a user, the user may end up with a different identity and hence different permissions. This is confusing for end-users and leads to challenges for services.
  • A centrally operated infrastructure is required, which is acting as a ’man-in-the-middle’ for all authentication transactions. This impacts data protection and user privacy and hence needs to be considered carefully. 
  • Institutions need to release attributes to all such BPA infrastructures their users want to make use of. Even though this already scales much better as compared to releasing attributes to individual services, this may still impede the ability of users to gain access to relevant services.
  • A centrally operated infrastructure may not be feasible for all communities as it introduces operational costs and a certain level of organisation of the collaboration.

At first glance, a SSI based model may offer similar benefits as the AARC BPA model, while reducing the number of impediments as a wallet model may take away the need to have a proxy as the central authentication gateway.

This activity will further explored the potential use of SSI technology in the context of the AARC BPA. It will describing where SSI technology may be leveraged, explore benefits and challenges and describe how that may be implement. A number of technical pilots will test the assumptions.

Activity Details

Technical details

Self-Sovereign Identity (SSI) provides a new paradigm in trust and identity on how users can engage with, and have control over their personal data. It may also provide new models for institutions and services to engage with users in the context of issuing and receiving (researcher) identity and in dealing with guest or external identities. This will have an impact on how research communities and their services can handle authentication and authorization.

SSI awareness in Europe recently spiked as the revised EU eIDAS legislation puts SSI-based technology at the forefront of the minds of decision-makers and technologists alike. With large-scale pilots with wallet technology being planned and through the technology-driven European Blockchain Services Infrastructure (EBSI) activity, the EU aims to roll out a digital wallet for every European by 2024.

To further explore these questions, an AARC BPA SSI expert working group (Group) will be formed to further explore, investigate and discuss such questions.

Business case

For the European academic trust and identity community, these developments present both challenges: how does this SSI ecosystem relate to Federated Identity and the established practices developed? There may also be opportunities: does this perhaps help us save cost when we enrol researchers, or external identities in our collaborations, can we perhaps build trust in a new way, can we now finally get rid of proxies?


It it unclear how much interest there is to find a SSI based solution at this point in time.

Data protection & Privacy

The activity does not affect any privacy

Definition of Done (DoD)

The activity will launch a series of public meetings with community experts to discuss this topic. Afterwards a report will be created and published.


The goal of this activity is to investigate the topic and create a report about the state of play. It can be the trigger for further investigations in GN5-1 or to establish a community group.

Activity Results


After a series of meetings with an Expert group to discuss SSI and the AARC BPA, a Report on Decentralised identity for GÉANT, NRENs and institutions was created and published.






Introduction and Overview

Branko Marovic
30.09.22Use Cases, Establishment and Governance Branko Marovic
21.10.22Integration PatternsBranko Marovic
15.12.22Final Incubator demoNiels van Dijk

  • No labels