| Tip |
|---|
| Back-end PKI for the CILogon-like TTS pilot accredited as an IOTA CA by the IGTF. Inclusion foreseen in June "1.75" release of the IGTF trust anchors. |
As part of the SA1 'CILogon-like TTS Pilot' the NA3 policy team is developing the associated reference policies and integration with the e-Infrastructures (such as EGI) and the R&E Federations and IdPs (including eduGAIN as well as selected IdPs of last resort).
The AARC project is running a pilot with a bridging AAI solution based on the CILogon model to enable resources that use conventional identity and attribute certificates for access control to be used by researchers using exclusively federated credentials. While certificate-based access is effective for many non-web (command-line) and brokered-access (delegation) use cases, exposing this technology to a wide user base is seen as a significant barrier. In this pilot a set of mutually-interconnected third-party software components is composed to hide the technical details of certificate-based access.
It combines authentication using SAML-based identities such as provided by eduGAIN, public-key authentication certificates (PKIX) such as those coordinated by the IGTF, the use of VOMS community membership management statements, and the OpenID Connect authentication protocol, used by many light-weight web applications (e.g. Globus Online and science gateways).
Using the AARC CILogon-like Token Translation Service “TTS” pilot technology, infrastructures such as EGI and ELIXIR can implement AAI controls for their existing resources and services with SAML based credentials in an end-user friendly way.
In order to demonstrate operational feasibility, the following specifications and papers are being developed:
- Sustainability study on distribution of the Pilot elements among the actors in the e-Infrastructure and Research Infrastructures
- Development of an IGTF-accreditable Policy and Practice Statement to enable trust between the TTS service and major relying parties (EGI, PRACE, EUDAT, XSEDE) globally
- Ensuring integration of the CILogon-like TTS Pilot with the production eduGAIN infrastructure
- ensure integration of the pilot service - as a white-label service - with an existing sustained trust infrastructure
The work also includes the collection of a body of reference documents to support the trust bridge between the generic eduGAIN federations and the RI and eInfra relying parties, leveraging the work of Sirtfi and the baseline assurance levels. It also leverages REFEDS Research and Scholarship (R&S) specifications.
Further to data protection and privacy for the white-label pilot service, an associated privacy policy in line with both the requirements of the hosting federation as well as those from the relying parties (e-Infra) has been developed:
Background presentations:
- The AARC CILogon-like TTS pilot - introduction for the IGTF
- Impact of EGI of the AARC CIlogon-like pilot - an introduction
- A CILogon-like TTS IOTA CA for Europe - presentation to the Asia Pacific trust community