
Executive Summary

 

This document provides an analysis of the requirements the team has collected up to now from scientific communities and project stakeholders. It is an outcome of the "Requirement Analysis" activity in the JRA1 work package, "Architecture for an integrated and interoperable AAI". For the requirement-gathering process, we followed a three-step approach. Section 2 elaborates on the requirement extraction methodology adopted by AARC to ensure that the proposed integrated AAI framework can meet the needs of all stakeholders.

As a first step, we returned to the results of previous activities such as the "TERENA AAA Study" and the FIM4R workshop series and analysed their outcomes in order to produce an initial set of requirements, presented in Section 3.1.

During the second step, this set of requirements was enriched through the results of a survey that was run by AARC during the summer period. The goal of this survey was to identify the barriers communities are currently facing to adopting and using federated access, and to capture their requirements for an interoperable AAI. A total of 10 scientific communities responded to this survey and the results are presented in Section 3.2 of the document. In addition, a set of one-to-one discussions was held with key representatives from EGI, ELIXIR, EUDAT and GÉANT, in which we discussed their plans, their successes and the barriers they are facing. The results of these discussions are presented in detail in Section 3.3.

As part of the third and final step, the extracted requirements have been extensively processed, homogenised, merged, filtered, extended and classified to produce a refined set of requirements formulated into tables, shown in Section 4. We have identified 25 distinct requirements, 18 relating to tools and architecture and 7 relevant to policies and best practices. The document's conclusions are drawn in Section 5.

Finally, the questionnaire used for the AARC internal survey is presented in 0, while a brief description of the main AAI use case for each participating user community is provided in Appendix B.




Introduction

Controlling access to research-related resources and collaborative tools is challenging, particularly when dealing with research communities that can be geographically dispersed across Europe and the globe. National identity federations for Research and Education (R&E), whereby the user's identity is verified by the institution that issues the user’s credentials, enable users to access different services with the same credentials, while allowing research e-Infrastructures to offer resources in a more controlled and consolidated way.

While eduGAIN serves as a global interconnection framework for national identity federations, multiple interoperability gaps still exist between the different Authentication and Authorisation Infrastructures (AAIs) that are operated by the national federations and the various research collaborations and e-Infrastructures. Besides interoperability issues, there are also functional aspects that have yet to be addressed, such as identity attribute aggregation from multiple providers, Single Sign On (SSO) support for non-web applications, delegation capabilities, and credential translation services. In addition to addressing these technical aspects, integration of AAIs requires significant efforts to define a common policy framework covering the necessary legal and operational practices for all entities involved in the AAI ecosystem, including identity providers, attribute providers, resource providers and federation operators.

The AARC project aims to build on the developments and deployments that have led to the AAI frameworks used to date to deliver a common framework for authentication and authorisation that will allow research communities to share information resources and services easily and effectively across e-Infrastructures in a secure, well-controlled fashion, while at the same time reducing operational burden. AARC brings together different e-Infrastructure providers, as well as libraries and research communities, in order to capture and analyse the requirements for a Pan-European identity federation for researchers, educators and students. This approach ensures user-community engagement, avoids duplication of efforts by reusing existing AAI frameworks, and creates the conditions to enhance these frameworks to address community requirements.

The goal of this document is to collect the needed requirements to enable the design and pilot of an integrated Federated Authentication and Authorization Architecture for e-Infrastructures.


Methodology

Before AARC, several other initiatives have explored the requirements for federated AAI capabilities. The work presented in this document builds upon these efforts in order to capture and analyse today’s requirements for a Pan-European identity federation for researchers, educators and students.

The findings from previous studies provided an insight into the different user communities involved and the current status with respect to the penetration of federated identity management. AARC researchers then collaborated to devise questions that were circulated to many of these communities. It should be noted that the project used a questionnaire (see 0) as part of its methodology in order to gain access to a larger sample of user communities than could be feasibly achieved through direct contact. However, to gather more detailed information about the requirements described in the survey’s responses, a series of interviews were also conducted with a subset of the participating communities. These were held in the form of informal conversations and semi-structured interviews with key users of the selected communities who have an extensive understanding of the needs and issues of their AAI.

More specifically, the methodology used for this deliverable to analyse requirements comprises the following steps:

  1. gathering of initial requirements from a multitude of external sources, including input from previous activities such as the “TERENA AAA Study” and the documents produced by FIM4R,

  2. evaluation, analysis, filtering and refinement of initial requirements based on feedback collected from the AARC internal survey and interviews with a selected but broad representation of user communities,

  3. harmonisation, classification and ranking of requirements.


The described methodology will also serve as the basis for extracting use cases in a continuous and iterative process, the results of which will be recorded on the project’s wiki. In addition, the information gathered will allow for an assessment of the authentication and authorisation technologies adopted by the user communities. The latter results will be documented in a different report to be shared among AARC partners (MJRA1.1).


Input from stakeholders


Requirements analysis


Conclusions

In this document, requirements were investigated from many sources in different projects, from different disciplines, and using documents written over a period of several years, including the surveys produced and collected in the first 6 months of the project. Out of these requirements, 25 high-level items were identified and categorised using the FURPS+ method. This classification of requirements is illustrated in Figure 8, where it can be seen that the majority of them are non-functional. This supports our initial assumption that, in addition to functional gaps, federated AAI requires significant efforts towards the definition of common policies covering the necessary legal and operational practices for all entities involved in the AAI ecosystem.

The requirements related to policies and best practices are illustrated in Figure 10, where they are ranked based on the frequency of occurrence in various sources. In the figure, the information is presented in such a way as to highlight the possible areas that should be given the greatest attention within the AARC project. For example, sufficient attribute release and policy harmonization are clearly of interest to most of the communities participating in the requirement gathering process. Similarly, regarding the identified architectural and technical requirements, Figure 11 shows that support for different LoA and community-based authorization are required by the majority of the communities.

AARC will continue the discussion with the project stakeholders in order to understand and evaluate their requirements. Over the next months, until the end of the first project year (April 2016), we are going to work on prioritizing these requirements, taking into account actual use cases, their horizontal applicability and their technical feasibility. The outcome of that work, along with the information included in this document, will be an important input for the first internal draft version of the high-level AAI blueprint architecture, which is planned for November 2015.

Complementary to this work, in MJRA1.1 "Existing AAI and available technologies for federated access", we will capture and analyse the tools and technologies which are available today for building federated AAIs, and will identify any technology gaps that might exist. This document will be available at the end of 2015.




 

 


 

 
