Overall goals and approach of Pilots in AARC

Aims

The Pilots activity aims at facilitating researchers by providing the access management tools and framework to support collaborative research in a distributed environment. To this end, in this activity we demonstrate through (pre-) production services that:

• existing AAIs and authentication sources can be leveraged to enable (SSO) access with appropriate level of assurance for any natural person (academia and non-academia) to shared resources offered by different e-Infrastructure providers and communities. (task 1) 

• authoritative decisions and user/group context can be based on distributed group managers and attribute providers. (task 2)

• access to non-web and commercial e-infrastructure services can be enabled. This requires the bridging of SAML (NREN world) and token/certificate based (e-infra world). (task 3)

Approach

The approach consists of deploying existing components as discussed with and identified by JRA1 and to integrate a selection of these components according to a common architecture that has been drafted in JRA1. To this purpose we established a stable pilot environment with solutions to be tried and assessed by stakeholders of the research communities. A more detailed description of the aims and approach of the pilots activity is available here: Specify the work to be undertaken in collaboration with JRA1 and NA3
 
As of June 2016, a number of deliverables and milestones documents from AARC architecture and the AARC policy harmonisation activities are available that guide the pilot work in this activity:

• Analysis of user- community requirements
• Existing AAI and available technologies for federated access
• The blueprint architecture
  

Pilots performed 

As of March 2017, a large number of pilots have been prepared and lined up as part of the AARC SA1 activity. We assessed the suitability of many different components to handle common issues experienced in R&E. Topics range from handling guest users, managing attributes, to performing token translations. A detailed overview of all components piloted is available here: 

Expanding the reach of federated access

Libraries

• Libraries consortium portal and proxy pilot  Portal & Hub for library consortia - tested with Greek Heal link consortium
• Libraries EZproxy access mode switch pilot  Hybrid SAML and IP address based AuthN – tested with IT library community
• Libraries walk-in-user pilot Entry for guest users to access library sources – tested with IT library community

Check this flyer with a general overview of the pilots: <Click library pilots pdf leaflet> and give us feedback via this online survey 

Guest access

• External identity provider pilot Include Social Identities (Facebook/LinkedIn/Google) in the Authentication and Authorization – tested with EGI
• COmanage ORCID pilot  AuthN with ORCID iD and writing it to LDAP for use in collaboration services - tested with Dutch research communities

Testing technical and policy components

Attribute management - <Click attribute management pdf leaflet>

• Attribute management pilot EGI  Attribute management and proxying to manage access to OpenStack – tested with EGI

• Attribute Management pilot BBMRI  Attribute management and proxying to manage access to BBMRI services – tested with BBMRI
• Perun VOMS CILogon pilot X509 access to Elixir and EGI services with Authorisation attributes pushed from Perun to VOMS into the certificate –tested with Elixir

TTS pilots

• IGTF to eduGAIN proxy  X509 to SAML  in order to access Services published to eduGAIN – tested with EGI, now in production with R&S and SIRTFI
• CILogon-like pilot  SAML to certificate – tested with Elixir and EGI community
• COmanage SSH pilot SAML to ssh + workflows and audit trail – tested with NL BBMRI community, EGI....
• WaTTS (SSH-plugin) stand alone p&p TTS using OIDC to generate ssh key – tested with EGI
• WaTTS (RCauth-plugin) using OIDC to generate session inside which an RCauth Certificate is stored – tested with EGI, B2Access, HBP, Indigo
• LDAPfacade    Providing access to non-web resources via SAML and PAM– tested at PSNC

 Enabling access to (commercial) 3rd party 

• Seafile with SAML federation pilot
• Collabora/Nextcloud federation pilot

Cross infrastructure pilots

• PRACE-EUDAT pilot
• EGI-EUDAT pilot - web based and non web based use cases

This presentation provides a high-level overview and some highlights of the results achieved in this activity: