Attribute Management (TSA1.2)
Task Leader: EGI, Peter Solagna
Based on the scenarios for an attribute management framework as described in JRA1 this activity will deploy pilots for the tools and methodology identified by JRA1 for deploying attribute management frameworks for collaborative SSO scenarios. The pilots will focus on maximising the interoperability of the tested solutions. This includes:
- Attribute management. Identify tools and services that better support the registration and management of attributes by the research communities. Based on the requirements, as defined in JRA1, at least two tools will be selected for a pilot. The tools should support standard interfaces to be used by user communities and e-infrastructure service providers.
- Attribute aggregation. Multiple scenarios for attribute aggregation are expected to result from the attribute framework definition. This work item will validate at least two basic models, a hub model and a mesh model. From a protocol perspective the same open standards can be used to engage in attribute distribution. This work item will investigate feasibility, security and privacy implications of at least two protocols.
- Attribute based authorisation. Service providers will base authorisation on a combination of IdP and community provided attributes. This work item validates the investigations done in JRA1 with at least two real service providers as they exist in participating R&E communities. In collaboration with NA3, LoA requirements with regard to authorisation attributes will be considered and tested.
To address the attribute management topic we started two pilots:
- A pilot to test components for attribute management in the context of the EGI community. Access to the various services should be granted based on the VO roles the user have and expressed in attributes. Back-end services should not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies.
- A pilot to test components for attribute management in the context of the BBMRI ERIC. Here the aim is to establish a full fledged standardised AAI infrastructuur for the BBMRI ERIC community to enable access and authorisation to shared biomedical resources with appropriate level(s) of assurance
In both pilots the IdP/SP proxy approach has been adopted to handle all complexity.
Status per June 1st 2016
- Deployment of the EGI attribute management frame work is going on. Attribute authorities have been set up (PERUN, GOCDB) and SimpleSAMLphp is in place to manage aggregations. COmanage will be added as a 3rd attribute source and OpenConext will be deployed to handle attribute aggregation. In addition, the CIlogon setup described elsewhere is in place in this context as well.
- For the BBMRI / AARC pilot, a pilot infrastructure has been established, Perun has been deployed and registration processes have been defined
- Preparations are currently being performed to pilot with AuthN and AuthZ LoAs, and persistent identification approaches accross e-infrastructures