This page describes the future plans for the EOSC-hub AAI. These include alignment activities across the EOSC-hub AAI services which can be classified into technical and policy-related activities.
Technical alignment activities
The following technical alignment activities have been identified:
- Alignment of user attributes: The attributes used to express user information should follow the REFEDS R&S attribute bundle, as defined in [REFEDS-R&S]
- Alignment of VO/group membership and role information: VO/group membership and role information, which is typically used by relying parties for authorisation purposes, should be expressed according to [AARC-G002]
- Alignment of resource capabilities information: Capabilities, which define the resources or child-resources a user is allowed to access, should be expressed according to [AARC-G027]
- Alignment of affiliation information: Affiliation information, including (i) the user’s affiliation within their Home Organisation, such as a university, research institution or private company, and (ii) affiliation within the Community, such as cross-organisation collaborations, should be expressed according to [AARC-G025]
- Alignment of assurance information: Assurance information, used to express how much relying parties can trust the attribute assertions about the authenticating user, should follow:
  - REFEDS Assurance Framework (RAF) [RAF-version-1.0]
  - Guideline on the exchange of specific assurance information [AARC-G021]
  - Guideline for evaluating the combined assurance of linked identities [AARC-G031]
  - Guideline on the expression of REFEDS RAF assurance components for identities derived from social media accounts [AARC-G041]
  - Guidelines for expressing the freshness of affiliation information, as defined in [AARC-G025]
- OAuth2 token validation across multiple domains: OAuth2 Authorisation Servers should be able to validate tokens issued by other trusted Authorisation Servers. Extending existing flows, such as the OAuth2 Token Exchange flow [OAuth2-Token-Exchange-draft], will need to be considered for enabling the validation of such externally issued tokens.
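As an added example (not code from the EOSC-hub project or any of its AAI services), the following Python parses the group/role entitlement syntax of AARC-G002 and the capability syntax of AARC-G027 that the alignment activities above refer to, and shows how a relying party would derive an authorisation decision from them while accepting only values whose `#authority` part it trusts. The syntax follows those two guidelines; every sample value, namespace and authority below is constructed.

```python
import re

# Syntax per AARC-G002 (<NS>:group:<GROUP>[:<SUBGROUP>...][:role=<ROLE>]#<GROUP-AUTHORITY>)
# and AARC-G027 (<NS>:res:<RESOURCE>[:<CHILD>...][:act:<ACTION>[,<ACTION>...]]#<AUTHORITY>).
_ENT_RE = re.compile(r"^(?P<ns>urn:[^#]+?):(?P<kind>group|res):(?P<path>[^#]+)#(?P<auth>[^#\s]+)$")

def parse_entitlement(value):
    """Return the components of one entitlement, or None if it is not well-formed."""
    m = _ENT_RE.match(value)
    if not m:
        return None
    kind, parts, role, actions = m["kind"], m["path"].split(":"), None, []
    if kind == "group" and parts[-1].startswith("role="):
        role = parts.pop()[len("role="):]
    elif kind == "res" and "act" in parts:
        i = parts.index("act")
        parts, tail = parts[:i], parts[i + 1:]
        if len(tail) != 1:  # exactly one comma-separated action list may follow ":act:"
            return None
        actions = tail[0].split(",")
    if not parts or "" in parts or role == "" or "" in actions:
        return None  # empty group, subgroup, resource, role or action component
    return {"kind": kind, "namespace": m["ns"], "path": parts,
            "role": role, "actions": actions, "authority": m["auth"]}

def trusted_entitlements(values, authorities):
    """Parsed values whose '#authority' the relying party trusts; everything else is ignored."""
    return [e for e in map(parse_entitlement, values) if e and e["authority"] in authorities]

def is_member(values, authorities, namespace, group, role=None):
    """Membership of exactly this group path (subgroup membership does not imply the parent)."""
    return any(e["kind"] == "group" and e["namespace"] == namespace and e["path"] == list(group)
               and (role is None or e["role"] == role)
               for e in trusted_entitlements(values, authorities))

def may_act(values, authorities, namespace, resource, action):
    """Capability for exactly this resource path whose action list contains the action."""
    return any(e["kind"] == "res" and e["namespace"] == namespace
               and e["path"] == list(resource) and action in e["actions"]
               for e in trusted_entitlements(values, authorities))

# Constructed sample values, as a relying party might receive them in eduPersonEntitlement.
SAMPLE = [
    "urn:mace:egi.eu:group:vo.example.org:role=member#aai.egi.eu",
    "urn:geant:example.org:group:project-x:analysts:role=admin#aai.example.org",
    "urn:geant:example.org:res:storage:bucket-1:act:read,write#aai.example.org",
    "urn:geant:example.org:group:project-x:role=admin#untrusted.example.net",
]
TRUSTED_AUTHORITIES = {"aai.egi.eu", "aai.example.org"}
```

The last sample value claims an admin role from an authority the relying party does not trust, so `is_member` rejects it until that authority is added to the trusted set.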
The table below lists the identified technical alignment activities and their status. A green checkmark indicates a complete activity, otherwise the expected time of implementation is provided.
Activity | B2ACCESS | Check-in | eduTEAMS | INDIGO-IAM |
---|---|---|---|---|
Alignment of user attributes | ✓ | ✓ | ✓ | M21 |
Alignment of VO/group membership and role information | ✓ | ✓ | ✓ | M21 |
Alignment of resource capabilities information | M18 | M18 | ✓ | M21 |
Alignment of affiliation information | M21 | M21 | M21 | M21 |
Alignment of assurance information (including freshness of affiliation information) | PY3 | PY3 | PY3 | PY3 |
OAuth2 token validation across multiple domains (proof-of-concept implementation) | M24 | M21 | M21 | M24 |
OAuth2 token validation across multiple domains | PY3 | PY3 | PY3 | PY3 |
Policy-related integration activities
The following policy-related alignment activities have been identified:
- Alignment of privacy statements: For the EOSC-hub AAI, compliance with the GÉANT Data Protection Code of Conduct version 1 (DPCoCo-v1) [DPCoCo-v1] is implicit, since it reflects the Data Protection Directive and means compliance with applicable European rules (see [AARC-G040]). To explicitly declare compliance with DPCoCo-v1, the privacy notice of each EOSC-hub AAI service should include a reference to DPCoCo-v1.
- Alignment of operational security and incident response policies: The entities of the EOSC-hub AAI registered with eduGAIN should meet the Sirtfi [Sirtfi-v1.0] requirements and express Sirtfi compliance in their metadata in order to facilitate coordinated response to security incidents across organisational boundaries.
- Alignment of Acceptable Use Policies (AUPs): To reduce the burden on the users and increase the likelihood that they will read the AUP as they access resources from multiple service and resource providers, the EOSC AAI services should adopt the WISE Baseline AUP model [WISE-AUP].
The table below lists the identified policy-related activities and their status. A green checkmark indicates a complete activity, otherwise the expected time of implementation is provided.
Activity | B2ACCESS | Check-in | eduTEAMS | INDIGO-IAM |
---|---|---|---|---|
Alignment of privacy statements | ✓ | M18 | ✓ | ✓ |
Alignment of operational security and incident response policies | ✓ | ✓ | ✓ | ✓ |
Alignment of Acceptable Use Policies (AUPs) | M21 | M21 | ✓ | M21 |
Integration of EOSC-hub AAI services
This section presents the integration roadmap of the EOSC-hub AAI services. The status of each of the required integrations or the expected time of implementation is described in the table below. Integrations which have already been established are marked with a check mark. Note that where integration is not considered complete, an amber checkmark is used to indicate the status.
AAI service | EUDAT | EGI | GEANT | INDIGO-IAM |
---|---|---|---|---|
B2ACCESS | ✓ | | | |
Check-in | ✓ | ✓ | | |
eduTEAMS | M18 | M18 | PY3 | |
INDIGO-IAM | PY3 | PY3 | PY3 | |