- Number of slides: 9
AAI Interconnection with a European style
Diego R. Lopez, RedIRIS
The European way
• (Too) many states, languages, national priorities/laws/prides/…
• Different systems and/or profiles of existing systems
  • In different degrees of maturity and deployment
• Look for agreements, even when not fully satisfactory
• Several initiatives to fill the gaps
  • eduroam (already and successfully running!)
  • GN2-JRA5 (defining the architecture of an AAI)
  • TF-EMC2 (refining the AA-RR and initiating its schema effort, SCHAC)
  • TERENA-EUNIS-EUA (a proposal to enable direct data exchange among European universities through the so-called ECTS)
• Import whatever is worth from the other side of the Atlantic
  • Shibboleth as basic standard
• And always with a sense of style and history
  • Your humble speaker and many colleagues
GÉANT2 AAI
• It is intended to be one of the basic services of the coming pan-European academic network
• Common to all services provided by and based on the network
  • From network access, bandwidth management, etc.
  • To application access (including Grids)
• Not a substitute for existing infrastructures
  • Nation- or community-based
  • A superstructure connecting them
  • Based on (con-)federating the federations
  • Allowing different kinds of trust meshes
• But able to build new federations where they do not exist
• And directly providing AuthN/AuthZ services access through specific interfaces
GÉANT2 AAI components
• A local AAI Instance at each federation/domain/realm
  • Providing the interfaces to the federations or services in it
• Common Services
  • Home Location Service (the WAYF, "Where Are You From")
  • Others possible: certificate verification, common diagnostics, …
  • Only available to the local AAI-I
• Connectors
  • Centralized for a federation (the Local Federation Connector)
  • Local Connectors for resources allowed to interact directly
• Service Access Points
  • In charge of adapting AAI interfaces to the (isolated) services' AA queries/responses
• Interfaces and operations
  • WS and SAML based
  • As Shibboleth-compatible as possible
An example diagram
Including Shib in the picture
TF-EMC2 and AA-RR
• Able to play the role of any of the following components
  • Attribute sources (AS): able to accept queries and respond with attribute information
  • Attribute requesters (AR): make requests to an AS and process the responses, possibly using an AE
  • Authorization engines (AE): respond to queries from an AR, applying their internal rules
• Driven by profiles
  • Entity and protocol aspects
  • Attributes and values
• Protocol agnostic
• Applications
  • GÉANT2 AAI Connectors
  • Diagnostic tool
  • Interoperability assessment
TF-EMC2 and SCHAC
• An extension to eduPerson
• Taking into account European idiosyncrasy
• Based on a collection of national extensions so far
  • Finland, France, Norway, Poland, Spain, Sweden, Switzerland
• Common requirements have been quickly identified
  • Personal (unique) identifiers
  • Other personal attributes (citizenship, languages, …)
  • Privacy definition and entitlements
  • Go beyond eduPersonAffiliation
• Initial proposal submitted and being discussed
• The plan is to present version 1.0 at the next TF-EMC2 meeting next June in Poznan
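As an added illustration (not code from these slides, nor from the AA-RR or SCHAC projects), the following Python toy models the three AA-RR roles of the previous slide, with the attribute source enforcing the kind of per-requester release policy that the SCHAC "privacy definition" requirement points at. The schac* attribute names, the sample directory and the ECTS-portal rule are assumptions constructed for this example (the attribute names are taken from the later published SCHAC schema).

```python
# Toy model of the TF-EMC2 AA-RR roles (constructed example, not AA-RR code).
# The schac* attribute names are assumptions taken from the later SCHAC schema.
from dataclasses import dataclass

@dataclass
class AttributeSource:
    """AS: answers queries, releasing only what the per-requester policy allows."""
    directory: dict       # principal -> {attribute: value}
    release_policy: dict  # requester id -> set of releasable attribute names

    def query(self, requester: str, principal: str, wanted: list) -> dict:
        allowed = self.release_policy.get(requester, set())  # unknown AR: nothing
        record = self.directory.get(principal, {})
        return {a: record[a] for a in wanted if a in allowed and a in record}

@dataclass
class AuthorizationEngine:
    """AE: applies its internal rules to the attributes handed over by an AR."""
    rules: dict  # resource -> predicate over the released attribute dict

    def decide(self, resource: str, attrs: dict) -> bool:
        rule = self.rules.get(resource)
        return rule is not None and bool(rule(attrs))  # no rule: deny

@dataclass
class AttributeRequester:
    """AR: asks the AS for attributes and lets the AE decide on the resource."""
    ident: str
    source: AttributeSource
    engine: AuthorizationEngine

    def authorize(self, principal: str, resource: str, wanted: list) -> bool:
        attrs = self.source.query(self.ident, principal, wanted)
        return self.engine.decide(resource, attrs)

# Constructed sample data: one home organisation's directory, policy and rules.
DIRECTORY = {"alice@example.edu": {"eduPersonAffiliation": "student",
                                   "schacHomeOrganization": "example.edu",
                                   "schacCountryOfCitizenship": "es"}}
POLICY = {"ects-portal": {"eduPersonAffiliation", "schacHomeOrganization"}}
RULES = {"ects-portal": lambda a: a.get("eduPersonAffiliation") == "student"
                                  and "schacHomeOrganization" in a}
WANTED = ["eduPersonAffiliation", "schacHomeOrganization", "schacCountryOfCitizenship"]

def run_exchange(requester_id: str) -> bool:
    # Full AR -> AS -> AE exchange for alice against the ECTS portal rule.
    source, engine = AttributeSource(DIRECTORY, POLICY), AuthorizationEngine(RULES)
    return AttributeRequester(requester_id, source, engine).authorize(
        "alice@example.edu", "ects-portal", WANTED)
```

Note that the citizenship attribute is requested but never leaves the AS, because the release policy for this requester does not list it; an AR the AS has no policy for receives nothing and is denied.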
The ECTS-enabling proposal
• ECTS is the European Credit Transfer System
  • To permit European students to complete their curricula at any university within the EU
  • Also known as the “Bologna process”
• One of the main drivers of SCHAC
  • It has made schema harmonization key to IT practitioners in the European universities
• Close cooperation between TERENA/TF-EMC2 and EUNIS
  • A proposal on schema harmonization to be submitted to the EC
  • Also supported by the EUA (European University Association) and several national associations


