EOSC AAI Architecture 2022

Relevance

The basis of the EOSC AAI Architecture is the AARC Blueprint Architecture (AARC BPA), which provides a set of building blocks for software architects and technical decision makers who are designing and implementing access management solutions for international research collaborations. It is fundamental to understand how the AARC blueprint and AARC Interoperability Guidelines can be adopted by EOSC.

Scope

This report captures the current status of the EOSC AAI architecture discussions and identifies challenges and the areas that require further work. It is targeted at AAI experts, operators of organisations providing services to the EOSC, organisations operating proxies that aggregate other service providers or enrich identities, and providers of authentication identities whose identities are used by EOSC services or by EOSC proxies. The report provides valuable insights to help these target groups understand, implement, and interoperate within the defined AAI architecture.

Main highlights

The EOSC AAI Architecture 2022 defined in the document expands the AARC BPA deployment model to a federated model in order to enable integration without the need for bilateral agreements. In addition, the document describes how to adopt AARC “hinting” specifications to streamline the discovery process and improve the user experience, discusses both short-term and long-term solutions to support multi-infrastructure workflows, and outlines strategies for expanding access beyond research and education.

The proposed EOSC AAI Architecture addresses security concerns in decentralised environments, such as the EOSC ecosystem, by enabling a wide range of control points, including the research community, the infrastructure proxy and the end-service level. Ultimately, this gives organisations within EOSC the flexibility to adapt to the varying risk profiles and requirements of different use cases and choose and use the control points best suited to their security requirements.

Key recommendations

The next iterations of the EOSC AAI Architecture must address multiple challenges. These include for instance defining a mechanism to support the scalable establishment of trust between the OAuth2 Authorization Servers that participate in the EOSC AAI Federation, guidance for further improving the identity provider discovery process, and addressing the critical aspect of data protection to help EOSC AAI participants to understand and comply with the requirements set by the General Data Protection Regulation (GDPR).