Concepts
B2ACCESS is organised in Virtual Organisations (VOs), and based on the Proxy Concept introduced by the AARC Blueprint.
The Virtual Organisation (VO) Concept
Virtual Organisations (i.e. research groups) are the key element of group based authorisation in the EUDAT infrastructure.
The classical Virtual Organisation (VO) concept applies to HPC but also to the grid world:
- Each VO consists of a number of users.
- A VO is supported by an arbitrary number of services, which for example can be used for collaboration, grant access to computing infrastructure and much more.
- VOs are managed by VO administrators (aka Principal Investigators). Administrators of Virtual Organisations are responsible for services in their VO (e.g. by writing proposals for HPC computing time, or by otherwise obtaining quotas on specific pieces of infrastructure).
- VO administrators are also responsible for managing the VO's members by means of the Group Management interface of Unity.
The SP-Identity Provider Proxy Concept
According to the AARC Blueprint, an SP-IdP proxy is a software stack which can be used for hierarchical organisation of an Authentication and Authorisation Infrastructure (AAI). The SP-IdP Proxy addresses three common shortcomings in this field:
- With growing numbers of SPs and IdPs, it becomes very difficult to maintain a consistent attribute release from each IdP to every SP. The Proxy reduces this n:m mapping to an n:1:m mapping.
- Some authorisation attributes cannot be maintained at home IdPs. For example, group membership needs to be managed by the head of a group and not by administrative personnel operating a home IdP.
- Some authentication patterns, in which access to individual datasets is required, may be supported by specialised SP-IdP-Proxy implementations.
- Additionally, a proxy, once in place, allows translation between different AAI protocols. At present, proxies can enable smooth interoperation between X.509 certificates, SAML and OpenID Connect.
A typical use case is a service that is not able to directly address SAML- or OpenID Connect-federated identity providers. In such a case, a so-called SP-IdP proxy can speak the service's native protocol on the one end and handle the complexity of a federation on the other end. This is achieved by offering the services suitable SSO access points, and by acting as a service provider towards the federation, redirecting authentication to the central login proxy or, in some cases, forwarding the users to their home IdPs for authentication.
The Identity Assurance Concept
The REFEDS Assurance Framework (RAF) defines individual assurance components that describe a user's identity. This allows differentiation between the quality of the ID vetting, the attribute freshness and the uniqueness of the identifiers used.
Since none of the existing IdPs currently support RAF, the idea is to do this on the proxy level, i.e. Unity conveys information about the upstream authentication of the user. This is hard-coded configuration that contains a priori knowledge about the upstream IdP and its procedures. For example, this allows us to characterise the upstream authentication and differentiate between ORCID users and those from (for example) KIT.
The currently defined values are:
- ID-Uniqueness:
  - $PREFIX$/ID/unique
  - $PREFIX$/ID/no-eppn-reassign
  - $PREFIX$/ID/eppn-reassign-1y
- ID-Proofing:
  - $PREFIX$/IAP/low
  - $PREFIX$/IAP/medium
  - $PREFIX$/IAP/high
  - $PREFIX$/IAP/local-enterprise
- Attribute freshness:
  - $PREFIX$/ATP/ePA-1m
  - $PREFIX$/ATP/ePA-1d
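The following is an added example, not code from B2ACCESS or Unity: it shows the two halves of the assurance concept above, the proxy-side a priori table that tags users by upstream IdP, and the service-side check that evaluates the released values against a policy. The IdP names, the per-IdP values and the policy are constructed; the RAF URI prefix is assumed to be https://refeds.org/assurance (written as $PREFIX$ above), and local-enterprise is treated as a separate value rather than a level above high.

```python
# Constructed example: proxy-side assurance tagging and an SP-side policy check.

PREFIX = "https://refeds.org/assurance"  # RAF URI prefix; the page writes it as $PREFIX$

# A priori knowledge about upstream IdPs, hard-coded at the proxy.
# Constructed sample entries, not B2ACCESS's actual configuration.
UPSTREAM_ASSURANCE = {
    "https://orcid.example": [f"{PREFIX}/ID/unique", f"{PREFIX}/IAP/low"],
    "https://idp.university.example": [
        f"{PREFIX}/ID/unique", f"{PREFIX}/ID/no-eppn-reassign",
        f"{PREFIX}/IAP/medium", f"{PREFIX}/ATP/ePA-1d",
    ],
}

# Ordered ID-proofing levels; local-enterprise is a distinct value, not ranked here.
IAP_RANK = {"low": 1, "medium": 2, "high": 3}


def assurance_for(upstream_idp):
    """Proxy side: assurance components conveyed for a user authenticated at upstream_idp.
    An unknown IdP yields no components: a service must treat absence as unknown, not as low."""
    return list(UPSTREAM_ASSURANCE.get(upstream_idp, []))


def parse(values):
    """Split RAF URIs into {component: {value, ...}}, ignoring anything outside PREFIX."""
    comps = {}
    for v in values:
        if v.startswith(PREFIX + "/"):
            comp, _, val = v[len(PREFIX) + 1:].partition("/")
            comps.setdefault(comp, set()).add(val)
    return comps


def satisfies(values, min_iap="medium", require_unique=True, require_no_reassign=False):
    """Service side: does the released assurance set meet this service's policy?"""
    comps = parse(values)
    ids = comps.get("ID", set())
    if require_unique and "unique" not in ids:
        return False
    if require_no_reassign and "no-eppn-reassign" not in ids:
        return False
    # Highest ranked IAP value present; unranked or missing values count as 0.
    best = max((IAP_RANK.get(v, 0) for v in comps.get("IAP", ())), default=0)
    return best >= IAP_RANK[min_iap]


if __name__ == "__main__":
    for idp in UPSTREAM_ASSURANCE:
        print(idp, "->", satisfies(assurance_for(idp)))
```

A service should only honour these values when they arrive from the proxy it trusts as issuer; the check above assumes that has already been verified.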
Last update: 09.02.2024