Speaker
Peter Gietz
(DAASI International / DARIAH)
Description
Introduction
The DARIAH research infrastructure offers the DARIAH AAI as one of the core technical services for researchers in the arts and humanities. It enables researchers to log in to various DARIAH services, either with their own campus account or with an account registered at the DARIAH homeless IdP. In either case the DARIAH AAI adds information, such as group memberships specific to the DARIAH community and the approval of general and, optionally, service-specific terms of use, which services can use for authorisation decisions. Version 1 of the DARIAH AAI has been in production for multiple years and required every service to implement several details itself, e.g. the connection to eduGAIN, the attribute query to the DARIAH Identity Provider for the additional attributes, the validation of policy attributes, and blocking and redirecting the user to the DARIAH self-service portal if any of this information was missing or out of date.
Integration of a SP-IDP-proxy based on the AARC BPA
To overcome these limitations while staying in line with the Blueprint Architecture (BPA) by AARC, and thereby allowing interoperability with other infrastructures, we decided to implement DARIAH AAI version 2 as part of an AARC2 pilot in late 2017. The scope of this pilot was twofold. Firstly, DARIAH implemented an SP-IDP proxy based on Shibboleth software, integrated the components into the production AAI and adopted all relevant AARC guidelines. Secondly, a pilot to connect the new DARIAH AAI proxy with EGI, so that DARIAH researchers can use EGI services such as the VM dashboard, was agreed upon.
The implementation of the proxy was completed in mid-2018 and deployed to the production service. Since then all DARIAH services have been moved behind the proxy. As the architecture was designed with backwards compatibility in mind, the transition did not create any major issues. Connecting to the federated AAI through the proxy is now much simpler for service operators, and as a result a number of additional services could be connected to the DARIAH AAI. For the second part of the pilot we successfully connected the DARIAH proxy with the development instance of EGI Check-in. This included attribute and entitlement mapping between DARIAH and EGI, as well as on-the-fly user provisioning within EGI. For this, a number of plugins for the existing EGI Check-in infrastructure were developed.
In the presentation we will present both the technical implementation of the DARIAH proxy and an overview of the interoperability endeavour with EGI from the point of view of DARIAH. Furthermore, we will report our experience with the migration process and discuss future work.
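As an added illustration (not DARIAH's or the proxy's own code), the following sketch shows the policy checks the abstract says every service had to perform itself in AAI version 1 (community group membership, general and service-specific terms-of-use approval, redirect to the self-service portal when something is missing or stale) applied once, centrally, as a proxy would, plus a minimal group-to-entitlement mapping of the kind needed for the EGI connection. Attribute names, policy versions, the self-service URL and the entitlement namespace are constructed placeholders, not values from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: the real DARIAH attribute names, terms-of-use
# versions, self-service URL and entitlement namespace are not on the page.
SELF_SERVICE_URL = "https://selfservice.example.invalid/"
GENERAL_TERMS_VERSION = "2018-06"
ENTITLEMENT_NAMESPACE = "urn:example:placeholder-nid"   # hypothetical NID
GROUP_AUTHORITY = "idp.example.invalid"                  # hypothetical authority


@dataclass
class Service:
    name: str
    required_group: str
    terms_version: Optional[str] = None  # set only if the service has its own terms


@dataclass
class Decision:
    allow: bool
    reason: str
    redirect: Optional[str] = None  # where the proxy sends a blocked user


def authorize(attrs: dict, service: Service) -> Decision:
    """Run the v1 per-service checks once, at the proxy, for a given service."""
    groups = set(attrs.get("dariahGroups", []))
    accepted = attrs.get("termsAccepted", {})  # policy id -> accepted version
    # 1. Community group membership released by the DARIAH IdP.
    if service.required_group not in groups:
        return Decision(False, f"not a member of {service.required_group}", SELF_SERVICE_URL)
    # 2. General terms of use: missing or superseded version blocks the login.
    if accepted.get("general") != GENERAL_TERMS_VERSION:
        return Decision(False, "general terms of use missing or out of date", SELF_SERVICE_URL)
    # 3. Optional service-specific terms of use, checked the same way.
    if service.terms_version and accepted.get(service.name) != service.terms_version:
        return Decision(False, f"terms of use for {service.name} missing or out of date",
                        SELF_SERVICE_URL)
    return Decision(True, "all policy attributes present and current")


def to_entitlement(group: str) -> str:
    """Map a community group to an AARC-style entitlement URN for a partner
    infrastructure (layout follows the AARC group-entitlement guideline;
    namespace and authority are placeholders)."""
    return f"{ENTITLEMENT_NAMESPACE}:group:{group}#{GROUP_AUTHORITY}"
```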
Primary author
David Huebner
(DARIAH)