Choose timezone
Your profile timezone:
Powered by Indico
v3.3.5
AAI Requirements Document:
does it meet the TA's needs?
Document: https://intra.punch4nfdi.de/?md=/docs/TA6/WP2/aai-requirements.md
additional requirement (Markus):
- services may need to support several/multiple AAIs
corresponding authorisation policy is required
agreement between domains how mutally to use resources
cannot be resolved by the AAI interface by itself
more a community based than a technical problem
existing infrastructures should also be considered as login possibility
and should be integrated
if a person is e.g. in CMS and Belle, can the AAI handle which authentication
shall be used ?
service should be available for many users
and it should be transparent for the user via which AAI to log in
maybe this can be done within the PUNCH communities
and then get a technical implementation
but we have edu ID project in Germany
which links them together
they may find a solution
PUNCH AAI can serve customers who do not have their own AAI system
via some redirection method
maybe PUNCH can talk and contribute to the edu ID project
(https://www.dfn.de/eine-fuer-alle-die-edu-id/)
high level comments:
clear distinction between single sign on
(login once and then do my work)
and user identification by distributed infrastructure
(to be discussed with Harry)
==> distinguish between identity providing and authorisation workflows
==> DONE already
bypassing AAI:
responsibility of service and not user
concerning information about leaving users
should an AAI actively inform the service ?
someone leaving a consortium is not necessarily not a PUNCH user anymore
this can be handled with different groups
and is also a policy related issue
there is a clearly defined chain
as an internal punch member, e.g.
if no longer employed, decision by the EB is required
chain of AAIs conveys chain of rights
==> AAI needs to contain the information, so information should be queried from services and resource providers
representatives from various resource providers here
is there something lacking ?
==> none
technical part:
should clarify if we would expect from the NFDI some cross domain
single sign on infrastructure
this should be in the end and not at the start
no comments
round up of the document
then maybe discussion in the MB and EB
time stamp up to end of the year
in one year will be iterated
AI:
time stamp to be added (31.12.22) ==> first EB January 1, 2023
forward to EB mailing list so that people can have a look
ask for feedback, if nobody disagrees than this is fine
and send to MB for information