DataPLANT participates in Base4NFDI IAM workshop on Community AAI solutions

27 Aug 2023

DataPLANT's IAM experts participated in the second workshop, held on the afternoon of August 24, 2023, as part of the IAM4NFDI Community Events. The purpose of these events is to disseminate fundamental Identity and Access Management (IAM) knowledge related to the goal of a common NFDI AAI, to provide information on the various facets of the Basic Service, and to gather valuable feedback. The workshop started with an introduction and recap to set the context for the workshop's objectives and to inform all participating consortia on the state of the considerations and developments. In the Community-AAI (CAAI) Solutions part, the workshop delved into the concepts surrounding Community-AAI solutions, specifically focusing on the architecture of the NFDI-AAI. A further segment discussed the notion of Community-AAI as a service, exploring its implications and benefits within the context of the IAM framework. Four different implementations and frameworks were presented. This was followed by a field report detailing the integration of Research Data Management Organizers (RDMO) into the IAM system. In the second part of the workshop, participants were briefed on crucial considerations and awareness points when operating a Community-AAI system. A further segment covered authorization and Virtual Organization (VO) management within the Community-AAI framework. At the end, insights and experiences from operators of Community-AAI systems were shared, providing valuable real-world perspectives.

Up to now the architecture of the system, the attributes that define it, an initial set of policies, and initial documentation are available, all of which can be accessed online.

DataPLANT finds itself in an intermediate position: it has already implemented authentication and authorization mechanisms through the Life Science and ORCID Authentication and Authorization Infrastructures (AAIs), and it also offers additional modules catering to user self-service functionalities. Several services already make use of these infrastructures. Thus, certain points necessitate clarification in relation to DataPLANT's current state and its alignment within the broader NFDI IAM landscape. A primary concern is how the existing DataPLANT AAI framework can seamlessly integrate with the IAM framework proposed by the NFDI IAM Working Group. The question here is: what adjustments or enhancements are needed to ensure that DataPLANT's AAI framework is directly compatible with the suggested IAM architecture? Alternatively, there is the consideration of potentially replacing the DataPLANT AAI solution with an externally supported solution provided by the NFDI. This would aim to achieve similar outcomes while adhering to the standardized IAM approach endorsed by the NFDI.

In a broader scope, the goals of the NFDI IAM Working Group encompass fostering the adoption of IAM concepts across consortia. This entails enabling users both within and outside the community to perform certain actions and access resources seamlessly. This scope revolves around establishing clear access management practices and facilitating robust accounting mechanisms. A plan needs to be devised to extend user information and attributes, particularly affiliation details, for purposes like accounting and reporting. This would involve obtaining and integrating additional data points beyond basic contact information. When it comes to managing entitlements and attributes, especially in the context of access control and accounting, a comprehensive strategy needs to be defined. This involves attaching specific information to individual users that grants them the authorization to use particular resources, and it requires careful consideration to ensure proper access management and effective resource allocation. The connectivity of various Identity Providers (IDPs) to the systems is another significant aspect. Depending on the services available within NFDI-IAM, these connections could occur either at the NFDI-IAM level or at the DataPLANT Keycloak level.

In summary, DataPLANT stands at a juncture where its existing AAI framework needs to be aligned with the vision put forth by the NFDI IAM Working Group. This entails exploring compatibility options, potential replacements, and the broader goals of standardized IAM practices. The path forward involves addressing aspects like extended user information, entitlements management, attribute customization, and the integration of multiple IDPs.