Published May 12, 2025 | Version March 2025
Publication Open

EOSC AAI Architecture 2025

  • 1. GÉANT
  • 2. SUNET
  • 3. EGI Foundation
  • 4. NORDUnet
  • 5. Istituto Nazionale di Fisica Nucleare
  • 6. Maastricht University
  • 7. National Institute for Subatomic Physics
  • 8. Karlsruhe Institute of Technology
  • 9. Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
  • 10. Poznan Supercomputing and Networking Center
  • 11. National Infrastructures for Research and Technology - GRNET S.A
  • 12. European Organization for Nuclear Research

Description

This document presents recommendations for the initial implementation of the EOSC AAI Federation, offering background on prior work and summarising recent advancements, including updates to the AARC Blueprint Architecture.

AAI implementers who wish to go directly to the technical requirements may refer to the “Implementation” section, while those interested in the rationale behind the architectural choices are encouraged to also read the “Background Information” section.

The overarching goal of the EOSC AAI Federation is to eventually support a full-mesh, dynamic topology without introducing a centralised component into the European AAI ecosystem. However, current technological constraints — particularly those associated with OpenID federation — limit the feasibility of such a model.

The work required at the architecture level will certainly extend beyond 2025, while efforts at the tooling and policy levels have yet to begin. This gap has been recognised in the EOSC AAI WG, and a clear decision has been made: although work towards the desired final architecture should continue without delay, we need to provide practical solutions that support the needs of today.

More specifically, the high-priority requirements identified are enabling SSO across the first wave of EOSC Nodes that will form the EOSC Federation, and executing workflows that use resources across multiple Nodes.

The design for this first implementation is guided by three core principles:

  • Defining the minimum set of requirements;
  • Prioritising the simplest possible component configuration; and
  • Ensuring the solution is implementable with today’s technology.

To establish a solid foundation and deliver the essential functionality of the EOSC AAI Federation, several architectural and technical decisions have been made. These are detailed in the Implementation section and include, among others, the delegation of logic away from proxies, the adoption of OpenID Connect and OAuth2 as core protocols, and the integration of MyAccessID.

This document is intended as a practical guide for candidate EOSC Nodes, outlining the steps necessary to connect with the EOSC AAI Federation. In the EOSC model, Nodes act as the primary integration points for services, as described in the EOSC Federation Handbook [EOSC-Handbook]; services are onboarded to individual Nodes rather than directly to the Federation.

Connecting a Node and its services to the Federation requires specific capabilities - such as an Infrastructure Proxy, Community AAI, or the use of a unified Identity Layer. These are detailed in the section “EOSC Node Federated AAI Requirements”.

Where possible, we offer alternative solutions to accommodate legal, technical, or organisational constraints that may prevent Nodes from fully adopting the recommended setup.

Files

EOSC AAI Architecture 2025 - March 2025.pdf (2.5 MB)
md5:a7569d85b365173d4bda5c06ec126770

Additional details

Funding

European Commission
AARC TREE – Authentication and Authorisation for Research Collaboration Technical Revision to Enhance Effectiveness 101131237