The GÉANT AA Framework
A robust authentication and authorisation solution for software development in the GÉANT project
Software Development Environments
The network services delivered by the GÉANT project are developed by teams of specialist networking and software engineers. These teams are aided by software environments, platforms and best-practice guidelines that support and guide the engineers in their service development work. This helps to ensure that software applications and services are developed to optimum quality, functionality and security, assuring that NRENs and their academic and research users receive high-quality, secure services.
GÉANT AA Framework Explained
The Authentication and Authorisation (AA) framework addresses security issues for a number of different GÉANT multi-domain network services in the GÉANT Service Area. It provides software developers in the GÉANT project, for example those developing the cNIS, AutoBAHN and I-SHARe tools, with a common and flexible authentication and authorisation solution that simplifies their software development process. It also lets them leave maximum control over authorisation decisions with the web resource provider. Such authorisation decisions typically cover attribute and role entitlements.
The GÉANT AA Framework implementation builds on existing frameworks, industry standards and best practices in order to avoid re-inventing the wheel and to take advantage of their extensible design. It is Java-based, making use of the Spring Security Framework, the Crowd integration library, the OIOSAML.java library and Maven.
The architecture of the AA Framework
The current AA Framework implementation allows developers to make their own choice of Authentication Providers, User Attributes Providers and ACL services to use: the diagram below shows the options offered to the service developers.
Implementation choices available for developers
Taking care of security
The AA Framework provides a simple and configurable authentication and authorisation solution for software developers. Its plug-in based, extensible design makes it suitable for meeting the varied needs of several services in the GÉANT Service Area. In this way, the software developers can focus on the core functionality of their service, leaving the security aspects to the AA Framework.
Currently, the AutoBAHN provisioning tool and the I-SHARe workflow tool use the AA Framework in their architecture.
- AutoBAHN uses the XML Authentication and User Attributes Providers.
- I-SHARe uses the Crowd Authentication and User Attributes Providers.
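To make the plug-in design concrete, here is an added, hypothetical Java sketch (not the AA Framework's own code or API) of the three separable concerns named above, Authentication Provider, User Attributes Provider and ACL service, with a constructed in-memory stand-in for an XML-backed provider and a role-based ACL that stays under the resource provider's control. All class, user, role and resource names are invented for the illustration.

```java
import java.util.*;

// Hypothetical illustration of the plug-in design described above; not the framework's own API.
// Each concern is its own interface, so a service swaps XML- or Crowd-backed providers freely.
interface AuthenticationProvider { boolean authenticate(String user, String secret); }
interface UserAttributesProvider { Set<String> rolesOf(String user); }
interface AclService { boolean isPermitted(Set<String> roles, String resource, String action); }

// Constructed in-memory stand-in for an XML users file (a real one would read the XML
// and verify a hashed credential, or delegate to Crowd).
class XmlStyleProvider implements AuthenticationProvider, UserAttributesProvider {
    private final Map<String, String> secrets = new HashMap<>();
    private final Map<String, Set<String>> roles = new HashMap<>();
    void addUser(String u, String s, String... r) { secrets.put(u, s); roles.put(u, new HashSet<>(Arrays.asList(r))); }
    public boolean authenticate(String user, String secret) {
        return secret != null && secret.equals(secrets.get(user));
    }
    public Set<String> rolesOf(String user) {
        return roles.getOrDefault(user, Collections.emptySet());
    }
}

// The ACL table belongs to the resource provider, which keeps control of the decision.
class RoleAcl implements AclService {
    private final Map<String, Set<String>> allowed = new HashMap<>(); // "resource:action" -> roles
    void permit(String resource, String action, String role) {
        allowed.computeIfAbsent(resource + ":" + action, k -> new HashSet<>()).add(role);
    }
    public boolean isPermitted(Set<String> roles, String resource, String action) {
        Set<String> needed = allowed.getOrDefault(resource + ":" + action, Collections.emptySet());
        return !Collections.disjoint(needed, roles); // no entry means deny by default
    }
}

// What a web filter would run per request: authenticate, fetch entitlements, consult the ACL.
public class AaDemo {
    static String decide(AuthenticationProvider auth, UserAttributesProvider attrs, AclService acl,
                         String user, String secret, String resource, String action) {
        if (!auth.authenticate(user, secret)) return "401 unauthenticated";
        return acl.isPermitted(attrs.rolesOf(user), resource, action) ? "200 allowed" : "403 forbidden";
    }
    public static void main(String[] args) {
        XmlStyleProvider xml = new XmlStyleProvider();
        xml.addUser("alice", "s3cret", "ROLE_OPERATOR");
        xml.addUser("bob", "pa55", "ROLE_VIEWER");
        RoleAcl acl = new RoleAcl();
        acl.permit("/circuits", "read", "ROLE_VIEWER");
        acl.permit("/circuits", "reserve", "ROLE_OPERATOR");
        System.out.println(decide(xml, xml, acl, "bob", "pa55", "/circuits", "reserve"));
        System.out.println(decide(xml, xml, acl, "alice", "s3cret", "/circuits", "reserve"));
        System.out.println(decide(xml, xml, acl, "eve", "x", "/circuits", "read"));
    }
}
```

Swapping XmlStyleProvider for a Crowd-backed implementation of the same two interfaces, as I-SHARe does, leaves decide() and the ACL untouched, which is the point of the separation.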
There are a number of other GÉANT services and applications that are potential users of the AA framework:
- LHCOPN Portal
- GÉANT Mail Archives
- GÉANT Tools Portal