AAI Report
The AAI Report is the result of the work of invited experts organized in four inter-university working groups established in late 2001 according to the AAI-Concept.
AAI-Report, v1.0a, July 2002 [PDF, 72 pages, 480 kByte]
Management Summary
The longstanding tradition of collaboration amongst the institutions of higher education in Switzerland has produced an achievement that is important in the context of this report: a uniform access policy, shared as a standard across these institutions. The processes that implement this access policy are, however, mostly paper-based. This severely hampers the deployment of networked resources that require some form of authorization, be it proof of membership, of an academic degree or of a role. An inter-university study group therefore published a report in September 2001 proposing a roadmap for developing and implementing an Authentication and Authorization Infrastructure (AAI) for the higher education community in Switzerland (the AAI-concept).
SWITCH took on the task of implementing the 'preparatory study' phase outlined in the AAI-concept and invited specialists from the Swiss higher education community to work on the organizational, technical, legal and financial issues of such an infrastructure. The present report is the final report of the 'preparatory study' phase. A close examination of various aspects of authentication and authorization has shown that feasible solutions with real benefits are available, mainly in enabling student mobility, improving the protection of valuable information, supporting nomadic users, increasing user convenience and making efficient use of IT resources. Not building an AAI also carries considerable risks, such as growing registration overhead due to increased mobility, or isolation because resources cannot be accessed from remote locations.
The main findings of the study are:
- Two promising AAI architectures were identified: PAPI (RedIRIS, Spain) and Shibboleth (Internet2). Both were developed for a large academic community and are promising enough to enter an extensive test and pilot phase, although neither fulfills all evaluation criteria. The main functionality of both architectures is authentication and authorization of web access. Other functionality, such as document signing and encryption, can be added in a later release of the AAI.
- The AAI can be well integrated into existing processes of participating institutions, like the registration process for students or employees. Institutions may stay responsible for authenticating their users and Resource Owners may keep full control of their resources and access rights.
- The AAI will be able to interface with existing systems such as user databases and authentication systems. Institutions may select the authentication technology by themselves and are not forced to implement any PKI or smart-card-based authentication solution as a preliminary requirement to participate.
- The main legal issues are data protection and abuse. A legal framework has been worked out which solves these issues between the institutions, service providers, and users.
- A detailed cost estimate for an AAI implementation has proved impossible at this stage. First the final architecture has to be selected and experience gained with pilot implementations. The costs of the pilot projects will essentially be staff costs. Since the participating organizations, including SWITCH, are willing to fund their own projects, the financing of this next phase is guaranteed.
Recommendation
The project team recommends building a virtual AAI organization across the participating institutions and immediately starting a pilot phase in order to obtain
- practical experience with pilot implementations which is to lead to the final selection of the AAI architecture;
- more detailed results covering the organizational and technical issues;
- a more in-depth cost estimation for the implementation phase.
As many organizations as possible should be brought into the pilot phase so as to secure their active interest in the project.
Until the end of the pilot phase, the legal framework between all parties involved has to be implemented. Until all the legal instruments are in place, a Letter of Intent (LoI) should be signed in order to have a sufficient legal basis to start with the pilot projects.
Contributors during this phase of the project were:
| Name | Organisation(s) |
|---|---|
| Nicole Beranek Zanon | SWITCH |
| Thomas Brunner | SWITCH |
| Dr. Andreas Dudler | Präsident SWITCH; Informatikdienste ETH Zürich |
| Christoph Graf | SWITCH |
| Gerhard Hassenstein | Berner Fachhochschule |
| Daniela Isch | at rete ag |
| Dr. Pascal Jacot-Guillarmod | Université de Lausanne |
| Dr. Maximilian Jäger | Universität Zürich |
| Thomas Jordan | Universität St. Gallen |
| Andreas Kirstein | ETH-Bibliothek |
| Claude Lecommandeur | École Polytechnique Fédérale de Lausanne |
| Thomas Lenggenhager | SWITCH |
| Wolfgang Lierz | ETH-Bibliothek |
| Gérald Litzistorf | École d'ingénieurs de Genève |
| Dr. Jacques Monnard | Swiss Virtual Campus |
| Dr. Wolfram Neubauer | ETH-Bibliothek |
| Wolfgang Nötzli | at rete ag |
| André Redard | at rete ag |
| Dr. Alexandre Roy | Université de Lausanne |
| Alberto Salerno | at rete ag |
| Dr. Markus Schaad | at rete ag |
| Dr. Stephane Spahni | Hôpitaux Universitaires de Genève; Nice Computing |
| Jürg Sperry | Universität St. Gallen |
| Marc-Alain Steinemann | Universität Bern |
| Alexander Sutter | Universität Bern |
| Elsa Sutter | Universität Basel |
| Dr. Constantin Tönz | SWITCH |
| Dr. Hans Rudolf Trüeb | Prager Dreifuss |
| Gerhard Tschantre | Universität Bern |
| Prof. Maia Wentland Forte | Université de Lausanne |