AAI Report

The AAI Report is the result of the work of invited experts organized in four inter-university working groups established in late 2001 according to the AAI-Concept.

AAI-Report, v1.0a, July 2002 [PDF, 72 pages, 480 kByte]

Management Summary

The longstanding tradition of collaboration amongst the institutions of higher education in Switzerland has produced some achievements that matter in the context of this report, notably standards in the form of a uniform access policy for these institutions. The processes implementing that access policy are, however, mostly paper-based. This severely hampers the deployment of networked resources that require some form of authorization, be it proof of membership, academic degree or role. Therefore, an inter-university study group published a report in September 2001 proposing a roadmap to develop and implement an Authentication and Authorization Infrastructure (AAI) for the higher education community in Switzerland (the AAI-concept).

SWITCH took on the task of implementing the 'preparatory study' phase outlined in the AAI-concept and invited specialists from the Swiss higher education community to work on the organizational, technical, legal and financial issues of such an infrastructure. The present report constitutes the final report of the 'preparatory study' phase. A close examination of the various aspects of authentication and authorization has shown that feasible solutions with real benefits are available, mainly in enabling student mobility, improving the protection of valuable information, supporting nomadic users, increasing user convenience and using IT resources efficiently. There are also considerable risks in not building an AAI, such as growing registration overhead due to increased mobility, or isolation because resources cannot be accessed from remote locations.

The main findings of the study are:

  • Two promising architectures of an AAI were identified: PAPI (RedIRIS, Spain) and Shibboleth (Internet2). Both of them have been developed for a large academic community and are promising enough to go into an extensive test and pilot phase, although they do not fulfill all evaluation criteria. The main functionalities of these architectures are authentication and authorization of web access. Other functionalities, like document signing and encryption can be added in a later release of the AAI.
  • The AAI can be well integrated into existing processes of participating institutions, like the registration process for students or employees. Institutions may stay responsible for authenticating their users and Resource Owners may keep full control of their resources and access rights.
  • The AAI will be able to interface with existing systems such as user databases and authentication systems. Institutions may select the authentication technology by themselves and are not forced to implement any PKI or smart-card-based authentication solution as a preliminary requirement to participate.
  • The main legal issues are data protection and abuse. A legal framework has been worked out which solves these issues between the institutions, service providers, and users.
  • A detailed cost estimation of an AAI implementation has proved impossible at this stage. First, the final architecture has to be selected and experience has to be gained with pilot implementations. The costs of the pilot projects will essentially be staff costs. Since the participating organizations, including SWITCH, are willing to pay for their own projects, the financing of this next phase is guaranteed.
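The findings above describe a division of responsibilities: each institution authenticates its own users against its own systems, while the Resource Owner keeps full control over who may access a resource, and the AAI only carries proof of membership, degree or role between the two. The following Python sketch is an added illustration of that model; it is not code from the report, nor from PAPI or Shibboleth, and it replaces those architectures' own token formats with a simplified HMAC-signed JSON assertion keyed per home organisation. All organisations, users, passwords and resource policies are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

ASSERTION_TTL = 300  # seconds an issued assertion stays valid (hypothetical value)


def hash_pw(password, salt):
    """Salted password hash for the home organisation's own user directory."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _user(password, affiliation, degree=None):
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_pw(password, salt),
            "affiliation": affiliation, "degree": degree}


# Constructed federation: every home organisation keeps its own user directory
# (the institution stays responsible for authentication) and shares one signing
# key with the resource owner so that its assertions can be verified.
HOME_ORGS = {
    "uni-a.example": {
        "key": b"uni-a-shared-secret (constructed)",
        "users": {"alice": _user("correct horse", "student"),
                  "bob": _user("battery staple", "staff", degree="PhD")},
    },
    "uni-b.example": {
        "key": b"uni-b-shared-secret (constructed)",
        "users": {"carol": _user("pw-carol", "student")},
    },
}

# The resource owner's own access rules: attribute values that open a resource.
RESOURCE_POLICY = {
    "library-db": {"affiliation": {"student", "staff"}},   # any federated member
    "course-admin": {"affiliation": {"staff"}, "org": {"uni-a.example"}},
}


def issue_assertion(org_id, username, password, now=None):
    """Home organisation: authenticate locally, then issue a signed attribute assertion."""
    org = HOME_ORGS[org_id]
    user = org["users"].get(username)
    if user is None or not hmac.compare_digest(
            hash_pw(password, user["salt"]), user["pw_hash"]):
        return None  # authentication failed; nothing leaves the home organisation
    now = int(now if now is not None else time.time())
    payload = {"org": org_id, "user": username, "affiliation": user["affiliation"],
               "degree": user["degree"], "iat": now, "exp": now + ASSERTION_TTL}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(org["key"], body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_assertion(token, now=None):
    """Resource owner: check origin, integrity and freshness before trusting attributes."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        payload = json.loads(body)
        org = HOME_ORGS.get(payload["org"]) if isinstance(payload, dict) else None
    except (ValueError, TypeError, KeyError):
        return None, "malformed assertion"
    if org is None:
        return None, "unknown home organisation"
    expected = hmac.new(org["key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    if payload.get("exp", 0) < (now if now is not None else time.time()):
        return None, "assertion expired"
    return payload, "ok"


def authorize(token, resource, now=None):
    """Resource owner: apply its own policy to the verified attributes."""
    payload, reason = verify_assertion(token, now)
    if payload is None:
        return False, reason
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, "unknown resource"
    for attr, allowed in policy.items():
        value = payload.get(attr)
        if value not in allowed:
            return False, f"{attr}={value!r} not permitted for {resource}"
    return True, "ok"


if __name__ == "__main__":
    token = issue_assertion("uni-a.example", "alice", "correct horse")
    print(authorize(token, "library-db"))     # (True, 'ok')
    print(authorize(token, "course-admin"))   # (False, "affiliation='student' ...")
```

The point of the split is visible in the two halves: issue_assertion never reveals the password hash or the directory to the resource owner, and authorize never needs to know how the home organisation authenticated the user; it only trusts attributes whose signature, origin and expiry it has checked, and then applies rules it owns.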

Recommendation

The project team recommends building a virtual AAI organization across the participating institutions and immediately starting a pilot phase in order to obtain

  • practical experience with pilot implementations which is to lead to the final selection of the AAI architecture;
  • more detailed results covering the organizational and technical issues;
  • a more in-depth cost estimation for the implementation phase.

As many organizations as possible should be brought into the pilot phase so as to secure their active interest in the project.

By the end of the pilot phase, the legal framework between all parties involved has to be in place. Until all the legal instruments are in place, a Letter of Intent (LoI) should be signed in order to have a sufficient legal basis for starting the pilot projects.

Contributors during this phase of the project were:

Name                            Organisation(s)
------------------------------  ------------------------------------------------------
Nicole Beranek Zanon            SWITCH
Thomas Brunner                  SWITCH
Dr. Andreas Dudler              Präsident SWITCH; Informatikdienste ETH Zürich
Christoph Graf                  SWITCH
Gerhard Hassenstein             Berner Fachhochschule
Daniela Isch                    at rete ag
Dr. Pascal Jacot-Guillarmod     Université de Lausanne
Dr. Maximilian Jäger            Universität Zürich
Thomas Jordan                   Universität St. Gallen
Andreas Kirstein                ETH-Bibliothek
Claude Lecommandeur             École Polytechnique Fédérale de Lausanne
Thomas Lenggenhager             SWITCH
Wolfgang Lierz                  ETH-Bibliothek
Gérald Litzistorf               École d'ingenieurs de Genève
Dr. Jacques Monnard             Swiss Virtual Campus
Dr. Wolfram Neubauer            ETH-Bibliothek
Wolfgang Nötzli                 at rete ag
André Redard                    at rete ag
Dr. Alexandre Roy               Université de Lausanne
Alberto Salerno                 at rete ag
Dr. Markus Schaad               at rete ag
Dr. Stephane Spahni             Hôpitaux Universitaires de Genève; Nice Computing
Jürg Sperry                     Universität St. Gallen
Marc-Alain Steinemann           Universität Bern
Alexander Sutter                Universität Bern
Elsa Sutter                     Universität Basel
Dr. Constantin Tönz             SWITCH
Dr. Hans Rudolf Trüeb           Prager Dreifuss
Gerhard Tschantre               Universität Bern
Prof. Maia Wentland Forte       Université de Lausanne