The NHR Community AAI, based on the CAAI software RegApp developed at KIT, allows users of NHR resources to log in to the NHR services using their home institution's own account. The implementation was carried out together with the HPC and IDM teams at the IT Center of RWTH Aachen University, where the project lifecycle tool "JARDS" for NHR is also operated. In the first step, JARDS will be connected to the single sign-on infrastructure so that local accounts no longer need to be managed. In future, users will be able to log in with the credentials of their home institution, via ORCID or other social accounts, and seamlessly access connected services after a single login. The Community AAI offers project managers centralized and secure management of projects, roles and access.
The portal can be accessed at login.nhr-verein.de and is operated as a client of the Karlsruhe RegApp infrastructure.
What is a Community AAI?
A Community AAI (Authentication and Authorization Infrastructure) is the joint login and rights management platform of a specialist or project community. It bundles identities from different sources (e.g. home institutions, ORCID, guest or social accounts) and provides uniform, secure access to the services of the community. RegApp is a CAAI software that has been developed at the SCC for more than 15 years and is operated jointly for various federations (e.g. bwIDM, NFDI, NHR).
What does a CAAI do?
- Uniform login (single sign-on): Login with the account of the home institution, ORCID or other approved identity sources; log in once, use multiple services.
- Federation and mediation: Connection of many identity providers and services via standards such as SAML and OpenID Connect; optional integration via eduGAIN.
- Identity consolidation: Linking multiple accounts of one person, assigning stable identifiers and managing the level of assurance.
- Authorization and roles: Central administration of roles, groups, projects and authorizations (entitlements) for access to applications and resources.
- Lifecycle management: Onboarding, verification (e.g. by e-mail), assignment to projects, automatic provisioning/deprovisioning of access and resources at the start, change or end of a project.
- Security and compliance: Support for multi-factor authentication (if available at the respective IdP), consent and attribute release management, logging and auditing, data-minimizing attribute release.
- Service integration: Standardized interfaces and processes for onboarding new services, central attribute provisioning and policy enforcement.
- Self-service and operation: User and project self-service (e.g. profile, account linking, invitations), helpdesk support and highly available, scalable operating processes.
What added value does a CAAI offer?
A Community AAI creates added value for everyone: users receive fast and uniform access to all connected services with a single login instead of multiple passwords; service providers reduce integration effort, benefit from consistent identity attributes and centralized security and consent processes; administration and community benefit from transparent role and project control, automated provisioning and deprovisioning, traceable audits and better compliance.
