The Next Generation AAF
About the Next Gen AAF Project
The project will deliver next generation Australian Access Federation (AAF) infrastructure and products to make national and international research collaboration easier and more accessible than ever. Through a program of activities the project will:
- Enhance the AAF’s tools and services to facilitate collaborative research and enable improved connections between research groups and government organisations.
- Extend our existing software infrastructure to meet the expanding authentication requirements of Australia’s National Collaborative Research Infrastructure Strategy (NCRIS), and of research and education organisations connected to the AAF.
- Develop new solutions that will make joining the AAF simpler and reduce maintenance effort for current subscribers.
The project commenced in July 2015 and will run through until December 2016. Work is divided into three major activity streams:
Activity 1 – Government Requirements for AAF Participation
Many government departments and agencies must use suppliers who have implemented the Australian Signals Directorate’s (ASD) Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) requirements. Under this activity the project team will:
- Identify ASD-compliant infrastructure providers and migrate AAF’s core services to the preferred infrastructure platform.
- Determine which PSPF and ISM requirements relate to AAF and begin working toward compliance.
- Remove barriers preventing a broader group of non-academic and government researchers from accessing eResearch infrastructure connected to the federation.
- Improved security through hardened infrastructure.
Activity 1 is expected to finish in November 2016, though work to align policies and practices to the framework will continue through 2017.
Activity 2 – Next Generation Software Extensions
These software extensions will enhance the AAF’s infrastructure underpinning the authentication needs of the NCRIS capabilities and the growing number of eResearch connected organisations. Under this activity the project team will:
- Develop and release the next generation Discovery Service.
- Develop and release the next generation Reporting Service.
- Pilot a RADIUS-based authentication extension to enable non-web-based authentication through the federation.
- Improved user experience and user interfaces across an expanded range of devices.
- Foundation laid for international federation connectivity and access to non-web protocols such as Enhanced Client or Proxy (ECP) in the next generation Discovery Service (DS).
- Improved utilisation statistics that provide detailed information to service provider and identity provider operators.
These activities will operate on the enhanced infrastructure implemented as part of Activity 1.
The next generation Discovery and Reporting Services went live in January 2016. AAF worked with Intersect and AARNet to develop a RADIUS extension for the federation. AAF will assess the outputs from this proof of concept to expand authentication options for non-web-based applications.
Activity 3 – Hosted Identity Provider
Connecting to the federation has traditionally meant investments in skill development and infrastructure for IT departments. This can be a significant issue — especially for smaller organisations. The project team will develop a Hosted Identity Provider (IdP) which will simplify connection to the federation for new subscribers, and remove much of the setup and maintenance burden from IdP administrators.
- Reduced setup complexity and learning curve means subscribers will be able to connect to the federation and access connected services faster.
- Subscribers won’t need to deploy extra infrastructure to connect to the federation.
- Significantly reduced need for specialised IT skills currently required for infrastructure connection and maintenance.
- Faster response to security threats through the centralised deployment of patches and updates.
Development work will be complete in December 2016 for a product launch in 2017.
Next Generation AAF Roadmap
What has happened with the Next Gen Project so far?
Activity 1 - Government Requirements for AAF Participation
- AAF core services have been successfully migrated to an Australian Signals Directorate compliant infrastructure provider. Amazon Web Services (AWS) was selected based on their strong product offering and Australian data centre locations.
- The project team have reviewed AAF’s current practices against the ASD framework and agreed the priorities and scope with the Steering Committee.
- The project team is documenting scoped processes required for the Information Security Management System.
Activity 2 - Next Generation Software Extensions
- The Discovery Service is complete and was released in the production federation in January 2016.
- The Reporting Service is complete and was released in the production federation in January 2016.
- In August 2016, a proof-of-concept RADIUS to ECP gateway enabled users from three different ECP-enabled Identity Providers to access a Linux server using their AAF credentials. We’re reviewing the prototype to understand its strengths and shortcomings and determine the next steps.
Activity 3 - Hosted Identity Provider
- The project team have documented requirements through consultation with a number of organisations that have expressed interest in using the Hosted IdP service.
- A technical architecture and design is complete.
- The core functionality has been developed. In July 2016 the project team completed a successful test of a Hosted IdP instance. This basic IdP can participate in the development federation and authenticate to both Shibboleth and Rapid Connect Service Providers.
- Preliminary development is nearing completion with the first Hosted IdP instance expected to join the Test Federation in November.
What are the next steps for the project?
- Create or revise policies and procedures to bring AAF’s operations into closer alignment with the ASD security framework (Activity 1).
- Complete development and test the Hosted IdP in the Test Federation (Activity 3).
- The project will close in January 2017 before commencing an Early Adopter Program in February.
If you have any questions or suggestions about the project, contact John Scullen (Project Manager).