AAF logo search

The Next Generation AAF

About the Next Gen AAF Project

The project will deliver next generation Australian Access Federation (AAF) infrastructure and products to make national and international research collaboration easier and more accessible than ever. Through a program of activities the project will:

The project commenced in July 2015 and will run through until December 2016. Work is divided into three major activity streams:

Activity 1 – Government Requirements for AAF Participation

Many government departments and agencies must use suppliers who have implemented the Australian Signals Directorate’s (ASD) Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) requirements. Under this activity the project team will:

  1. Identify ASD-compliant infrastructure providers and migrate AAF’s core services to the preferred infrastructure platform.
  2. Determine which PSPF and ISM requirements relate to AAF and begin working toward compliance.

Key Benefits

Activity 1 is expected to finish in November 2016, though work to align policies and practices to the framework will continue through 2017.

Activity 2 – Next Generation Software Extensions

These software extensions will enhance the AAF’s infrastructure underpinning the authentication needs of the NCRIS capabilities and the growing number of eResearch connected organisations. Under this activity the project team will:

  1. Develop and release the next generation Discovery Service.
  2. Develop and release the next generation Reporting Service.
  3. Pilot a RADIUS-based authentication extension to enable non-web-based authentication through the federation.

Key Benefits

These activities will operate on the enhanced infrastructure implemented as part of Activity 1.

The next generation Discovery and Reporting Services went live in January 2016. AAF worked with Intersect and AARNet to develop a RADIUS extension for the federation. AAF will assess the outputs from this proof of concept to expand authentication aptions for non-web-based applications.

Activity 3 – Hosted Identity Provider

Connecting to the federation has traditionally meant investments in skill development and infrastructure for IT departments. This can be a significant issue — especially for smaller organisations. The project team will develop a Hosted Identity Provider (IdP) which will simplify connection to the federation for new subscribers, and remove much of the setup and maintenance burden from IdP administrators.

Key Benefits

Development work will be complete in December 2016 for a product launch in 2017.

Next Generation AAF Roadmap


promo image










What has happened with the Next Gen Project so far?

  1. Activity 1 - Government Requirements for AAF Participation

    • AAF core services have been successfully migrated to an Australian Signals Directorate compliant infrastructure provider. Amazon Web Services (AWS) was selected based on their strong product offering and Australian data centre locations.
    • The project team have reviewed AAF’s current practices against the ASD framework and agreed the priorities and scope with the Steering Committee.
    • The project team is documenting scoped processes required for the Information Security Management System.
  2. Activity 2 - Next Generation Software Extensions
    • The Discovery Service is complete and was released in the production federation in January 2016.
    • The Reporting Service is complete and was released in the production federation in January 2016
    • In August 2016, a proof-of-concept RADIUS to ECP gateway enabled users from three different ECP-enabled Identity Providers to access a Linux server using their AAF credentials. We’re reviewing the prototype to understand its strengths and shortcomings and determine the next steps.
  3. Activity 3 - Hosted Identity Provider
    • The project team have documented requirements through consultation with a number of organisations that have expressed interest in using the Hosted IdP service.
    • A technical architecture and design is complete.
    • The core functionaltiy has been developed. In July 2016 the project team completed a successful test of a Hosted IdP instance. This basic IdP can particpate in the development federation and authenticate to both Shibboleth and Rapid Connect Service Providers.
    • Preliminary development is nearing completion with the first Hosted IdP instance expected to join the Test Federation in November.

What are the next steps for the project?

If you have any questions or suggestions about the project, contact John Scullen (Project Manager).