Inferring and constructing origin-affiliation information across infrastructures (AARC G057)
Conveying affiliation information from origin providers across infrastructure proxies as defined in G025 is only
possible if the origin identity provider releases such information. In case no eduPersonScopedAffiliation is
provided, it may be partially reconstructed according to these guidelines. If there is no reliable way to infer origi
Guidelines for Secure Operation of Attribute Authorities and other issuers of access-granting statements
These guidelines describe the minimum requirements and recommendations for the secure operation of Attribute Authorities and similar services providing statements for the purpose of obtaining access to infrastructure services. Stated compliance with these guidelines may help to establish trust between issuers and Relying Parties. This document does not define an accreditation process
Implementers Guide to the WISE Baseline Acceptable Use Policy
Applying the Baseline AUP to concrete use cases may appear straightforward, but there are many edge cases and specific circumstances where it is not entirely obvious how to both achieve the aim of user-friendliness as well as be complete and practical. In this write-up, we try to give hints how to use the WISE Baseline AUP in practice in both community-first as well as ‘user-first’ membership management services
Guidelines for Secure Operation of Attribute Authorities and issuers of statements for entities (G071)
These guidelines describe the minimum requirements and recommendations for the secure operation of attribute authorities and similar services that make statements about an entity based on well-defined attributes. Adherence to these guidelines may help to establish trust between communities, operators of attribute authorities and issuers, and Relying Parties, infrastructures, and service providers. This document does not define an accreditation process
AARC Blueprint Architecture 2019
The AARC Blueprint Architecture (BPA) provides a set of building blocks for software architects and technical decision makers who are designing and implementing access management solutions for international research collaborations. This document describes the evolution of the AARC Blueprint Architecture, starting with a summary of the changes since AARC-BPA-2017. The current iteration of the BPA focuses on the interoperability aspects, to address an increasing number of use cases from research communities requiring access to federated resources offered by different research and e-Infrastructures. Hence the introduction of the Community AAI, which streamlines researchers’ access to services. These typically include services offered to members of a specific community, as well as infrastructure services that may be shared with other communities. Users can authenticate to the Community AAI primarily via institutional credentials from national identity federations in eduGAIN, but, if permitted by the community, can also use other Identity Providers
EOSC AAI Architecture 2025 : Implementation of the EOSC AAI Federation
This document presents recommendations for the initial implementation of the EOSC AAI Federation, offering background on prior work and summarising recent advancements, including updates to the AARC Blueprint Architecture.
AAI implementers who wish to go directly to the technical requirements may refer to the “Implementation” section, while those interested in the rationale behind the architectural choices are encouraged to also read the “Background Information” section.
The overarching goal of the EOSC AAI Federation is to eventually support a full-mesh, dynamic topology without introducing a centralised component into the European AAI ecosystem. However, current technological constraints — particularly those associated with OpenID federation — limit the feasibility of such a model.
The work required at the architecture level will certainly extend beyond 2025, while efforts at the tooling and policy levels have yet to begin. This gap has been recognised in the EOSC AAI WG and there has been a clear decision that although the work towards the desired final architecture should continue without any delays, we need to provide practical solutions that can support the needs of today.
To be more specific, the high priority requirements recognised are the needs for enabling SSO across the first wave of EOSC Nodes that will be forming the EOSC Federation and executing workflows that utilise resources across multiple Nodes.
The design for this first implementation is guided by three core principles:
Defining the minimum set of requirements;
Prioritising the simplest possible component configuration; and
Ensuring the solution is implementable with today’s technology.
To establish a solid foundation and deliver the essential functionality of the EOSC AAI Federation, several architectural and technical decisions have been made. These are detailed in the Implementation section and include, among others, the delegation of logic away from proxies, the adoption of OpenID Connect and OAuth2 as core protocols, and the integration of MyAccessID.
This document is intended as a practical guide for candidate EOSC Nodes, outlining the steps necessary to connect with the EOSC AAI Federation. In the EOSC model, Nodes act as the primary integration points for services as it is described in the EOSC Federation Handbook [EOSC-Handbook]; services are onboarded to individual Nodes rather than directly to the Federation.
Connecting a Node and its services to the Federation requires specific capabilities - such as an Infrastructure Proxy, Community AAI, or the use of a unified Identity Layer. These are detailed in the section “EOSC Node Federated AAI Requirements”.
Where possible, we offer alternative solutions to accommodate legal, technical, or organisational constraints that may prevent Nodes from fully adopting the recommended setup
EOSC Authentication and Authorization Infrastructure (AAI) : Report from the EOSC Executive Board Working Group (WG) Architecture AAI Task Force (TF)
The EOSC Architecture Working Group has assigned the AAI Task Force (AAI TF) the task to establish a common global ecosystem for identity and access control infrastructures for the European Open Science Cloud (EOSC). Since the EOSC is part of an international environment of research and education, the principles established by the EOSC AAI subtask must be globally viable. The EOSC AAI TF has produced a set of deliverables: - EOSC AAI First Principles & Requirements - EOSC AAI Baseline Architecture - EOSC AAI Federation participation guidelines (participation policy and technical framework) - EOSC AAI Best Practise
Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (Snctfi)
This paper identifies operational and policy requirements to help establish trust between an Infrastructure and identity providers either in an R&E Federation or in another Infrastructure, in each case joined via a Service Provider to Identity Provider proxy
Federated Identity Management for Research Collaborations
This white-paper expresses common requirements of Research Communities seeking to leverage Identity Federation for
Authentication and Authorisation. Recommendations are made to Stakeholders to guide the future evolution of Federated
Identity Management in a direction that better satisfies research use cases. The authors represent research communities,
Research Services, Infrastructures, Identity Federations and Interfederations, with a joint motivation to ease collaboration
for distributed researchers. The content has been edited collaboratively by the Federated Identity Management for
Research (FIM4R) Community, with input sought at conferences and meetings in Europe, Asia and North America
Classification of patients with sepsis according to blood genomic endotype: a prospective cohort study
Host responses during sepsis are highly heterogeneous, which hampers the identification of patients at high risk of mortality and their selection for targeted therapies. In this study, we aimed to identify biologically relevant molecular endotypes in patients with sepsis. This was a prospective observational cohort study that included consecutive patients admitted for sepsis to two intensive care units (ICUs) in the Netherlands between Jan 1, 2011, and July 20, 2012 (discovery and first validation cohorts) and patients admitted with sepsis due to community-acquired pneumonia to 29 ICUs in the UK (second validation cohort). We generated genome-wide blood gene expression profiles from admission samples and analysed them by unsupervised consensus clustering and machine learning. The primary objective of this study was to establish endotypes for patients with sepsis, and assess the association of these endotypes with clinical traits and survival outcomes. We also established candidate biomarkers for the endotypes to allow identification of patient endotypes in clinical practice. The discovery cohort had 306 patients, the first validation cohort had 216, and the second validation cohort had 265 patients. Four molecular endotypes for sepsis, designated Mars1-4, were identified in the discovery cohort, and were associated with 28-day mortality (log-rank p=0·022). In the discovery cohort, the worst outcome was found for patients classified as having a Mars1 endotype, and at 28 days, 35 (39%) of 90 people with a Mars1 endotype had died (hazard ratio [HR] vs all other endotypes 1·86 [95% CI 1·21-2·86]; p=0·0045), compared with 23 (22%) of 105 people with a Mars2 endotype (HR 0·64 [0·40-1·04]; p=0·061), 16 (23%) of 71 people with a Mars3 endotype (HR 0·71 [0·41-1·22]; p=0·19), and 13 (33%) of 40 patients with a Mars4 endotype (HR 1·13 [0·63-2·04]; p=0·69).
Analysis of the net reclassification improvement using a combined clinical and endotype model significantly improved risk prediction to 0·33 (0·09-0·58; p=0·008). A 140-gene expression signature reliably stratified patients with sepsis to the four endotypes in both the first and second validation cohorts. Only Mars1 was consistently significantly associated with 28-day mortality across the cohorts. To facilitate possible clinical use, a biomarker was derived for each endotype; BPGM and TAP2 reliably identified patients with a Mars1 endotype. This study provides a method for the molecular classification of patients with sepsis to four different endotypes upon ICU admission. Detection of sepsis endotypes might assist in providing personalised patient management and in selection for trials. Center for Translational Molecular Medicine, Netherlands
