Generated by GPT-5-mini

| Perun Attribute Authority | |
|---|---|
| Name | Perun Attribute Authority |
| Genre | Attribute management |
Perun Attribute Authority is a centralized attribute and identity metadata service for federated identity systems, designed to provide attribute aggregation, normalization, and policy-driven distribution across federations and trust frameworks. It integrates with identity providers, service providers, and attribute authorities to harmonize attributes for access decisions in environments operated by organizations such as national research and education networks, intergovernmental projects, and multinational consortia. The system is used alongside existing infrastructure components to support attribute-driven authorization and consent workflows in large-scale deployments.
Perun Attribute Authority functions as an intermediary between identity providers and relying parties to collect, transform, and deliver attributes from sources such as Shibboleth, SAML 2.0, OpenID Connect, LDAP, and institutional databases operated by organizations like GÉANT, Internet2, TERENA, eduGAIN, and the European Union. It addresses attribute harmonization challenges encountered by entities including CERN, Max Planck Society, European Organization for Nuclear Research, University of Cambridge, Harvard University, Stanford University, Massachusetts Institute of Technology, California Institute of Technology, and Princeton University. The authority supports workflows used by projects such as XSEDE, PRACE, EUDAT, ELIXIR, Human Brain Project, CLARIN, DARIAH, and EOSC. It interoperates with identity frameworks and standards bodies like OASIS, IETF, W3C, ISO/IEC, and NIST.
The architecture comprises modules for attribute ingestion, attribute mapping, attribute storage, policy evaluation, consent management, and attribute release, interfacing with technologies including PostgreSQL, MySQL, Redis, Apache Kafka, RabbitMQ, Docker, Kubernetes, and OpenStack. Core components integrate with middleware stacks such as Shibboleth Service Provider, Shibboleth Identity Provider, Keycloak, Gluu Server, Auth0, Okta, and FreeIPA while supporting provisioning protocols like SCIM and synchronization tools used by Centrify, SailPoint, and Oracle Identity Management. Logging and observability rely on stacks like ELK Stack, Prometheus, Grafana, and Fluentd to serve operational teams at institutions including University of Oxford, ETH Zurich, Sorbonne University, Karolinska Institutet, and University of Tokyo.
The attribute model implements schemas and vocabularies drawn from standards and community initiatives such as eduPerson, the SAML attribute profile, X.509, RFC 822, LODE, Schema.org, and domain-specific profiles used by consortia like the GÉANT Data Protection Code of Conduct, Marie Skłodowska-Curie Actions, Horizon Europe, European Research Council, and Wellcome Trust. Attribute management workflows enable normalization, aggregation, and canonicalization using transformation rules that operate over formats such as LDAP Data Interchange Format (LDIF), CSV, JSON-LD, and XML. Attribute lifecycle and provenance tracking integrate with metadata registries and catalogues maintained by institutions such as the Library of Congress, German National Library, Bibliothèque nationale de France, Digital Public Library of America, and CrossRef.
Perun exposes APIs and supports protocols including SAML 2.0, OAuth 2.0, OpenID Connect, SCIM, RESTful API conventions, and message brokering patterns compatible with AMQP and MQTT. API authentication and client registration workflows align with specifications produced by the IETF OAuth Working Group, the OpenID Foundation, W3C WebAuthn, and identity federation practices used by eduGAIN and InCommon. SDKs and client libraries integrate with ecosystems such as Spring Framework, Node.js, Python, Java, Go, and Ruby on Rails to support application developers at organizations like Google, Microsoft, Amazon Web Services, IBM, and Red Hat.
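The OAuth 2.0 and OpenID Connect flows mentioned above, and the JWT/JWS token formats named under security below, both carry attribute sets in signed compact tokens, and most of the risk sits on the verifying side. The following is an added example written for this page, not Perun code and not a full JWT library: it issues an HS256-signed attribute assertion with the standard library and verifies it strictly (algorithm pinned rather than read from the header, constant-time signature comparison, issuer, audience and expiry checked). The key, issuer, audience, timestamp and attribute values are constructed sample data.

```python
"""Signed attribute assertion (compact JWS, HS256) with strict verification.

Added illustration only: not Perun code and not a full JWT library. The issuer,
audience, key and attribute set are constructed sample values.
"""
import base64
import hashlib
import hmac
import json


class InvalidAssertion(ValueError):
    """Raised for any verification failure; callers must treat it as a hard deny."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(attrs: dict, key: bytes, issuer: str, audience: str,
                    now: int, ttl: int = 300) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the signing input."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl,
               "attributes": attrs}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":"),
                                                      sort_keys=True).encode()))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_assertion(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Check signature first, then issuer, audience and expiry; return the attributes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidAssertion("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except Exception as exc:  # bad base64 or JSON
        raise InvalidAssertion("unparseable header") from exc
    # The header is untrusted until the signature is checked, so the verifier pins
    # the algorithm instead of letting the token choose it (this rejects alg=none).
    if header.get("alg") != "HS256":
        raise InvalidAssertion("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(parts[2])
    except Exception as exc:
        raise InvalidAssertion("unparseable signature") from exc
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        raise InvalidAssertion("bad signature")
    payload = json.loads(b64url_decode(parts[1]))
    if payload.get("iss") != issuer:
        raise InvalidAssertion("wrong issuer")
    if payload.get("aud") != audience:
        raise InvalidAssertion("wrong audience")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise InvalidAssertion("expired")
    return payload["attributes"]


# Constructed sample values.
KEY = b"constructed-shared-secret-do-not-reuse"
ISSUER = "https://aa.example.org"
AUDIENCE = "https://wiki.example.org/sp"
NOW = 1_700_000_000
ATTRS = {"uid": "jdoe", "eduPersonAffiliation": ["staff", "member"]}


def demo() -> dict:
    """Exercise the happy path and four failure modes; returns outcomes by name."""
    token = issue_assertion(ATTRS, KEY, ISSUER, AUDIENCE, NOW)
    outcomes = {"valid": verify_assertion(token, KEY, ISSUER, AUDIENCE, NOW + 60)}
    header, payload, sig = token.split(".")
    forged = b64url_encode(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 300,
                                       "attributes": {"uid": "admin"}}).encode())
    cases = {
        "tampered_payload": (".".join([header, forged, sig]), KEY, NOW + 60),
        "wrong_key": (token, b"other-key", NOW + 60),
        "expired": (token, KEY, NOW + 301),
        "alg_none": (".".join([b64url_encode(b'{"alg":"none"}'), payload, ""]), KEY, NOW + 60),
    }
    for name, (tok, k, t) in cases.items():
        try:
            verify_assertion(tok, k, ISSUER, AUDIENCE, t)
            outcomes[name] = "accepted"
        except InvalidAssertion as exc:
            outcomes[name] = str(exc)
    return outcomes


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints one line per case; every case except `valid` must end in an `InvalidAssertion`. In a real deployment the shared HMAC secret would be replaced by an asymmetric JWS algorithm with the authority's key in an HSM, as the security paragraph below describes, but the ordering of checks (signature before any claim is trusted, algorithm pinned, audience and expiry enforced) stays the same.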
Security and access control are implemented with mechanisms informed by standards and guidance from NIST SP 800-63, ISO/IEC 27001, GDPR, eIDAS, HIPAA, and best practices advocated by ENISA and CIS. The system supports attribute release policies, consent capture, and role-based and attribute-based access control patterns as found in standards such as XACML and the RBAC model, and in policy engines such as OPA (Open Policy Agent). Cryptographic functions rely on libraries and standards including TLS, X.509 certificates, JWT, JWE, JWS, and hardware security modules from vendors like Thales Group, Gemalto, and HSM Forum partners.
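The architecture paragraph lists ingestion, mapping, policy evaluation, consent and release as separate modules, the attribute model paragraph describes normalization against vocabularies such as eduPerson, and the paragraph above describes attribute release policies with consent capture and ABAC gating. The following added example, written for this page and not Perun's own code, strings those steps together for one user: two source records are mapped to canonical eduPerson names, values are canonicalized (mail lower-cased, affiliation restricted to the eduPerson controlled vocabulary), sources are merged with explicit precedence, and release to a service provider is default-deny, gated by an ABAC condition on affiliation, then filtered by the user's consent, with every withheld attribute carrying a reason for the audit log. The source name maps, sample records, policy and consent store are all constructed.

```python
"""Attribute aggregation, normalization and policy-driven release.

Added illustration only: not Perun code. The source mappings, sample records,
release policy and consent store below are all constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# eduPerson controlled vocabulary for eduPersonAffiliation.
EDUPERSON_AFFILIATIONS = {"faculty", "student", "staff", "employee", "member",
                          "affiliate", "alum", "library-walk-in"}

# Constructed per-source name maps: source attribute (lower-cased) -> canonical name.
SOURCE_NAME_MAP = {
    "ldap": {"uid": "uid", "mail": "mail", "sn": "sn", "givenname": "givenName",
             "edupersonaffiliation": "eduPersonAffiliation"},
    "hr_db": {"employee_id": "uid", "email": "mail", "surname": "sn",
              "first_name": "givenName", "department": "ou", "role": "eduPersonAffiliation"},
}
MULTI_VALUED = {"mail", "eduPersonAffiliation", "ou"}


def normalize(source: str, record: dict) -> dict:
    """Rename one source record to canonical names and canonical value forms."""
    mapping = SOURCE_NAME_MAP[source]
    out: dict = {}
    for raw_name, raw_value in record.items():
        name = mapping.get(raw_name.lower())
        if name is None:
            continue  # attributes with no mapping are dropped, never forwarded
        values = raw_value if isinstance(raw_value, list) else [raw_value]
        values = [str(v).strip() for v in values if str(v).strip()]
        if name == "mail":
            values = [v.lower() for v in values]
        elif name == "eduPersonAffiliation":
            # enforce the controlled vocabulary; unknown labels do not leak out
            values = [v.lower() for v in values if v.lower() in EDUPERSON_AFFILIATIONS]
        if not values:
            continue
        out[name] = values if name in MULTI_VALUED else values[0]
    return out


def aggregate(records: list[tuple[str, dict]]) -> dict:
    """Merge records in source-precedence order: the first source wins for
    single-valued attributes, multi-valued attributes take the ordered union."""
    merged: dict = {}
    for source, record in records:
        for name, value in normalize(source, record).items():
            if name in MULTI_VALUED:
                bucket = merged.setdefault(name, [])
                for v in value:
                    if v not in bucket:
                        bucket.append(v)
            else:
                merged.setdefault(name, value)
    return merged


@dataclass(frozen=True)
class ReleasePolicy:
    sp_entity_id: str
    allowed: frozenset                            # attributes this SP may ever receive
    required_affiliation: Optional[str] = None    # ABAC gate on the whole release
    consent_required: bool = True


def release(attrs: dict, policy: ReleasePolicy, consent: dict) -> tuple[dict, dict]:
    """Default-deny release: returns (released, withheld), withheld maps name -> reason."""
    affiliations = set(attrs.get("eduPersonAffiliation", []))
    if policy.required_affiliation and policy.required_affiliation not in affiliations:
        return {}, {name: "abac: required affiliation missing" for name in attrs}
    consented = set(consent.get(policy.sp_entity_id, ()))
    released, withheld = {}, {}
    for name, value in attrs.items():
        if name not in policy.allowed:
            withheld[name] = "policy: not in release set"
        elif policy.consent_required and name not in consented:
            withheld[name] = "consent: not granted"
        else:
            released[name] = value
    return released, withheld


# Constructed sample input: an LDAP record and an HR-database record for the same person.
SAMPLE_RECORDS = [
    ("ldap", {"uid": "jdoe", "mail": "J.Doe@Example.EDU", "sn": "Doe", "givenName": "Jane",
              "eduPersonAffiliation": ["Staff", "member"]}),
    ("hr_db", {"employee_id": "E1234", "email": "jane.doe@example.edu", "surname": "Doe",
               "department": "Physics", "role": "contractor"}),
]
WIKI_SP = ReleasePolicy("https://wiki.example.org/sp",
                        frozenset({"uid", "mail", "eduPersonAffiliation"}),
                        required_affiliation="member")
CONSENT_STORE = {"https://wiki.example.org/sp": {"uid", "eduPersonAffiliation"}}


def demo() -> tuple[dict, dict, dict]:
    """Aggregate the sample records and release them to the sample SP."""
    attrs = aggregate(SAMPLE_RECORDS)
    released, withheld = release(attrs, WIKI_SP, CONSENT_STORE)
    return attrs, released, withheld


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Two details are worth noting. The HR record's `role` of `contractor` is mapped onto `eduPersonAffiliation` but silently dropped because it is not in the eduPerson vocabulary, so a relying party never sees a value it cannot interpret. The `withheld` map is returned rather than logged inside the function so that the caller can write it to the audit trail with the request context; a release pipeline that only returns the released set loses the evidence of why consent or policy blocked an attribute.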
Deployments occur on infrastructures ranging from on-premises clusters operated by Deutsche Telekom, Orange S.A., BT Group, and NTT to cloud platforms such as Amazon Web Services, Google Cloud Platform, Microsoft Azure, Alibaba Cloud, and Oracle Cloud Infrastructure. Integration patterns follow blueprints used by large federations and research infrastructures supported by PRACE, EUDAT, GÉANT, CERN Openlab, Riken, and Jisc. Continuous integration and continuous delivery pipelines leverage tools like Jenkins, GitLab CI/CD, Travis CI, CircleCI, and Ansible for configuration management with orchestration providers including Terraform, Puppet, and Chef.
Typical use cases include attribute aggregation for single sign-on in federations serving research and education, cross-border authentication for programs such as Horizon 2020 and Erasmus+, attribute enrichment for publishing platforms like Elsevier, Springer Nature, and Wiley-Blackwell, and consent-aware attribute release for clinical research supported by World Health Organization, European Medicines Agency, and Wellcome Trust. Implementations and pilot projects have been deployed by consortia including eduGAIN, InCommon, GÉANT partners, national infrastructures such as SURFnet, CESNET, RedIRIS, PIONIER, and commercial integrators like Accenture, Capgemini, Atos, and Cisco Systems.