naco
The “N” Attribute COnformity checker

Marcus Hardt, Gabriel Zachmann

Mar 2025

Technical Overview

Motivation

Why am I showing this here in Taiwan / Asia?

  1. Global Interoperability!
  2. Global Interoperability!
  3. Global Interoperability!



Context

  • Federated Identity Management in Research
    • Community AAIs act as proxies between IdPs and services
    • Services require consistent user attributes for access control
    • Gaps in standardisation across research e-infrastructures
  • Attribute Compliance Challenges
    • Different Community AAIs may release attributes inconsistently
    • Community AAIs forward attributes from IdPs with varying quality
    • No automated tooling to continuously verify compliance

Problem: Service Interoperability

  • Different attributes make service development more complex
  • This leads to fewer services
  • Which threatens the success of independent ID-Management in science



NACO Overview

  • Definition and Purpose
    • Validation tool for attribute release
    • Multi Protocol:
      • OIDC tokens
      • SAML assertions
    • Continuous monitoring of many Community AAIs
    • Your AAI HERE!!!

Drop me an email: hardt@kit.edu

NACO Features

  • Supports multiple Community AAIs simultaneously
  • Configurable attribute specifications via JSON
  • Distinguishes mandatory vs. optional attributes
  • Validates
    • attribute presence
    • type correctness
    • correct scopes
  • REST interface for integration with external tools (e.g. https://aarc3.cat.argo.grnet.gr)

Supported Specifications

  • AARC-G056 (Draft)
    • AARC Attribute guidelines
    • Interoperability requirements for federated access
    • Community-defined attribute expectations
    • Defines basic and extended attribute sets
  • NFDI Attribute Profile
    • Attribute requirements
    • Based on an early draft of AARC-G056
    • Additional optional attributes

Attribute Specification System

  • Mandatory Attributes (Basic Set)
    • Identifier (sub+iss, eduperson_unique_id, voperson_id)
    • Name information (xxxxxxx)
    • E-Mail (email, voperson_verified_email)
    • Home organisation affiliation (voperson_external_affiliation)
    • Assurance levels (eduperson_assurance)
  • Optional Attributes (Extended Set)
    • Entitlements and capabilities
    • ORCID identifier
    • SSH public keys
    • Policy agreements (voperson_policy_agreement)
    • Authentication profiles (acr)

What NACO Validates

  • Several Endpoints
    • User Info endpoint
    • Access Token body
    • Token Introspection
  • Validation Checks
    • Attribute presence (single or compound keys)
    • Type correctness (string, list, bool, dict)
    • Scope correctness (external vs community scopes)
  • Verdict Generation
    • Per-attribute and per-source results
    • Summary verdict per Community AAI
    • Colour-coded: green=OK, red=missing/error
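The checks listed under "NACO Features" and "What NACO Validates" (JSON-configured attribute spec, mandatory vs. optional, presence of single and compound keys, type correctness, scope correctness, per-attribute verdicts rolled into a green/red summary) as a small added Python illustration. This is not NACO's own code: the JSON layout of the spec, the `community_scope` field and the rule that an external affiliation must not carry the community AAI's own scope are assumptions made for this example, and the userinfo response is constructed.

```python
import json
import re
# Constructed spec: the JSON layout is assumed for this example, not NACO's schema.
SPEC = json.loads("""{
  "community_scope": "community.example",
  "attributes": [
    {"key": ["sub", "iss"], "mandatory": true, "type": "string"},
    {"key": "email", "mandatory": true, "type": "string"},
    {"key": "voperson_external_affiliation", "mandatory": true,
     "type": "list", "scope": "external"},
    {"key": "eduperson_assurance", "mandatory": true, "type": "list"},
    {"key": "eduperson_entitlement", "mandatory": false, "type": "list"}
  ]}""")

TYPES = {"string": str, "list": list, "bool": bool, "dict": dict}
SCOPED = re.compile(r"^[^@]+@([^@]+)$")  # value of the form local@scope

def check_attribute(attr, claims, community_scope):
    # Presence: a compound key such as sub+iss needs every part present.
    keys = attr["key"] if isinstance(attr["key"], list) else [attr["key"]]
    if any(k not in claims for k in keys):
        return "missing" if attr["mandatory"] else "absent-optional"
    for k in keys:  # type correctness: string / list / bool / dict
        if not isinstance(claims[k], TYPES[attr["type"]]):
            return f"wrong type for {k}: expected {attr['type']}"
    # Scope (assumed rule): an external affiliation must carry the home
    # organisation's scope, never the community AAI's own scope.
    if attr.get("scope") == "external":
        for v in claims[keys[0]]:  # type check above guarantees a list
            if not (m := SCOPED.match(v)):
                return f"unscoped value: {v}"
            if m.group(1) == community_scope:
                return f"community scope where external expected: {v}"
    return "ok"

def validate(claims, spec=SPEC):
    results = {}
    for attr in spec["attributes"]:
        name = "+".join(attr["key"]) if isinstance(attr["key"], list) else attr["key"]
        results[name] = check_attribute(attr, claims, spec["community_scope"])
    ok = all(r in ("ok", "absent-optional") for r in results.values())
    return results, "green" if ok else "red"

USERINFO = {  # constructed userinfo response, not captured from any real AAI
    "sub": "abc123", "iss": "https://aai.community.example",
    "email": "alice@uni.example",
    "voperson_external_affiliation": ["faculty@uni.example"],
    "eduperson_assurance": ["https://refeds.org/assurance/IAP/medium"],
    "eduperson_entitlement": "urn:geant:example:group:demo",  # should be a list
}
```

`validate(USERINFO)` returns per-attribute verdicts for one source (here the userinfo endpoint) and a red summary, because the optional entitlement is present but has the wrong type; the same function would be run per endpoint and per Community AAI.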

Currently Monitored Community AAIs

  • European Research Infrastructure
    • EGI Check-in, eduTEAMS, LifeScience AAI, Unity (Helmholtz)
  • German Research Infrastructure
    • RegAPP (NFDI), Bildungsproxy, academic-id, didmos
  • International Collaborations
    • WLCG IAM (High-Energy Physics), CILogon (US)

Use Cases

  • Compliance Monitoring
    • Continuous validation of attribute release
    • Early detection of configuration drift
  • Service Provider Onboarding
    • Verify Community AAI meets requirements before integration
  • Federation Operations
    • Compare attribute coverage across Community AAIs
    • Support standardisation efforts
  • Incident Response
    • Alert administrators to validation failures

Future Directions

  • Extended Protocol Support
    • Enhanced SAML assertion validation
  • Enhanced Reporting
    • Historical trend analysis
    • Compliance dashboards
  • Scalability
    • Distributed validation nodes