AURA โ€” Airport / AODB Integration Kit Full partner kit  ยท  Airline edition  ยท  One-pager  ยท  Demonstrator  ยท  Integration blueprint โ€” biometrics simulated, AODB mocked  
Partner Onboarding ยท Airport / AODB Edition

Integrating AURA with airport operations

Automated Universal Recognition Architecture ยท KSIA Terminal 6
Audience: airport operations, AODB owners, IT/identity & security teams Status: integration blueprint for onboarding discussions โ€” not yet a live pilot

1. What AURA asks of the airport

AURA lets a passenger move through Terminal 6 on one verified identity, reused at security and boarding. For that to be safe and operationally correct, AURA needs two things from the airport: accurate flight & gate context (so gates show the right information) and trustworthy staff identities (so role-based access controls work). It also relies on the airport hosting the on-premise trust boundary where biometrics live.

The airport owns two integrations

It also hosts INT-6 โ€” the on-prem matching engine (simulated this phase) โ€” inside the airport's trusted environment. INT-6 is not a partner integration; it is the crown-jewels component that never leaves KSIA.

AIRPORT (KSIA) AURA โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” flight/gate events โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ AODB โ”‚ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ โ”‚ Integration layer โ”‚ โ”‚ (INT-2) โ”‚ (non-personal, ๐ŸŸข) โ”‚ (validates inbound) โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” staff identity+role โ”‚ โ”‚ โ”‚ Staff IdP โ”‚ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ โ”‚ RBAC โ”‚ โ”‚ SSO (INT-5) โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” on-prem โ–ผ โ”‚ Matching engine (INT-6, simulated) โ”‚ โ—„โ”€โ”€ ON-PREM TRUST BOUNDARY โ”‚ templates never leave KSIA ๐Ÿ”ด โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

2. Flight & gate context (INT-2 ยท AODB)

INT-2 ยท Airport Operational Database (AODB)Phase 1 required
inbound (read) ยท asynchronous events ยท ๐ŸŸข non-personal ยท airport-hosted
PurposeFlight numbers, times, gates, delays, terminal status so gates and staff see correct context. PatternsP5 (webhook / event subscription) and/or a read API AODB โ†’ AURAflight & gate events and schedule reads โ€” non-personal only You provideevent feed or polling API, schema, change-notification mechanism Hard ruleLowest-risk integration โ€” it must contain no passenger personal data.

The AODB is AURA's source of operational truth. It is the safest integration precisely because it carries only non-personal data: a gate change or a delay, never a name.

What AURA consumes from the AODB

DataUsed forSensitivity
Flight number, scheduled / estimated timesAnchoring a journey to the right flight; gate displays๐ŸŸข non-personal
Gate & stand assignmentDirecting passengers; gate context for the boarding decision๐ŸŸข non-personal
Delays / status changes / cancellationsOperational triggers (see ยง3); keeping context fresh๐ŸŸข non-personal
Terminal statusOverall operational picture for Terminal 6๐ŸŸข non-personal

3. Operational triggers

AODB events don't just populate displays โ€” they drive AURA's operational behavior. Each event is non-personal, validated on arrival, then applied to gate context.

AODB EVENT AURA RESPONSE โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ gate change โ”€โ”€โ–บ update gate context; redirect guidance (via INT-7) delay / retime โ”€โ”€โ–บ refresh flight context; adjust passenger messaging cancellation โ”€โ”€โ–บ flag journeys on that flight; route to staff handling flight closed โ”€โ”€โ–บ stop accepting boarding for that flight at the gate stale / no update โ”€โ”€โ–บ mark context "stale"; staff verify gate/flight manually
TriggerOperational effectFail-safe note
Gate reassignmentGate context updated; passengers re-guidedIf event missed, staff override; last-known flagged stale
Delay / schedule changeContext refreshed; messaging adjustedNon-blocking; gate decision (INT-6) unaffected
CancellationAffected journeys flagged for staffNever auto-denies a passenger silently โ€” routed to human
Boarding closedGate stops accepting that flightDeterministic; manual override possible with audit

4. Staff SSO & RBAC touchpoints (INT-5)

INT-5 ยท Staff Identity / SSOPhase 1 required
inbound ยท synchronous ยท ๐ŸŸก staff identity (no passenger data) ยท airport/IdP-hosted
PurposeAuthenticate AURA staff (which officer is logging in?) to drive role-based access control. PatternsFederated sign-on (e.g. OIDC/SAML), role / group assignment IdP โ†’ AURAstaff identity + role assignment You provideIdP metadata, role/group mapping, MFA expectations Hard ruleThis is staff identity, not passenger identity. No passenger data flows here.

How RBAC uses staff identity

Once a staff member is authenticated via your IdP, AURA maps them to a role, and every sensitive action is checked against that role's capabilities on the server side โ€” not just hidden in the UI. A few concrete examples from the demonstrator:

CapabilityWhat it gatesRoles that hold it
journey.linkLink/check-in a passenger journeyenrollment agent, operations supervisor
ai.configureToggle the AI assistive features (e.g. kill switch)security admin (separation of duties)

What AURA asks of the airport IdP

5. On-prem trust boundary (INT-6)

The single most important architectural principle for the airport: biometrics never leave KSIA. The matching engine that compares a live capture to a stored template runs on-premise, inside the airport's trusted environment.

INT-6 ยท Matching Engine (on-prem, simulated this phase)Phase 1 (simulated)
internal ยท synchronous ยท ๐Ÿ”ด biometric ยท on-prem only โ€” not a partner integration
PurposeCompare a live capture to a stored template โ€” the actual gate decision. ContractRequest { identity_ref, live_capture, stage } โ†’ { decision, confidence, reason } Hard ruleTemplates & results never leave KSIA. A real engine slots into this same contract later with no re-architecture.
โ”€โ”€ UNTRUSTED (partners) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”Šโ”€โ”€ TRUSTED (AIRPORT / AURA) โ”€โ”€โ”€โ”€โ”€โ”€โ”€ airline DCS / doc provider / cloud โ”Š integration layer (validates) โ”Š โ”‚ โ”Š โ–ผ resolve token (on-prem) โ”Š โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”Š โ”‚ KSIA VAULT โ”‚ identities, โ”Š โ”‚ + INT-6 matching โ”‚ templates, โ”Š โ”‚ (crown jewels) โ”‚ consent, audit โ”Š โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
  1. Biometric templates never cross an external boundary. Only the on-prem engine touches them.
  2. Raw identity stays on-prem. Partners get tokens; only the KSIA vault resolves a token to a person.
  3. The gate decision is on-prem and synchronous. It never depends on the internet or any partner.

6. Resilience & fail-safe behavior

Airport operations cannot tolerate a system that strands passengers or makes unsafe decisions when something fails. AURA is designed to fail safe, not open.

Core resilience principles

  1. Fail safe, not open. If a security-relevant check can't complete, the result is REFER to a human โ€” never an automatic ALLOW.
  2. Gates keep working. Because the gate decision is on-prem (INT-6), a cloud or partner outage doesn't stop checkpoints/boarding for already-validated journeys.
  3. Human fallback owns the edge cases. Airport operations handle fallbacks with manual override and full audit.

Airport-relevant fallback table

IntegrationIf it failsโ€ฆFallback
INT-2 AODBflight data stale / unavailableUse last-known + flag "stale"; staff verify gate/flight manually
INT-5 Staff SSOSSO downBreak-glass staff access (dual-control, alarmed, audited)
INT-6 Matching (on-prem)low confidence / poor captureDeterministic REFER; human officer + manual document fallback
INT-1 Airline DCScan't validate bookingREFER to staff for manual booking check; journey not auto-activated
INT-7 Notificationdelivery failsBest-effort retry; non-blocking; passenger can use kiosk/staff
Network / cloudconnectivity lostOn-prem gate decisions continue; async items queue and backfill
The promise to operations. Any partner or network outage degrades gracefully into a human-assisted process โ€” it never denies a legitimate passenger silently and never auto-allows an unsafe one.

7. Forbidden fields โ€” enforced at the boundary

Enforced, not just stated. AURA's integration layer actively blocks a fixed set of fields from ever crossing to an external connector. If any appear, the request is rejected and the attempt is audited. These include: template_data, raw_image, selfie, given_name, family_name, and document_number. The on-prem matching engine (INT-6) is the only component permitted to handle biometric data โ€” and it never leaves KSIA.

For the airport, this matters most for the AODB: by design the AODB carries no passenger personal data at all, so it sits comfortably on the right side of this rule. Staff SSO (INT-5) carries staff identity only โ€” never passenger data.

RulePlain English (airport view)
No biometrics outboundTemplates/images stay inside KSIA on the on-prem engine.
AODB is non-personalFlight/gate data only โ€” never a passenger name.
Staff โ‰  passengerSSO carries staff identity for RBAC, not passenger identity.
Inbound validationAURA treats all AODB/IdP data as untrusted and validates before use.

8. What's real today vs simulated

AspectState in this phase
AODB integration contract (INT-2)Real, working contract โ€” runs as a contract-shaped mock you can exercise end-to-end
Staff SSO & RBAC (INT-5)Real RBAC enforced server-side; staff identity via a mocked IdP contract
On-prem matching (INT-6)Simulated โ€” deterministic decision; no real biometrics; same contract a real engine will use
Live operational / passenger dataNot used โ€” synthetic / non-personal test data only
Gov/border (INT-4), analytics (INT-8)Designed, not built this phase

9. Sandbox & airport onboarding

What AURA provides you

What AURA asks of you

Airport onboarding checklist

10. Workshop questions for airport teams

The items AURA expects to resolve with the airport. A privacy-first / resilient default is proposed for each; the workshop confirms or adjusts it.

#Open questionAURA's proposed default
1AODB delivery: events or read API?Event/webhook feed for changes + read API for reconciliation
2AODB change-notification mechanism?Push events on gate/delay/status change; agreed schema
3Stale-data handling?Use last-known, flag "stale", staff verify manually
4SSO protocol & role mapping (INT-5)?OIDC/SAML federation with explicit role/group mapping + MFA
5Break-glass for SSO outage?Dual-control, alarmed, fully audited emergency access
6On-prem hosting for INT-6 / vault?Inside KSIA's trusted environment; templates never leave
7Network-loss behavior?On-prem gate decisions continue; async items queue + backfill
8Auth mechanism for INT-2/INT-5?Mutual TLS and/or signed short-lived tokens; per-partner keys
9Fallback ownership for operations?Airport operations, with manual override & full audit
10SLAs, support & incident escalation?Agreed during onboarding

Airport / AODB edition of AURA's partner onboarding kit, grounded in Stage 6 Integration Readiness and the working INT-2, INT-5 and INT-6 connector mocks in the current demonstrator. Connector scope this phase is INT-1, 2, 3, 5, 6 and 7. Field names and contract details are illustrative and confirmed per partner during onboarding. Biometrics remain simulated; this is an integration blueprint, not a live pilot.