Integrating AURA with airport operations
1. What AURA asks of the airport
AURA lets a passenger move through Terminal 6 on one verified identity, reused at security and boarding. For that to be safe and operationally correct, AURA needs two things from the airport: accurate flight & gate context (so gates show the right information) and trustworthy staff identities (so role-based access controls work). It also relies on the airport hosting the on-premise trust boundary where biometrics live.
The airport owns two integrations
- INT-2 ยท AODB โ flight schedules, gates, delays, terminal status (non-personal operational data).
- INT-5 ยท Staff SSO โ authenticate AURA staff so RBAC knows which officer is acting.
It also hosts INT-6 โ the on-prem matching engine (simulated this phase) โ inside the airport's trusted environment. INT-6 is not a partner integration; it is the crown-jewels component that never leaves KSIA.
2. Flight & gate context (INT-2 ยท AODB)
The AODB is AURA's source of operational truth. It is the safest integration precisely because it carries only non-personal data: a gate change or a delay, never a name.
What AURA consumes from the AODB
| Data | Used for | Sensitivity |
|---|---|---|
| Flight number, scheduled / estimated times | Anchoring a journey to the right flight; gate displays | ๐ข non-personal |
| Gate & stand assignment | Directing passengers; gate context for the boarding decision | ๐ข non-personal |
| Delays / status changes / cancellations | Operational triggers (see ยง3); keeping context fresh | ๐ข non-personal |
| Terminal status | Overall operational picture for Terminal 6 | ๐ข non-personal |
3. Operational triggers
AODB events don't just populate displays โ they drive AURA's operational behavior. Each event is non-personal, validated on arrival, then applied to gate context.
| Trigger | Operational effect | Fail-safe note |
|---|---|---|
| Gate reassignment | Gate context updated; passengers re-guided | If event missed, staff override; last-known flagged stale |
| Delay / schedule change | Context refreshed; messaging adjusted | Non-blocking; gate decision (INT-6) unaffected |
| Cancellation | Affected journeys flagged for staff | Never auto-denies a passenger silently โ routed to human |
| Boarding closed | Gate stops accepting that flight | Deterministic; manual override possible with audit |
4. Staff SSO & RBAC touchpoints (INT-5)
How RBAC uses staff identity
Once a staff member is authenticated via your IdP, AURA maps them to a role, and every sensitive action is checked against that role's capabilities on the server side โ not just hidden in the UI. A few concrete examples from the demonstrator:
| Capability | What it gates | Roles that hold it |
|---|---|---|
journey.link | Link/check-in a passenger journey | enrollment agent, operations supervisor |
ai.configure | Toggle the AI assistive features (e.g. kill switch) | security admin (separation of duties) |
What AURA asks of the airport IdP
- Federated sign-on (OIDC/SAML) with IdP metadata exchanged during onboarding.
- Explicit role / group mapping so AURA roles map cleanly to airport staff groups.
- MFA expectations for sensitive roles.
- A break-glass path (dual-control, alarmed, audited) for SSO outages โ see ยง6.
5. On-prem trust boundary (INT-6)
The single most important architectural principle for the airport: biometrics never leave KSIA. The matching engine that compares a live capture to a stored template runs on-premise, inside the airport's trusted environment.
{ identity_ref, live_capture, stage } โ { decision, confidence, reason }
Hard ruleTemplates & results never leave KSIA. A real engine slots into this same contract later with no re-architecture.
- Biometric templates never cross an external boundary. Only the on-prem engine touches them.
- Raw identity stays on-prem. Partners get tokens; only the KSIA vault resolves a token to a person.
- The gate decision is on-prem and synchronous. It never depends on the internet or any partner.
6. Resilience & fail-safe behavior
Airport operations cannot tolerate a system that strands passengers or makes unsafe decisions when something fails. AURA is designed to fail safe, not open.
Core resilience principles
- Fail safe, not open. If a security-relevant check can't complete, the result is REFER to a human โ never an automatic ALLOW.
- Gates keep working. Because the gate decision is on-prem (INT-6), a cloud or partner outage doesn't stop checkpoints/boarding for already-validated journeys.
- Human fallback owns the edge cases. Airport operations handle fallbacks with manual override and full audit.
Airport-relevant fallback table
| Integration | If it failsโฆ | Fallback |
|---|---|---|
| INT-2 AODB | flight data stale / unavailable | Use last-known + flag "stale"; staff verify gate/flight manually |
| INT-5 Staff SSO | SSO down | Break-glass staff access (dual-control, alarmed, audited) |
| INT-6 Matching (on-prem) | low confidence / poor capture | Deterministic REFER; human officer + manual document fallback |
| INT-1 Airline DCS | can't validate booking | REFER to staff for manual booking check; journey not auto-activated |
| INT-7 Notification | delivery fails | Best-effort retry; non-blocking; passenger can use kiosk/staff |
| Network / cloud | connectivity lost | On-prem gate decisions continue; async items queue and backfill |
7. Forbidden fields โ enforced at the boundary
template_data, raw_image,
selfie, given_name, family_name, and
document_number. The on-prem matching engine (INT-6) is the only component
permitted to handle biometric data โ and it never leaves KSIA.
For the airport, this matters most for the AODB: by design the AODB carries no passenger personal data at all, so it sits comfortably on the right side of this rule. Staff SSO (INT-5) carries staff identity only โ never passenger data.
| Rule | Plain English (airport view) |
|---|---|
| No biometrics outbound | Templates/images stay inside KSIA on the on-prem engine. |
| AODB is non-personal | Flight/gate data only โ never a passenger name. |
| Staff โ passenger | SSO carries staff identity for RBAC, not passenger identity. |
| Inbound validation | AURA treats all AODB/IdP data as untrusted and validates before use. |
8. What's real today vs simulated
| Aspect | State in this phase |
|---|---|
| AODB integration contract (INT-2) | Real, working contract โ runs as a contract-shaped mock you can exercise end-to-end |
| Staff SSO & RBAC (INT-5) | Real RBAC enforced server-side; staff identity via a mocked IdP contract |
| On-prem matching (INT-6) | Simulated โ deterministic decision; no real biometrics; same contract a real engine will use |
| Live operational / passenger data | Not used โ synthetic / non-personal test data only |
| Gov/border (INT-4), analytics (INT-8) | Designed, not built this phase |
9. Sandbox & airport onboarding
What AURA provides you
- Versioned contract definitions for INT-2 (events/read API) and INT-5 (federation + role mapping).
- A sandbox where AODB and IdP are mocked to those contracts, so flows run end-to-end safely.
- Observable request/response traces and audit entries for every simulated event and login.
- Test scenarios: success, AODB-stale, SSO-down (break-glass), and forbidden-field cases.
What AURA asks of you
- A non-production AODB feed/endpoint and a test IdP (or sandbox tenant) with test credentials.
- Representative non-personal / synthetic flight, gate and staff data.
- Confirmation of AODB schema & change-notification mechanism, and IdP role/group mapping.
- Agreement on break-glass procedure, MFA expectations, and stale-data handling.
- A technical point of contact for joint testing and issue triage.
Airport onboarding checklist
- Confirm INT-2 and INT-5 ownership and Phase 1 participation.
- Agree the versioned AODB contract (events vs read API, schema, change notifications).
- Exchange IdP metadata; agree role/group mapping and MFA for sensitive roles.
- Confirm on-prem hosting arrangement for INT-6 / vault (trust boundary).
- Agree resilience behavior: stale-data flagging, break-glass, manual override + audit.
- Run contract โ connectivity/auth โ fail-safe & forbidden-field tests.
- Confirm SLAs, support/escalation, and fallback ownership (airport operations).
10. Workshop questions for airport teams
The items AURA expects to resolve with the airport. A privacy-first / resilient default is proposed for each; the workshop confirms or adjusts it.
| # | Open question | AURA's proposed default |
|---|---|---|
| 1 | AODB delivery: events or read API? | Event/webhook feed for changes + read API for reconciliation |
| 2 | AODB change-notification mechanism? | Push events on gate/delay/status change; agreed schema |
| 3 | Stale-data handling? | Use last-known, flag "stale", staff verify manually |
| 4 | SSO protocol & role mapping (INT-5)? | OIDC/SAML federation with explicit role/group mapping + MFA |
| 5 | Break-glass for SSO outage? | Dual-control, alarmed, fully audited emergency access |
| 6 | On-prem hosting for INT-6 / vault? | Inside KSIA's trusted environment; templates never leave |
| 7 | Network-loss behavior? | On-prem gate decisions continue; async items queue + backfill |
| 8 | Auth mechanism for INT-2/INT-5? | Mutual TLS and/or signed short-lived tokens; per-partner keys |
| 9 | Fallback ownership for operations? | Airport operations, with manual override & full audit |
| 10 | SLAs, support & incident escalation? | Agreed during onboarding |
Airport / AODB edition of AURA's partner onboarding kit, grounded in Stage 6 Integration Readiness and the working INT-2, INT-5 and INT-6 connector mocks in the current demonstrator. Connector scope this phase is INT-1, 2, 3, 5, 6 and 7. Field names and contract details are illustrative and confirmed per partner during onboarding. Biometrics remain simulated; this is an integration blueprint, not a live pilot.