Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "AAI"

From EGIWiki
Jump to navigation Jump to search
 
(21 intermediate revisions by 9 users not shown)
Line 1: Line 1:
{{Template:Op menubar}} {{Template:Tools menubar}} {{TOC_right}}  
{{Deprecated}}


The EGI AAI proxy enables access to EGI services and resources using
<!--{{Template:Op menubar}} --> {{Template:Tools menubar}} {{TOC_right}}
federated authentication mechanisms. Specifically, the proxy service is
operated as a central hub between federated Identity Providers (IdPs) residing
‘outside’ of the EGI ecosystem, and Service Providers (SPs) that are
part of EGI. The main advantage of this design principle is that all entities
need to establish and maintain technical and trust relation only to a single
entity, the EGI AAI proxy, instead of managing many-to-many relationships. In this context, the proxy
acts as a Service Provider towards the Identity Providers and as an Identity
Provider towards the Service Providers.


Through the EGI AAI proxy, users are able to
The EGI Check-in service (also called EGI AAI proxy) enables access to EGI services and resources using federated authentication mechanisms. Specifically, the proxy service is operated as a central hub between federated Identity Providers (IdPs) residing ‘outside’ of the EGI ecosystem, and Service Providers (SPs) that are part of EGI. The main advantage of this design principle is that all entities need to establish and maintain technical and trust relation only to a single entity, the EGI AAI proxy, instead of managing many-to-many relationships. In this context, the proxy acts as a Service Provider towards the Identity Providers and as an Identity Provider towards the Service Providers.
authenticate with the credentials provided by the IdP of their Home
 
Organisation (e.g. via eduGAIN), as well as using social identity providers, or other selected external identity providers (support for eGOV IDs is also foreseen). To achieve this, the EGI
Through the EGI AAI proxy, users are able to authenticate with the credentials provided by the IdP of their Home Organisation (e.g. via eduGAIN), as well as using social identity providers, or other selected external identity providers (support for eGOV IDs is also foreseen). To achieve this, the EGI AAI has built-in support for SAML, OpenID Connect and OAuth2 providers and already enables user logins through Facebook, Google, LinkedIn, and ORCID. In addition to serving as an authentication proxy, the EGI AAI provides a central Discovery Service (Where Are You From – WAYF) for users to select their preferred IdP.
AAI has built-in support for SAML, OpenID Connect and OAuth2 providers and
 
already enables user logins through Facebook, Google, LinkedIn, and ORCID. In
The EGI AAI proxy is also responsible for aggregating user attributes originating from various authoritative sources (IdPs and attribute provider services) and delivering them to the connected EGI service providers in a harmonised and transparent way. Service Providers can use the received attributes for authorisation purposes, i.e. determining the resources the user has access to.  
addition to serving as an authentication proxy, the EGI AAI provides a central
Discovery Service (Where Are You From – WAYF) for users to select their
preferred IdP.


The EGI AAI proxy is
also responsible for aggregating user attributes originating from various
authoritative sources (IdPs and attribute provider services) and delivering
them to the connected EGI service providers in a harmonised and transparent way.
Service Providers can use the received attributes for authorisation purposes,
i.e. determining the resources the user has access to.
{| class="wikitable"
{| class="wikitable"
|-
|-
| '''Tool name'''  
| '''Tool name'''  
| ''EGI AAI''
| ''EGI AAI Check-in Service''
|-
|-
| '''Tool Category and description'''  
| '''Tool Category and description'''  
| ''EGI Core service''  
| ''EGI Core service''  
Provides Authentication and Authorisation capabilities enabling user-friendly and secure access to EGI services
Provides Authentication and Authorisation capabilities enabling user-friendly and secure access to EGI services  


|-
|-
| '''Tool url'''  
| '''Tool url'''  
| https://aai.egi.eu/proxy/<br>
| https://aai.egi.eu/<br>
|-
|-
| '''Email'''  
| '''Email'''  
| <br>
| [mailto:checkin-support@mailman.egi.eu checkin-support@mailman.egi.eu]
|-
|-
| '''GGUS Support unit'''  
| '''GGUS Support unit'''  
| <br>
| [[GGUS:AAI_SUPPORT_FAQ|AAI Support]]
|-
|-
| '''GOC&nbsp;DB&nbsp;entry'''  
| '''GOCDB entry'''  
| <br>
| [https://goc.egi.eu/portal/index.php?Page_Type=Site&id=1825 GRIDOPS-CheckIn]
|-
|-
| '''Requirements tracking - EGI tracker'''  
| '''Requirements tracking - EGI tracker'''  
| <br>
| [https://rt.egi.eu/rt/Search/Results.html?Query=Queue%20%3D%20%27AAI-Check-in%27%20 AAI-Check-in]
|-
|-
| '''Issue tracking - Developers tracker'''  
| '''Issue tracking - Developers tracker'''  
| <br>
| N/A
|-
|-
| '''Release schedule'''  
| '''Release schedule'''  
| <br>
| https://wiki.egi.eu/wiki/EGI-Engage:TASK_JRA1.1_Authentication_and_Authorisation_Infrastructure#Development_Roadmap
|-
|-
| '''Release notes'''  
| '''Release notes'''  
| <br>
| Ν/Α
|-
|-
| '''Roadmap'''  
| '''Roadmap'''  
| <br>
| <span style="font-size: 13.28px;">https://wiki.egi.eu/wiki/EGI-Engage:TASK_JRA1.1_Authentication_and_Authorisation_Infrastructure</span>
|-
|-
| '''Related OLA'''  
| '''Related OLA'''  
Line 67: Line 50:
|-
|-
| '''Test instance url'''  
| '''Test instance url'''  
| https://snf-689289.vm.okeanos.grnet.gr/proxy/<br>
| https://aai-dev.egi.eu/<br>
|-
|-
| '''Documentation'''  
| '''Documentation'''  
| https://wiki.egi.eu/AAI
| https://wiki.egi.eu/wiki/AAI#Documentation
|-
|-
| '''License'''  
| '''License'''  
Line 79: Line 62:
|-
|-
| '''Source code'''  
| '''Source code'''  
| https://github.com/grnet/egaai-ansible
| https://github.com/rciam
|}
|}


Line 86: Line 69:
= Change, Release and Deployment  =
= Change, Release and Deployment  =


TBD
TBD  
 


<br>


= Documentation  =
= Documentation  =


*[[ AAI_guide_for_IdPs | EGI AAI integration guide for Identity Providers ]]
*[https://docs.egi.eu/users/check-in/ Usage Guide]
*[[ AAI_guide_for_SPs | EGI AAI integration guide for Service Providers ]]
*[https://docs.egi.eu/users/check-in/vos/ Guide for VO Managers]
 
*[[AAI expressing vo group membership and role information|Expressing VO/group membership and role information]]
*[https://docs.egi.eu/providers/check-in/idp/ Integration Guide for Identity Providers]
*[https://docs.egi.eu/providers/check-in/sp/ Integration Guide for Service Providers]
**[[AAI guide for OpenStack|OpenStack cloud providers (Apache mod_auth_openidc) ]]
* [[AAI FAQ]]
[[Category:Tools]]
[[Category:Tools]]

Latest revision as of 17:33, 13 January 2022

Alert.png This article is Deprecated and should no longer be used, but is still available for reasons of reference.



Tools menu: Main page Instructions for developers AAI Proxy Accounting Portal Accounting Repository AppDB ARGO GGUS GOCDB
Message brokers Licenses OTAGs Operations Portal Perun EGI Collaboration tools LToS EGI Workload Manager



The EGI Check-in service (also called EGI AAI proxy) enables access to EGI services and resources using federated authentication mechanisms. Specifically, the proxy service is operated as a central hub between federated Identity Providers (IdPs) residing ‘outside’ of the EGI ecosystem, and Service Providers (SPs) that are part of EGI. The main advantage of this design principle is that all entities need to establish and maintain technical and trust relation only to a single entity, the EGI AAI proxy, instead of managing many-to-many relationships. In this context, the proxy acts as a Service Provider towards the Identity Providers and as an Identity Provider towards the Service Providers.

Through the EGI AAI proxy, users are able to authenticate with the credentials provided by the IdP of their Home Organisation (e.g. via eduGAIN), as well as using social identity providers, or other selected external identity providers (support for eGOV IDs is also foreseen). To achieve this, the EGI AAI has built-in support for SAML, OpenID Connect and OAuth2 providers and already enables user logins through Facebook, Google, LinkedIn, and ORCID. In addition to serving as an authentication proxy, the EGI AAI provides a central Discovery Service (Where Are You From – WAYF) for users to select their preferred IdP.

The EGI AAI proxy is also responsible for aggregating user attributes originating from various authoritative sources (IdPs and attribute provider services) and delivering them to the connected EGI service providers in a harmonised and transparent way. Service Providers can use the received attributes for authorisation purposes, i.e. determining the resources the user has access to.

Tool name EGI AAI Check-in Service
Tool Category and description EGI Core service

Provides Authentication and Authorisation capabilities enabling user-friendly and secure access to EGI services

Tool url https://aai.egi.eu/
Email checkin-support@mailman.egi.eu
GGUS Support unit AAI Support
GOCDB entry GRIDOPS-CheckIn
Requirements tracking - EGI tracker AAI-Check-in
Issue tracking - Developers tracker N/A
Release schedule https://wiki.egi.eu/wiki/EGI-Engage:TASK_JRA1.1_Authentication_and_Authorisation_Infrastructure#Development_Roadmap
Release notes Ν/Α
Roadmap https://wiki.egi.eu/wiki/EGI-Engage:TASK_JRA1.1_Authentication_and_Authorisation_Infrastructure
Related OLA N/A
Test instance url https://aai-dev.egi.eu/
Documentation https://wiki.egi.eu/wiki/AAI#Documentation
License Apache License 2.0
Provider GRNET
Source code https://github.com/rciam


Change, Release and Deployment

TBD


Documentation