The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed, you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "AAI FAQ"

From EGIWiki
Latest revision as of 16:33, 13 January 2022

This article is deprecated and should no longer be used, but is still available for reference.




AAI and CheckIn FAQ

IdP and user questions

Connect to CheckIn an IdP federated in a hub and spoke federation

Question: I get an error similar to: "Error - No connection between institution and service" (SURFconext example)

Answer:

In a "hub and spoke" federation, the federation coordinator may require that IdP administrators explicitly request a connection to an SP in order to let their users authenticate on that SP.

In most cases this is not a configuration problem for either the CheckIn service or the Identity Provider. The connection needs to be implemented in the hub and spoke IdP Proxy.

One example of such a federation is SURFconext, the national IdP federation for research and education in the Netherlands operated by SURFnet. If you are using credentials from a Dutch IdP in eduGAIN, you or your IdP administrators need to request the connection. The following steps establish the connection:

  • Connect to the SURFconext dashboard
  • Search for "EGI AAI Service provider proxy"
    • If the service does not show up in the search, you need to ask SURFnet to add it to the dashboard; please write to support at surfconext dot nl
  • In the dashboard, next to the "EGI AAI Service provider proxy" entry, there should be a "Connect" button; clicking it will create a service ticket and the SURFconext team will make the connection active.
  • After you have received confirmation that the "EGI AAI Service provider proxy" is accessible, you will be able to log in to CheckIn

Authentication error with ADFS-based Identity Providers

Question: Why do I get the error below after successfully authenticating at my Home IdP?

opensaml::FatalProfileException at (https://aai.egi.eu/registry.sso/SAML2/POST)
SAML response reported an IdP error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder

Answer:

The Responder error status is typically returned from ADFS-based IdP implementations (notably Microsoft ADFS 2.0 and ADFS 3.0) that cannot properly handle Scoping elements (see https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping). CheckIn can be configured to omit the scoping element from the authentication requests sent to such IdPs in order to allow successful logins. Please contact the CheckIn support team and include a screenshot of your error.
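
A triage sketch for the failure described above, added here as an example (not CheckIn or EGI code): it correlates a captured AuthnRequest with the IdP's Response and reports whether a top-level Responder status coincides with a Scoping element in the request. The XML samples, entity IDs, result labels and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"

# Constructed samples (not captured traffic); IDs and entity IDs are made up.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-req-1" Version="2.0" IssueInstant="2022-01-13T16:33:00Z">
  <samlp:Scoping ProxyCount="2">
    <samlp:RequesterID>https://sp.example.org/metadata</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>"""

SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-resp-1" InResponseTo="_constructed-req-1"
    Version="2.0" IssueInstant="2022-01-13T16:33:05Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>"""


def scoping_summary(request_root):
    """Return what the Scoping element carries, or None if the request has none."""
    scoping = request_root.find("samlp:Scoping", NS)
    if scoping is None:
        return None
    return {
        "proxy_count": scoping.get("ProxyCount"),
        "requester_ids": [(e.text or "").strip()
                          for e in scoping.findall("samlp:RequesterID", NS)],
    }


def triage(request_xml, response_xml):
    """Classify a failed login from the AuthnRequest/Response pair."""
    # Fine for these inline samples; parse real SAML with a hardened parser (e.g. defusedxml).
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    if resp.get("InResponseTo") != req.get("ID"):
        return "unrelated-response", None
    code = resp.find("samlp:Status/samlp:StatusCode", NS)  # top-level code only
    if code is None or code.get("Value") != RESPONDER:
        return "not-a-responder-error", None
    summary = scoping_summary(req)
    if summary is None:
        return "responder-error-other-cause", None
    return "responder-error-with-scoping", summary
```

A `responder-error-with-scoping` result is consistent with the ADFS behaviour described in the answer, and the returned summary is useful detail to attach when contacting the CheckIn support team.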