Difference between revisions of "AAI FAQ"
|Line 1:||Line 1:|
Latest revision as of 17:33, 13 January 2022
|This article is Deprecated and should no longer be used, but is still available for reasons of reference.|
AAI and CheckIn FAQ
IdP and user questions
Connect to CheckIn an IdP federated in an hub and spoke federations
Question: I get an error similar to: "Error - No connection between institution and service" (SURFconext example)
In case of a "hub and spoke" federation the federation coordinator may require that the IdP administrators explicitly request to connect to a SP and let their users to authenticate on these SP.
In most of the cases this is not a configuration problem neither for the CheckIn service nor for the Identity provider. The connection needs to be implemented in the hub and spoke IdP Proxy.
One example of such federation is SURFconext, the national IdP federation for research and education in the Netherlands operated by SURFnet. If you are using credentials from a Dutch IdP in eduGAIN, you or your IdP administrators need to request the connection. The following steps will lead you to perform the connection:
- Connect to SURFconext dashboard
- Search for "EGI AAI Service provider proxy"
- If the service does not show in the search, you need to ask SURFnet to add it in the dashboard, please write to support at surfconext dot nl
- In the dashboard, near the "EGI AAI Service provider proxy" there should be a "Connect" button, this will create a service ticket and the SURFconext team will make the connection active.
- After you received confirmation that the "EGI AAI Service provider proxy" is accessible, you will be able to login in CheckIn
Authentication error with ADFS-based Identity Providers
Question: Why do I get the error below after successfully authenticating at my Home IdP?
opensaml::FatalProfileException at (https://aai.egi.eu/registry.sso/SAML2/POST) SAML response reported an IdP error. Error from identity provider: Status: urn:oasis:names:tc:SAML:2.0:status:Responder
The Responder error status is typically returned from ADFS-based IdP implementations (notably Microsoft ADFS 2.0 and ADFS 3.0) that cannot properly handle Scoping elements (see https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping). CheckIn can be configured to omit the scoping element from the authentication requests sent to such IdPs in order to allow successful logins. Please contact the CheckIn support team and include a screenshot of your error.