|
|
| (14 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| {{TOC_right}} | | {{TOC_right}} |
|
| |
|
| = Overview =
| | The documentation has moved to https://docs.egi.eu/providers/check-in/idp/. |
| | |
| This wiki page contains information about integrating your identity provider with the [[AAI | EGI AAI Proxy]] in order to allow users in your community to access EGI tools and services.
| |
| | |
| = SAML Identity Provider =
| |
| | |
| To allow users in your community to sign into federated EGI applications, you need to connect to the EGI AAI SP Proxy as a SAML Identity Provider (IdP). Users of the application will be redirected to the central Discovery Service page of the EGI AAI Proxy where they will able to select to authenticate at your IdP. Once the user is authenticated, the EGI AAI Proxy will return a SAML assertion to the application containing the information returned by your IdP about the authenticated user.
| |
| | |
| == Metadata registration ==
| |
| | |
| SAML authentication relies on the use of metadata. Both parties (you as an IdP and the EGI AAI SP) need to exchange metadata in order to know and trust each other. The metadata include information such as the location of the service endpoints that need to be invoked, as well as the certificates that will be used to sign SAML messages. The format of the exchanged metadata should be based on the XML-based [https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf SAML 2.0 specification]. Usually, you will not need to manually create such an XML document, as this is automatically generated by all major SAML 2.0 IdP software solutions (e.g., Shibboleth, SimpleSAMLphp). It is important that you serve your metadata over HTTPS using a browser-friendly SSL certificate, i.e. issued by a trusted certificate authority.
| |
| | |
| You can get the metadata of the EGI SP Proxy on a dedicated URL:
| |
| <pre>
| |
| https://aai.egi.eu/proxy/module.php/saml/sp/metadata.php/sso
| |
| </pre>
| |
| | |
| == Attribute release ==
| |
| | |
| Within the EGI environment, a user must have one persistent, non-reassignable, non-targeted, opaque, and globally unique identifier. To achieve this, the EGI AAI Proxy generates a <tt>eduPersonUniqueId</tt> (urn:oid:1.3.6.1.4.1.5923.1.1.1.13) attribute based on the first non-empty value from this attribute list:
| |
| * <tt>eduPersonUniqueId</tt>
| |
| * <tt>eduPersonPrincipalName</tt>
| |
| * <tt>eduPersonTargetedID</tt>
| |
| | |
| As such, it is required by your IdP to release at least one of the above user identifiers.
| |
| | |
| The selected attribute value is hashed and the <tt>"egi.eu"</tt> scope portion is added to the generated ePUID, e.g.:
| |
|
| |
| <pre>
| |
| ef72285491ffe53c39b75bdcef46689f5d26ddfa00312365cc4fb5ce97e9ca87@egi.eu
| |
| </pre>
| |
| | |
| The generated ePUID should be accompanied with a minimum set of attributes:
| |
| | |
| * Email address (<tt>mail</tt>)
| |
| * Display name (<tt>displayName</tt>) OR (<tt>givenName</tt> AND <tt>sn</tt>)
| |
| | |
| The EGI AAI SP Proxy will attempt to retrieve these attributes from your IdP. If this is not possible, the missing user attributes will be acquired and verified through the user registration process with the EGI Account Registry .
| |
| | |
| Note that the above set of request attributes complies with the [https://refeds.org/category/research-and-scholarship REFEDS R&S] attribute bundle.
| |
| | |
| A more extensive list of all the attributes that may be made available to Service Providers is included in the following table:
| |
| | |
| {| class="wikitable"
| |
| |-
| |
| ! Attribute friendly name
| |
| ! Attribute OID
| |
| ! Example value
| |
| |-
| |
| |<tt>eduPersonUniqueId</tt>
| |
| |<tt>urn:oid:1.3.6.1.4.1.5923.1.1.1.13</tt>
| |
| |<tt>ef72285491ffe53c39b75bdcef46689f5d26ddfa00312365cc4fb5ce97e9ca87@egi.eu</tt>
| |
| |-
| |
| |<tt>mail</tt>
| |
| |<tt>urn:oid:0.9.2342.19200300.100.1.3</tt>
| |
| |<tt>john.doe@example.org</tt>
| |
| |-
| |
| |<tt>displayName</tt>
| |
| |<tt>urn:oid:2.16.840.1.113730.3.1.241</tt>
| |
| |<tt>John Doe</tt>
| |
| |-
| |
| |<tt>givenName</tt>
| |
| |<tt>urn:oid:2.5.4.42</tt>
| |
| |<tt>John</tt>
| |
| |-
| |
| |<tt>sn</tt>
| |
| |<tt>urn:oid:2.5.4.4</tt>
| |
| |<tt>Doe</tt>
| |
| |-
| |
| |<tt>eduPersonAssurance</tt>
| |
| |<tt>urn:oid:1.3.6.1.4.1.5923.1.1.1.11</tt>
| |
| |<tt>https://aai.egi.eu/LoA#Substantial</tt>
| |
| |-
| |
| |<tt>distinguishedName</tt>
| |
| |<tt>urn:oid:2.5.4.49</tt>
| |
| |<tt>/C=NL/O=Example.org/CN=John Doe</tt>
| |
| |-
| |
| |<tt>eduPersonScopedAffiliation</tt>
| |
| |<tt>urn:oid:1.3.6.1.4.1.5923.1.1.1.9</tt>
| |
| |<tt>faculty@example.org</tt>
| |
| |-
| |
| |<tt>eduPersonEntitlement</tt>
| |
| |<tt>urn:oid:1.3.6.1.4.1.5923.1.1.1.7</tt>
| |
| |<tt>urn:mace:egi.eu:www.egi.eu:wiki-editors:member@egi.eu</tt>
| |
| |}
| |
The wiki is deprecated and due to be decommissioned by the end of September 2022.