Overview

This wiki page contains information about enabling federated access to EGI tools and services through the EGI AAI Proxy.

SAML Service Provider

To enable federated access to a web-based application, you need to connect to the EGI AAI IdP Proxy as a SAML Service Provider (SP). Users of the application will be redirected to the Proxy to log in, and the Proxy can authenticate them using any of the supported backend authentication mechanisms, such as institutional IdPs registered with eduGAIN or Social Providers. Once the user is authenticated, the EGI AAI Proxy will return a SAML assertion to the application containing information about the authenticated user.

Metadata

SAML authentication relies on the use of metadata. Both parties (you as a SP and the EGI AAI IdP) need to exchange metadata in order to know and trust each other. The metadata include information such as the location of the service endpoints that need to be invoked, as well as the certificates that will be used to sign SAML messages. The format of the exchanged metadata should be based on the XML-based SAML 2.0 specification. Usually, you will not need to manually create such an XML document, as this is automatically generated by all major SAML 2.0 SP software solutions (e.g., Shibboleth, SimpleSAMLphp, and mod_auth_mellon). It is important that you serve your metadata over HTTPS using a browser-friendly SSL certificate, i.e. issued by a trusted certificate authority.

You can get the metadata of the EGI IdP Proxy on a dedicated URL:

https://aai.egi.eu/proxy/saml2/idp/metadata.php

Attribute