The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

AAI guide for SPs

From EGIWiki
Revision as of 03:47, 3 June 2016 by Nliam


Overview

This wiki page contains information about enabling federated access to EGI tools and services through the EGI AAI Proxy.

SAML Service Provider

To enable federated access to a web-based application, you need to connect to the EGI AAI IdP Proxy as a SAML Service Provider (SP). Users of the application will be redirected to the Proxy to log in, and the Proxy can authenticate them using any of the supported backend authentication mechanisms, such as institutional IdPs registered with eduGAIN or Social Providers. Once the user is authenticated, the EGI AAI Proxy will return a SAML assertion to the application containing information about the authenticated user.

Metadata

SAML authentication relies on the use of metadata. Both parties (you as an SP and the EGI AAI IdP) need to exchange metadata in order to know and trust each other. The metadata include information such as the location of the service endpoints that need to be invoked, as well as the certificates that will be used to sign SAML messages. The exchanged metadata must follow the XML-based SAML 2.0 metadata specification. Usually, you will not need to create such an XML document by hand, as it is generated automatically by all major SAML 2.0 SP software solutions (e.g., Shibboleth, SimpleSAMLphp, and mod_auth_mellon). It is important that you serve your metadata over HTTPS using a browser-friendly SSL certificate, i.e. one issued by a trusted certificate authority.

You can get the metadata of the EGI IdP Proxy on a dedicated URL:

https://aai.egi.eu/proxy/saml2/idp/metadata.php

Attribute release

The EGI AAI IdP Proxy is guaranteed to release a minimal subset of the REFEDS R&S attribute bundle to connected Service Providers without administrative involvement, subject to user consent. The following attributes constitute a minimal subset of the R&S attribute bundle:

  • unique EGI user ID (eduPersonUniqueId)
  • email address
  • displayName OR (givenName AND sn)

A more extensive list of the attributes that may be made available to Service Providers is included in the following table:

Attribute friendly name      Attribute OID                        Example value
eduPersonUniqueId            urn:oid:1.3.6.1.4.1.5923.1.1.1.13    ef72285491ffe53c39b75bdcef46689f5d26ddfa00312365cc4fb5ce97e9ca87@egi.eu
mail                         urn:oid:0.9.2342.19200300.100.1.3    john.doe@example.org
displayName                  urn:oid:2.16.840.1.113730.3.1.241    John Doe
givenName                    urn:oid:2.5.4.42                     John
sn                           urn:oid:2.5.4.4                      Doe
eduPersonAssurance           urn:oid:1.3.6.1.4.1.5923.1.1.1.16    https://aai.egi.eu/LoA#Substantial
distinguishedName            urn:oid:1.3.6.1.4.1.5923.1.1.1.11    /C=NL/O=Example.org/CN=John Doe
eduPersonScopedAffiliation   urn:oid:1.3.6.1.4.1.5923.1.1.1.9     faculty@example.org
eduPersonEntitlement         urn:oid:1.3.6.1.4.1.5923.1.1.1.7     urn:mace:egi.eu:www.egi.eu:wiki-editors:member@egi.eu