The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "AAI usage guide"

From EGIWiki
(16 intermediate revisions by 4 users not shown)
Line 11: Line 11:
To access EGI resources, you need to sign up for an account. As part of this process you will be assigned a personal '''EGI ID''', which will then be used across all EGI tools and services. To register your account, follow the instructions below:  
To access EGI resources, you need to sign up for an account. As part of this process you will be assigned a personal '''EGI ID''', which will then be used across all EGI tools and services. To register your account, follow the instructions below:  


{|
{| style="width:80%;"
|- style="vertical-align:top;"
|- style="vertical-align:top;"
!1.  
!1.  
Line 21: Line 21:
* browse through the list of Identity Providers to find your Home Organisation;  
* browse through the list of Identity Providers to find your Home Organisation;  
*: ''or, alternatively,''  
*: ''or, alternatively,''  
*type the name of your Home Organisation in the search box. Note that this filter only matches entries within the currently selected view (tab) of Identity Providers and is localised based on the selected language.
*type the name of your Home Organisation in the search box. Note that the names are localised based on the selected language.
|[[Image:AAI IdP discovery.png|thumb|350px]]
|[[Image:AAI IdP discovery.png|thumb|350px]]
|- style="vertical-align:top;"
|- style="vertical-align:top;"
Line 55: Line 55:
|- style="vertical-align:top;"
|- style="vertical-align:top;"
!8.
!8.
|On the registration form, click '''Review Terms and Conditions''' ([https://documents.egi.eu/document/74 Grid Acceptable Use Policy - Grid AUP]).  
|On the registration form, click '''Review Terms and Conditions''' ([https://documents.egi.eu/document/2623 Acceptable Use Policy and Conditions of Use - EGI AUP]).  
|[[Image:AAI GAUP.png|thumb|350px]]
|[[Image:EGI-AUP.png|thumb|350px]]
|- style="vertical-align:top;"
|- style="vertical-align:top;"
!9.
!9.
Line 67: Line 67:
|- style="vertical-align:top;"
|- style="vertical-align:top;"
!11.
!11.
|After submitting your request, EGI AAI will send you an email with a verification link in it. After you click that link, you'll be taken to the request confirmation page.  
|After submitting your request, EGI AAI will send you an email with a verification link in it. After you click that link, you'll be taken to the request confirmation page. ''Important: If you do not find the email in your Inbox, please check your Spam or Junk folder for an email from "EGI AAI Notifications". If you do find the email in these folders, mark the email as "safe" or "not spam" to ensure that you receive any future notifications about your EGI ID.''
|
|
|- style="vertical-align:top;"
|- style="vertical-align:top;"
Line 85: Line 85:
Identity linking allows you to access EGI resources with your existing personal EGI ID, using any of the login credentials you have linked to your account. You can use any of your organisational or social login credentials for this purpose. To link a new organisational or social identity to your EGI account:  
Identity linking allows you to access EGI resources with your existing personal EGI ID, using any of the login credentials you have linked to your account. You can use any of your organisational or social login credentials for this purpose. To link a new organisational or social identity to your EGI account:  


{|
{| style="width:80%";
|- style="vertical-align:top;"
|- style="vertical-align:top;"
!1.  
!1.  
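Review bot: The new table opener `{| style="width:80%";` has the semicolon outside the closing quote, so a stray `;` follows the attribute. The sign-up table earlier in this revision uses `{| style="width:80%;"`; use the same form here.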
Line 112: Line 112:
!6.
!6.
|On the Link New Identity form, click '''Review Terms and Conditions''' ([https://documents.egi.eu/document/74 Grid Acceptable Use Policy - Grid AUP]).  
|On the Link New Identity form, click '''Review Terms and Conditions''' ([https://documents.egi.eu/document/74 Grid Acceptable Use Policy - Grid AUP]).  
|[[Image:AAI link new identity form.png|thumb|350px]][[Image:AAI GAUP.png|thumb|350px]]
|[[Image:AAI link new identity form.png|thumb|350px]][[Image:EGI-AUP.png|thumb|350px]]
|- style="vertical-align:top;"
|- style="vertical-align:top;"
!7.
!7.
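Review bot: Step 6 now shows the EGI-AUP.png screenshot, but the unchanged text line above it still links to https://documents.egi.eu/document/74 (Grid Acceptable Use Policy - Grid AUP), while step 8 of the sign-up section was switched to document/2623 (EGI AUP) in this same revision. Update the link in this step as well so the text and the screenshot refer to the same document.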
Line 137: Line 137:
|After successful authentication, you'll be able to access EGI resources with your existing personal EGI ID using the login credentials of the Identity Provider you selected in '''Step 11'''.
|After successful authentication, you'll be able to access EGI resources with your existing personal EGI ID using the login credentials of the Identity Provider you selected in '''Step 11'''.
|[[Image:AAI link new identity confirmed.png|thumb|350px]]
|[[Image:AAI link new identity confirmed.png|thumb|350px]]
|}
== Linking your Certificate to your EGI Account  ==
Certificate linking allows you to add the subject DN of your certificate to your existing personal EGI ID. For this you need to import your certificate to your browser.<br/>To link a subject DN to your EGI account:
<br/>
{| style="width:80%";
|- style="vertical-align:top;"
!1.
|Enter the following URL in a browser: https://aai.egi.eu/registry
|[[Image:AAI registry url.png|thumb|250px]]
|- style="vertical-align:top;"
!2.
|Click '''Login''' and authenticate using the login credentials of EGI account you prefer to add to your subject DN
|[[Image:AAI registry login.png|thumb|250px]]
|- style="vertical-align:top;"
!3.
|Navigate to '''My EGI User Community Account''' page in one of the following ways:
*hover over your display name next to the person icon on the top right corner of the page;
*: ''or, alternatively,''
*select '''EGI User Community''' from the list of available Collaborations and then click '''My EGI User Community Account''' from the '''People''' menu
|[[Image:AAI my account.png|thumb|250px]]
|- style="vertical-align:top;"
!4.
|Under the '''Organisational Identities''' section of your profile page, click '''Link New Identity'''.
|[[Image:AAI link new identity.png|thumb|350px]]
|- style="vertical-align:top;"
!5.
|On the introductory page for Identity Linking, click '''Begin'''
|[[Image:AAI link new identity intro.png|thumb|350px]]
|- style="vertical-align:top;"
!6.
|On the Link New Identity form, click '''Review Terms and Conditions''' ([https://documents.egi.eu/document/74 Grid Acceptable Use Policy - Grid AUP]).
|[[Image:AAI link new identity form.png|thumb|350px]][[Image:EGI-AUP.png|thumb|350px]]
|- style="vertical-align:top;"
!7.
|If you agree to the EGI AAI Terms of Use, select the '''I Agree''' option. ''Important: You will not be able to agree to the terms until you review them.''
|[[Image:AAI ToU agreement.png|thumb|350px]]
|- style="vertical-align:top;"
!8.
|Finally, click '''Submit''' to submit your request. ''Important: You will not be able to submit your request until you agree to the terms.''
|
|- style="vertical-align:top;"
!9.
|After submitting your request, you will be logged out automatically from your current account and EGI AAI will send you an email with a link in it.
After you click that link, you'll be taken to the Link New Identity confirmation page.
|[[Image:AAI link new identity submitted.png|thumb|350px]]
|- style="vertical-align:top;"
!10.
|On the Link New Identity confirmation page, click '''Confirm'''
|[[Image:AAI link new identity confirm.png|thumb|350px]]
|- style="vertical-align:top;"
!11.
|After confirmation, you will need to sign in using the '''IGTF Certificate Proxy'''.
|[[Image:AAI IdP discovery IGTF.png|thumb|350px]]
|- style="vertical-align:top;"
!12.
|Then select the certificate you want to link to your account from the popup window.
|[[Image:Select Certificate.png|thumb|350px]]
|- style="vertical-align:top;"
!13.
|After successful authentication, you'll be able to access EGI resources with<br/>your existing personal EGI ID using '''IGTF Certificate Proxy''' and your certificate.
|[[Image:AAI link new identity confirmed.png|thumb|350px]]
|- style="vertical-align:top;"
!14.
|To verify that the sunject DN is added to your EGI account login using<br/>'''IGTF Certificate Proxy''' in the following link https://aai.egi.eu/registry/auth/login
|[[Image:Login using IGTF.png|thumb|350px]]
|- style="vertical-align:top;"
!15.
|Navigate to '''My EGI User Community Account''' page by hovering over your<br/>display name next to the person icon on the top right corner of the page.
Then scroll down to '''Organisational Identities''' and clink on '''view''' button in the row<br/>where the source is ''https://edugain-proxy.igtf.net/simplesaml/saml2/idp/metadata.php''.
|[[Image:List organisational Identities.png|thumb|350px]]
|- style="vertical-align:top;"
!16.
|Then scroll down to ''Certificates'' and you should see the subject DN of your certificate.
|[[Image:Certificates preview.png|thumb|350px]]
|- style="vertical-align:top;"
|}
= Viewing user profile information =
The profile includes all the information related to the user. This information can be categorised as follows:
# Basic profile
# VO/Group membership
# VO Affiliations and Roles
# Linked identities
<br/><br/>
{| style='width: 80%;'
|- style='vertical-align:center;'
!1.
| <ol><li>Basic profile:<ul><li>Name<li>Identifiers<li>Email Addresses
| style="float:right;" | [[File:User profile demographic.png|400px|thumb|none]]
|- style="vertical-align:center;"
!2.
| <ol><li>VO/Group Membership
| style="float:right;" | [[File:Screenshot from 2020-04-10 13-38-18.png|400px|thumb|none]]
|- style="vertical-align:center;"
!3.
| <ol><li>Roles
| style="float:right;" | [[File:Image1.png|400px|thumb|none]]
|- style="vertical-align:center;"
!4.
| <ol><li>Linked Identities
| style="float:right;" | [[File:Image5.png|400px|thumb|none]]
|}
|}
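Review bot: The added certificate-linking table repeats the `{| style="width:80%";` opener with the semicolon outside the quotes, and it ends with an empty `|- style="vertical-align:top;"` row right before `|}`; fix the attribute and drop the empty row. Other points in the added text: step 14 reads "sunject DN" and step 15 "clink on"; step 6 still links the Grid AUP (document/74) next to the EGI-AUP.png image; the profile table rows use `vertical-align:center;`, which is not a valid value (`middle` is); and each profile row opens a fresh `<ol><li>` that is never closed, so every entry is numbered 1 inside a cell that already has its own number in the header column. The profile table also labels row 3 "Roles" while the list above it says "VO Affiliations and Roles"; pick one.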

Revision as of 10:03, 23 April 2020


Overview

This wiki page contains information about registering an account with the EGI AAI in order to access a variety of EGI tools and services using the same account.

This process is not about creating yet another (username/password) credential, but about linking the user's existing credential (for example, using an eduGAIN IdP) with EGI.

Signing Up for an EGI Account

To access EGI resources, you need to sign up for an account. As part of this process you will be assigned a personal EGI ID, which will then be used across all EGI tools and services. To register your account, follow the instructions below:

1. Enter the following URL in a browser: https://aai.egi.eu/signup
2. Select your Identity Provider from the discovery page:
  • browse through the list of Identity Providers to find your Home Organisation;
    or, alternatively,
  • type the name of your Home Organisation in the search box. Note that the names are localised based on the selected language.
3. Enter your login credentials to authenticate yourself with your Home Organisation
4. After successful authentication, you may be prompted by your Home Organisation to consent to the release of personal information to the EGI AAI Service Provider Proxy.
5. On the EGI AAI Consent about releasing personal information page, click Yes, continue to consent to the release of personal information to the EGI User Account Registry. If you select the Remember option, your browser will remember your choice unless you clear your cookies or restart the browser.
6. After successful authentication, you will be redirected to the EGI account registration form. On the introductory page, click Begin to start the registration process.
7. Depending on the attributes released by your Identity Provider, you will need to go through one of the following account registration processes:
  1. Self-service Sign Up: Allows you to join the EGI User Community without approval by an administrator if all the information below is asserted by your Home Organisation:
    1. at least one of the following unique user identifiers:
      • your pseudonymous, non-reassignable identifier (eduPersonUniqueId attribute);
      • your name-based identifier (eduPersonPrincipalName attribute);
      • your pseudonymous identifier (eduPersonTargetedID attribute or SAML persistent identifier)
    2. your first name (givenName attribute)
    3. your surname (sn attribute)
    4. your email address (mail attribute)
    5. your role (affiliation) in your Home Organisation (eduPersonScopedAffiliation attribute)
  2. Sign Up: If any of the information above cannot be released by your Home Organisation, you will need to provide the values of the missing attributes yourself. Your request to join the EGI User Community must then be approved by an EGI User Sponsor. You may optionally select a particular individual to review your request through the Sponsor dropdown list.
8. On the registration form, click Review Terms and Conditions (Acceptable Use Policy and Conditions of Use - EGI AUP).
9. If you agree to the EGI AAI Terms of Use, select the I Agree option. Important: You will not be able to agree to the terms until you review them.
10. Finally, click Submit to submit your request. Important: You will not be able to submit your request until you agree to the terms.
11. After submitting your request, EGI AAI will send you an email with a verification link in it. After you click that link, you'll be taken to the request confirmation page. Important: If you do not find the email in your Inbox, please check your Spam or Junk folder for an email from "EGI AAI Notifications". If you do find the email in these folders, mark the email as "safe" or "not spam" to ensure that you receive any future notifications about your EGI ID.
12. After reviewing your request, click Confirm and re-authenticate yourself using the Identity Provider you selected in Step 2.
13. In the case of the Sign Up registration, you need to wait for an EGI User Sponsor to approve your request to join the EGI User Community. Upon approval, EGI AAI will send you a notification email.

Note: After your registration has been completed, you can manage your profile through the EGI Account Registry portal at https://aai.egi.eu/registry.
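
The attribute rule from step 7, written out as an added example (it is not part of the EGI guide or of the EGI AAI code): it reads the attributes released in a SAML assertion and reports which registration process applies and which attributes are missing. The function names, the `persistentNameID` key and the sample assertions are assumptions made for the illustration; the urn:oid names are the standard identifiers of the attributes listed in step 7.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# urn:oid attribute names mapped to the friendly names used in step 7
OID = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}
# "persistentNameID" is a hypothetical key standing for the SAML persistent identifier
IDENTIFIERS = ("eduPersonUniqueId", "eduPersonPrincipalName",
               "eduPersonTargetedID", "persistentNameID")
REQUIRED = ("givenName", "sn", "mail", "eduPersonScopedAffiliation")

def released_attributes(assertion_xml):
    """Return {friendly name: [values]}; presence check only, no signature validation."""
    root = ET.fromstring(assertion_xml)
    released = {}
    for attr in root.iter(NS + "Attribute"):
        name = OID.get(attr.get("Name"), attr.get("Name"))
        # itertext() also covers eduPersonTargetedID, whose value is a nested NameID
        values = ["".join(v.itertext()).strip() for v in attr.iter(NS + "AttributeValue")]
        values = [v for v in values if v]
        if values:  # released with only empty values counts as missing
            released.setdefault(name, []).extend(values)
    name_id = root.find(".//" + NS + "Subject/" + NS + "NameID")
    if name_id is not None and name_id.get("Format") == PERSISTENT:
        if (name_id.text or "").strip():
            released["persistentNameID"] = [name_id.text.strip()]
    return released

def signup_flow(released):
    """Return (flow, missing) following the rules of step 7."""
    missing = [name for name in REQUIRED if name not in released]
    if not any(name in released for name in IDENTIFIERS):
        missing.insert(0, "unique user identifier")
    return ("Sign Up" if missing else "Self-service Sign Up"), missing

def sample_assertion(attrs, name_id=""):
    """Build a constructed (unsigned) assertion for the demonstration."""
    body = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                   '</saml:AttributeValue></saml:Attribute>' for n, v in attrs)
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:Subject>{name_id}</saml:Subject>'
            f'<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>')

# Constructed samples, not real IdP output
FULL = sample_assertion([("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "jdoe@example.org"),
                         ("urn:oid:2.5.4.42", "Jane"), ("urn:oid:2.5.4.4", "Doe"),
                         ("mail", "jdoe@example.org"),
                         ("urn:oid:1.3.6.1.4.1.5923.1.1.1.9", "member@example.org")])
PARTIAL = sample_assertion([("givenName", "Jane"), ("sn", "Doe"), ("mail", " ")],
                           f'<saml:NameID Format="{PERSISTENT}">a1b2c3</saml:NameID>')
for sample in (FULL, PARTIAL):
    print(signup_flow(released_attributes(sample)))
```

An Identity Provider operator can run this against a test assertion to see in advance whether users will go through Self-service Sign Up or will need sponsor approval.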

Linking Additional Organisational/Social Identities to your EGI Account

Identity linking allows you to access EGI resources with your existing personal EGI ID, using any of the login credentials you have linked to your account. You can use any of your organisational or social login credentials for this purpose. To link a new organisational or social identity to your EGI account:

1. Enter the following URL in a browser: https://aai.egi.eu/registry
2. Click Login and authenticate using any of the login credentials already linked to your EGI account
3. Navigate to My EGI User Community Account page in one of the following ways:
  • hover over your display name next to the gear icon on the top right corner of the page;
    or, alternatively,
  • select EGI User Community from the list of available Collaborations and then click My EGI User Community Account from the People menu
4. Under the Organisational Identities section of your profile page, click Link New Identity.
5. On the introductory page for Identity Linking, click Begin
6. On the Link New Identity form, click Review Terms and Conditions (Grid Acceptable Use Policy - Grid AUP).
7. If you agree to the EGI AAI Terms of Use, select the I Agree option. Important: You will not be able to agree to the terms until you review them.
8. Finally, click Submit to submit your request. Important: You will not be able to submit your request until you agree to the terms.
9. After submitting your request, EGI AAI will send you an email with a link in it. After you click that link, you'll be taken to the Link New Identity confirmation page.
10. On the Link New Identity confirmation page, click Confirm
11. After confirmation, you will need to sign in using the login credentials from the Institutional/Social Identity Provider you want to link to your account.
12. After successful authentication, you'll be able to access EGI resources with your existing personal EGI ID using the login credentials of the Identity Provider you selected in Step 11.

Linking your Certificate to your EGI Account

Certificate linking allows you to add the subject DN of your certificate to your existing personal EGI ID. For this you need to import your certificate to your browser.
To link a subject DN to your EGI account:

1. Enter the following URL in a browser: https://aai.egi.eu/registry
2. Click Login and authenticate using the login credentials of the EGI account to which you want to add your subject DN
3. Navigate to My EGI User Community Account page in one of the following ways:
  • hover over your display name next to the person icon on the top right corner of the page;
    or, alternatively,
  • select EGI User Community from the list of available Collaborations and then click My EGI User Community Account from the People menu
4. Under the Organisational Identities section of your profile page, click Link New Identity.
5. On the introductory page for Identity Linking, click Begin
6. On the Link New Identity form, click Review Terms and Conditions (Grid Acceptable Use Policy - Grid AUP).
7. If you agree to the EGI AAI Terms of Use, select the I Agree option. Important: You will not be able to agree to the terms until you review them.
8. Finally, click Submit to submit your request. Important: You will not be able to submit your request until you agree to the terms.
9. After submitting your request, you will be logged out automatically from your current account and EGI AAI will send you an email with a link in it. After you click that link, you'll be taken to the Link New Identity confirmation page.
10. On the Link New Identity confirmation page, click Confirm
11. After confirmation, you will need to sign in using the IGTF Certificate Proxy.
12. Then select the certificate you want to link to your account from the popup window.
13. After successful authentication, you'll be able to access EGI resources with your existing personal EGI ID using IGTF Certificate Proxy and your certificate.
14. To verify that the subject DN has been added to your EGI account, log in using the IGTF Certificate Proxy at the following link: https://aai.egi.eu/registry/auth/login
15. Navigate to the My EGI User Community Account page by hovering over your display name next to the person icon on the top right corner of the page. Then scroll down to Organisational Identities and click the view button in the row where the source is https://edugain-proxy.igtf.net/simplesaml/saml2/idp/metadata.php.
16. Then scroll down to Certificates and you should see the subject DN of your certificate.

Viewing user profile information

The profile includes all the information related to the user. This information can be categorised as follows:

  1. Basic profile
  2. VO/Group membership
  3. VO Affiliations and Roles
  4. Linked identities



1. Basic profile:
  • Name
  • Identifiers
  • Email Addresses
2. VO/Group Membership
3. Roles
4. Linked Identities