AAI guide for IdPs
This wiki page contains information about integrating your identity provider with the EGI AAI Proxy in order to allow users in your community to access EGI tools and services.
Organisations who want to register their IDP in Check-in needs to fill this form in case the IdP is not publishing R&S and Sirtfi compliance in eduGAIN. A PDF scansion of a printed and signed copy should be sent to operations [at] egi.eu
Identity Provider integration workflow
To integrate your Identity Provider with the EGI Check-in service, you need to submit a GGUS ticket indicating your request. The responsible support unit is AAI Support. The integration follows a two-step process:
- Step 1. Register your Identity Provider and test integration with the development instance of EGI Check-in. The development instance allows for testing authentication and authorisation to EGI services and resources without affecting the production environment of EGI. Note that the development instance is not connected to the production service and no information is shared between the two systems.
- Step 2. Register your Identity Provider with the production instance of EGI Check-in to allow members of your Community to access production EGI services and resources protected by Check-in. This requires that your Identity Provider meets all the policy requirements and that integration has been thoroughly tested during Step 1.
The most important URLs for each environment are listed in the table below but more information can be found in the protocol-specific sections that follow.
|Protocol||Development environment||Production environment|
SAML Identity Provider
To allow users in your community to sign into federated EGI applications, you need to connect to the EGI AAI SP Proxy as a SAML Identity Provider (IdP). Users of the application will be redirected to the central Discovery Service page of the EGI AAI Proxy where they will able to select to authenticate at your IdP. Once the user is authenticated, the EGI AAI Proxy will return a SAML assertion to the application containing the information returned by your IdP about the authenticated user.
SAML authentication relies on the use of metadata. Both parties (you as an IdP and the EGI AAI SP) need to exchange metadata in order to know and trust each other. The metadata include information such as the location of the service endpoints that need to be invoked, as well as the certificates that will be used to sign SAML messages. The format of the exchanged metadata should be based on the XML-based SAML 2.0 specification. Usually, you will not need to manually create such an XML document, as this is automatically generated by all major SAML 2.0 IdP software solutions (e.g., Shibboleth, SimpleSAMLphp). It is important that you serve your metadata over HTTPS using a browser-friendly SSL certificate, i.e. issued by a trusted certificate authority.
To exchange metadata, please send an email including the following information:
- Metadata URL
Depending on the software you are using, the authoritative XML metadata URL for your IdP might be in the following form:
Note that if your IdP is part of a federation, then it would be preferred to send us the URL to a signed federation metadata aggregate. We can then cherry pick the appropriate entityID from that.
You can get the metadata of the EGI Check-in SP Proxy on a dedicated URL that depends on the integration environment being used:
|Development environment||Production environment|
For the production environment, it is recommended that you get the metadata for the EGI Check-in SP (entityID:
https://aai.egi.eu/proxy/module.php/saml/sp/metadata.php/sso) from a signed eduGAIN metadata aggregate. For example, the following aggregates are provided by GRNET:
Within the EGI environment, a user must have one persistent, non-reassignable, non-targeted, opaque, and globally unique identifier. To achieve this, the EGI AAI Proxy generates a eduPersonUniqueId (urn:oid:126.96.36.199.4.1.59188.8.131.52.13) attribute based on the first non-empty value from this attribute list:
- eduPersonTargetedID / SAML 2.0 Persistent NameID
As such, it is required by your IdP to release at least one of the above user identifiers.
The selected attribute value is hashed and the "egi.eu" scope portion is added to the generated ePUID, e.g.:
The generated ePUID should be accompanied with a minimum set of attributes:
- Email address (mail)
- Display name (displayName) OR (givenName AND sn)
- Affiliation with home organisation (eduPersonScopedAffiliation)
Note that the above set of request attributes complies with the REFEDS R&S attribute bundle.
The EGI AAI SP Proxy will attempt to retrieve these attributes from your IdP. If this is not possible, the missing user attributes may be acquired and verified through the user registration process with the EGI Account Registry.
Information about group membership and role information should be released by your IdP as entitlement values (eduPersonEntitlement) following the URN scheme below:
- <NAMESPACE> is in the form of urn:<NID>:<DELEGATED-NAMESPACE>[:<SUBNAMESPACE>*], where
- <NID> is the namespace identifier associated with a URN namespace registered with IANA, as per RFC8141, ensuring global uniqueness. Implementers can and should use one of the existing registered URN namespaces, such as urn:geant  and urn:mace ;
- <DELEGATED-NAMESPACE> is a URN sub-namespace delegated from one of the IANA registered NIDs
to an organisation representing the e-infrastructure, research infrastructure or research collaboration.
- <GROUP> is the name of a VO, research collaboration or a top level arbitrary group. <GROUP> names are unique within the urn:mace:egi.eu:group namespace;
- zero or more <SUBGROUP> components represent the hierarchy of subgroups in the <GROUP>; specifying sub-groups is optional
- the optional <ROLE> component is scoped to the rightmost (sub)group; if no group information is specified, the role applies to the VO
- <GROUP-AUTHORITY> is a non-empty string that indicates the authoritative source for the entitlement value. For example, it can be the FQDN of the group management system that is responsible for the identified group membership information
Example entitlement values expressing VO/group membership and role information: