en:services:it_security:aai:start, revision 2016/03/09 09:05 by dadler1 (current)
====== AAI ======
We offer Authentication and Authorization Infrastructure (AAI) services based on the suite of protocols and software known as [[https://en.wikipedia.org/wiki/Shibboleth_(Internet2)|Shibboleth]]. We run several Identity Provider (IdP) servers that authenticate students and employees to internal and external web services (Service Providers, SPs) using the SAML protocol, and that pass on the attributes those services need for authorization.
<WRAP center round info 80%>
Employees of UMG (Universitätsmedizin Göttingen) can from now on use the Identity Provider of Georg-August University.
</WRAP>
===== Identity Providers =====
GWDG operates Identity Providers
  * for employees of Max Planck Institutes whose accounts are managed via our [[en:services:general_services:idm:start|MetaDir]],
  * for students and employees of Georg-August University (including UMG), and
  * for employees and customer accounts of GWDG.
Shibboleth is, among other things, a web-based single sign-on (SSO) solution. Service Providers (SPs) and Identity Providers (IdPs) agree on a fine-grained flow of personal information (attributes), and trust is established between the user management systems behind the IdPs and the services without creating a new account for every new service. In addition, the infrastructure can pseudonymize users to a certain degree: a service can be given a service-specific, opaque identifier instead of a person's name or e-mail address.
All three IdPs are registered in the [[https://www.aai.dfn.de/en|DFN-AAI Federation]] and in the [[https://en.wikipedia.org/wiki/EduGAIN|eduGAIN interfederation]]. The former is the national federation of German education and research institutions; the latter connects such national federations with each other.
===== Accessible Web Services =====
The following is an excerpt of services that are ready to be used.
  * [[https://webconf.vc.dfn.de|DFNVC web conferences]] Organize web conferences (use "Anmeldung über DFN AAI" to log in).
  * [[https://www.siropglobal.org/|SiROP]] Search and find scientific projects (use the "worldwide" login).
  * [[https://gigamove.rz.rwth-aachen.de|gigamove]] Upload large files for a limited time.
  * [[https://foodl.org/|foodle]] Online tool for coordinating meeting dates.
  * [[http://www.textgrid.de/registrierungdownload/download-und-installation/|TextGrid Virtual Research Environment for Humanities (client download)]] Login is built into the client software.
  * [[https://www.wohnraum-fuer-studierende.de/startseite/|Wohnraum Suchmaschine für Studierende im Großraum Paderborn]] (accessible via Uni login).
  * [[https://filesender.funet.fi|filesender-funet]] Send large files via a web interface.
  * [[http://muse.jhu.edu/|Project Muse]] Download access to the journals of the "Basic College Collection" for members of the university.
A comprehensive list of services available to participants of the DFN-AAI Federation and eduGAIN is available [[https://www.aai.dfn.de/verzeichnis/|here]].
In addition to web services, the Shibboleth IdPs also give access to software resellers that grant discounts to particular user groups:
  * For students of the University of Göttingen: [[https://www.studyhouse.de|Studyhouse (asknet portal)]] - Rent or purchase software products such as Microsoft Office 365 and various Adobe products at a student discount via Shibboleth authentication.
  * For employees of the University of Göttingen (also UMG) and GWDG: [[https://www.academic-center.de/cgi-bin/product/P10016549|Academic Center (asknet portal)]] - Rent Microsoft Office 365 for a fee of 4.99 € per year.
===== Authentication Process =====
We give a brief overview of the authentication process (SAML web browser SSO, started by the service you visit).
| 1. You request a web service that is protected by means of SAML/Shibboleth. | {{:en:services:it_security:aai:dfn-webconf.png?200|}} |
| 2. Your browser is redirected to the "Where Are You From" (WAYF) page. If the web service is part of the DFN-AAI, this is the DFN WAYF site, where students, members and employees of Max Planck, Uni Göttingen or GWDG select the appropriate IdP. |   {{ :en:services:it_security:aai:dfn-wayf.png?200| }} |
  * Employees of Max Planck select "Max-Planck"
  * Employees and customer accounts of GWDG select "Gesellschaft für wissenschaftliche Datenverarbeitung mbH"
  * Students and employees of Uni Göttingen and UMG select "Georg-August University Göttingen"
| 3. You are then redirected to the login page of the IdP server. | {{ :en:services:it_security:aai:shib-idp-mpg.png?200| }} |
| 4. If you are using the Shibboleth IdP for the very first time, you need to accept the "Terms of Usage". | {{:en:services:it_security:aai:tou1.png?200| }} |
| 5. If you are using this web service for the very first time, you are shown the list of attributes that will be passed to the web service (the list is specific to each service). | {{:en:services:it_security:aai:uapprove.png?200| }} |
| 6. Finally you are redirected back to the web service as an authenticated user. Whether you are also authorized depends on the requirements of the web service and on the attributes that were transferred. | {{:en:services:it_security:aai:loggedin.png?200| }} |
If the web service expects attributes that we have not yet configured for release to it, you will probably get an error page from our Identity Provider. Since we only pass on the absolute minimum of your personal information in terms of attributes, you may run into this when using a new service for the first time. See also our [[https://faq.gwdg.de/index.php?action=show&cat=26|FAQ]].
Note that when you then log in to a different Shibboleth-protected web service (e.g. gigamove), a second e-mail/password authentication is not required (single sign-on), but you will still be informed about the attributes that our IdP submits to that service.
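The steps above, as an added example that is not GWDG's or the Shibboleth project's own code: a small Python script that builds the SP's AuthnRequest (step 1), encodes it the way the SAML HTTP-Redirect binding does and decodes it again on the IdP side (step 3), reads the SP's RequestedAttribute list from its federation metadata and applies a minimal per-SP release policy (steps 5 and 6), including the case from the paragraph above where a required attribute is not configured for release. The entity IDs, URLs, SP metadata, release policy and user record are constructed for the example; the attribute OIDs are the standard eduPerson/inetOrgPerson names. Request signing (SigAlg/Signature) and the signed Response/Assertion that the IdP returns are omitted to keep the flow readable.

```python
"""SP-initiated Shibboleth/SAML 2.0 login, reduced to the steps described above.
Added example: not GWDG's or the Shibboleth project's code. Entity IDs, URLs,
metadata and the user record are constructed; signatures and the signed
Response are omitted on purpose."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Hypothetical endpoints (assumption: not real DFN/GWDG addresses).
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
IDP_SSO_URL = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"

# Standard attribute OIDs as they appear in SAML metadata and assertions.
OID_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"          # eduPersonPrincipalName
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"         # mail
OID_DISPLAYNAME = "urn:oid:2.16.840.1.113730.3.1.241"  # displayName


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id, issue_instant):
    """Step 1: the SP's AuthnRequest that sends the browser to the IdP."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAML2P}" xmlns:saml="{SAML2}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ).encode()


def encode_redirect(xml_bytes):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode for ?SAMLRequest=."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(param):
    """Step 3: what the IdP does with the SAMLRequest query parameter."""
    return zlib.decompress(base64.b64decode(urllib.parse.unquote(param)), -15)


def parse_authn_request(xml_bytes):
    """Fields the IdP needs: which SP is asking and where the user is to be sent back."""
    root = ET.fromstring(xml_bytes)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML2}}}Issuer"),
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }


def requested_attributes(sp_metadata_xml):
    """Attributes an SP asks for in its federation metadata, with the isRequired flag."""
    root = ET.fromstring(sp_metadata_xml)
    return [(el.get("Name"), el.get("isRequired") == "true")
            for el in root.iter(f"{{{MD}}}RequestedAttribute")]


def evaluate_release(sp_entity_id, release_policy, user_attributes, requested):
    """Steps 5 and 6: the IdP releases only what its per-SP policy allows.
    Returns (released, missing_required); a non-empty second value is the case
    where the service expects attributes the IdP is not configured to release."""
    allowed = release_policy.get(sp_entity_id, set())
    released = {n: user_attributes[n] for n in allowed if n in user_attributes}
    missing = [n for n, required in requested if required and n not in released]
    return released, missing


# Constructed SP metadata: ePPN and mail required, displayName optional.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML2P}">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute Name="{OID_EPPN}" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="{OID_MAIL}" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="{OID_DISPLAYNAME}" FriendlyName="displayName" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP policy (minimal release: only ePPN to this SP) and user record.
RELEASE_POLICY = {SP_ENTITY_ID: {OID_EPPN}}
USER = {OID_EPPN: "jdoe@example.org", OID_MAIL: "jdoe@example.org", OID_DISPLAYNAME: "J. Doe"}


if __name__ == "__main__":
    req = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL, "_req1", "2016-03-09T09:05:00Z")
    url = f"{IDP_SSO_URL}?SAMLRequest={encode_redirect(req)}"
    print("redirect to:", url[:80] + "...")
    print("IdP sees:", parse_authn_request(decode_redirect(url.split("SAMLRequest=")[1])))
    released, missing = evaluate_release(SP_ENTITY_ID, RELEASE_POLICY, USER,
                                         requested_attributes(SP_METADATA))
    print("released:", released)
    print("missing required attributes (IdP error page):", missing)
```

With the constructed policy the IdP releases only eduPersonPrincipalName, so the SP's required `mail` attribute is reported as missing; widening the policy for that one SP to include the mail OID makes the same request succeed, which is exactly the per-service change the FAQ case above calls for. Real IdPs express this policy in their attribute filter configuration, and the redirect URL is additionally signed (SigAlg and Signature parameters) so the IdP can reject tampered requests.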
You close the session by using the logout function of the website, by closing the web browser, by clearing session data, etc. There is also a link for closing *ALL* Shibboleth sessions at the IdP at once (see below). Note that this ends your session at the IdP, so no further service can be entered without logging in again; a session that already exists at an individual web service ends only when that service logs you out as well (or supports single logout), which is why closing the browser is the safest choice on a shared computer.
    * GWDG IdP Logout: [[https://shibboleth-idp.gwdg.de/gwdg/profile/Logout]]
    * Uni Göttingen IdP Logout: [[https://shibboleth-idp.uni-goettingen.de/uni/profile/Logout]]
    * MPG IdP Logout: [[https://shibboleth-idp.mpg.de/mpg/profile/Logout]]