As part of larger European projects such as Erasmus+, the European Student Card Initiative (ESCI) and Erasmus without Paper (EWP) the "MyAcademicID IAM Service" has been created that's also connected to eduGAIN and therefore available to eduID.at members. Any of the services that are being or will be offered as part of these larger projects (e.g. the digital Online Leaning Agreement or the Erasmus+ App) will be reachable via that central entry point.
Towards Identity Providers in academic Identity Federations (such as eduID.at) that entry point acts as a SAML 2.0 Service Provider (SP) that requires the transmission of a set of attributes, including the recently defined European Student Identifier. That SAML SP calls itself the "MyAcademicID IAM Service" and is operated by the Team at GÉANT that also runs the MyAcademicID and eduTEAMS infrastructure and services.
Towards any of the services "behind" that central component it may act as an Identity Provider (IDP) or OpenID Provider (OP) or possibly some OAuth2 component. The point here being that what's "beind" the proxy is technically irrelevant to the academic Identity Providers – IDPs only need to make sure to release the required attributes to the SAML SP-side of the "MyAcademicID IAM Service", so that students, staff and/or faculty from academic institutions can make use of connected services as needed.
As specified by the MyAcademicID team the "MyAcademicID IAM Service" requires a specific set of data in order for logins to the services "behind" it to be possible. While it would be pointless to repeat this specification here we can provide guidance to the local eduID.at community by sharing copy/paste-able instructions on how to enable access to the central component and thereby to all the services "behind" it. This assumes use of the Shibboleth Identity Provider software and a configuration that matches our own documentation and deployment recommendations, specifically the attribute resolver and attribute filter documentation.
The preferred identifier(s) to use are SAML Pairwise-ID or SAML Subject-ID. If your IDP deployment already follows our recommendations for the creation and release of these attributes there's nothing else for you to do to ensure one of these identifiers will be released to the service. If you're not yet following our documentation maybe now would be a good time to change that.
The "MyAcademicID IAM Service" does allow for use of alternative identifiers but the conditions of what exactly to release and when become a bit complex (cf. its attribute requirement specification). So adding support for Pairwise-ID and Subject-ID to your IDP and using one of these with the "MyAcademicID IAM Service" is both easiest and also generally useful: You'll be needing to support Pairwise-ID and Subject-ID for other services in the future anyway as those are the SAML Standard Identifiers, going forward.
European Student Identifier
In support of these larger projects the European Student Identifier (ESI) was defined and this too needs to be made available in your IDP and released to the central "MyAcademicID IAM Service". Copy/paste-able examples for its creation are part of our standard set of documentation for the Shibboleth IDP's attribute resolver as well as for its scalable release to eligible services.
Other common attributes
Make sure to also have the common attributes
schacHomeOrganization available and release them to the "MyAcademicID IAM Service", all of which we already provide extensive configuration guidance for.
Attribute release configuration
In late 2021 CE a Service Category was created to scalably manage the controlled release of the ESI across services and regions. We recommend using this method to manage release of the ESI to the "MyAcademicID IAM Service" as well. This replaces the only method available earlier that relies on enumeration of
entityID values of all Service Providers that may recieve the ESI as a SAML attribute from your Identity Provider software.
An easy way to test your attribute release configuration for Erasmus+ services is the MyAcademicID Attribute Release Test Service. Alternatively testing attribute release policies on the command line of your Shibboleth IDP server using the
aacli tool is fast and easy (though you'd have to interpret the results yourself, comparing the set of attribute shown by the aacli (that would be released) against the published requirements of the "MyAcademicID IAM Service" (see "Attribute requirements") above.
We're assuming you've already configured support for releasing the SAML SubjectID Profile Attributes (SAML Pairwise-ID or SAML Subject-ID) in a scalable way according to our documentation (cf. section "Identifiers" above). Otherwise you'd have to add
AttributeRule elements for
samlPairwiseID (or if you can't support that, for
samlSubjectID) to your attribute release rule specific to the "MyAcademicID IAM Service".
An attribute filter policy for the Shibboleth IDP that releases the ESI to eligible services, including the "MyAcademicID IAM Service", based on the published Service Category would look like the following:
<AttributeFilterPolicy id="MyAcacemicID-ESI"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://myacademicid.org/entity-categories/esi"/> <AttributeRule attributeID="schacPersonalUniqueCode"> <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*$" /> </AttributeRule> </AttributeFilterPolicy>