Versionen im Vergleich

Alte Version 8

changes.mady.by.user Peter Brand

Gespeichert am

verglichen mit

Neue Version Aktuell

changes.mady.by.user Peter Brand

Gespeichert am

Schlüssel

  • Diese Zeile wurde hinzugefügt.
  • Diese Zeile wurde entfernt.
  • Formatierung wurde geändert.

ACOnet operates the ACOnet OpenIDPa self-service SAML Identity Provider for members and guests of ACOnet participants. This service is open to everyone needing to access federated resources from eduID.at members who is lacking credentials at a SAML IDP known to the relevant service.

Registration of an ACOnet OpenIDP account only provides a means to authenticate. Use of this service does not imply access to any specific resource or service, as this remains the service owner's sole responsibility. Likewise, service owners are reminded that successful authentication at any [inter-]federated SAML IdP should not necessarily be equated with successful authorization. Always protect your resources with proper access rules based on attributes provided (such as eduPersonScopedAffiliation) unless your service is in fact open to everyone & everything that can self-register an account and authenticate.
Hinweis
iconfalse

The

...

ACOnet OpenIDP

...

Attributes sent by the ACOnet OpenIDP

Subjects may enter any profile data they want during the account registration phase, so relying on any of the data provided should only be done with extreme caution.

Warnung
iconfalse

The only piece of data which is verified in some sense is the email address, which will be used during account generation, so it must be deliverable and accessible to the subject registering the account – at least at the time of the account creation.

The following attributes will be issued by the OpenIDP to any Service Provider known to it (i.e., all eduID.at Service Providers):

Friendly nameFormal attribute nameDescription
givenNameurn:oid:2.5.4.42First name
snurn:oid:2.5.4.4Last name
displayNameurn:oid:2.16.840.1.113730.3.1.241"Firstname Lastname" (whitout the quotes)
mailurn:oid:0.9.2342.19200300.100.1.3The email address used for verification emails during account creation
eduPersonPrincipalNameurn:oid:1.3.6.1.4.1.5923.1.1.1.6Always of the form [a-z0-9]{7}@openidp.aco.net, i.e. seven random lower-case characters and/or digits + "@openidp.aco.net"
eduPersonEntitlement
(only in few cases) 		urn:oid:1.3.6.1.4.1.5923.1.1.1.7For application owners the OpenIDP allows the provisioning of entitlement values via a proprietary API. E.g. after the u:book support team (see below) has verified someone's identity and eligibility ("studentness") status, they are able to store that fact in an entitlement specific to their services, e.g. https://guests.ubook.at (to express the fact that someone should be entitled to use the services u:book offers).

Services known to accept ACOnet OpenIDP identities

Info
iconfalse

If you have an account at a eduID.at member institution always use your institutional account instead of registering a new one at the OpenIDP. Save yourself the additional registration step, creating and remembering Yet Another username and password. An OpenIDP account will not give you any additional rights or permissions. If you already have registered an OpenIDP account unnecessarily please contact the owners of the services you used it with (not ACOnet, who cannot help here) and ask them to transfer your user data to your institutional account.

These services are known to externalize their credentials management to the ACOnet OpenIDP, so they don't have to manage, keep secure and support passwords themselfs:

...

with entityID https://openidp.aco.net/saml was decommissioned in June 2025 CE.

While there are no current plans for a replacement service feel free to contact the ACOnet team to discuss your project's/service's requirements

...

.