Seitenhistorie
ACOnet operates the ACOnet OpenIDP, a self-service SAML Identity Provider for members and guests of ACOnet participants. This service is open to everyone needing to access federated resources from eduID.at members who is lacking credentials at a SAML IDP known to the relevant service.
| Hinweis | ||
|---|---|---|
| ||
Registration of an ACOnet OpenIDP account only provides a means to authenticate. Use of this service does not imply access to any specific resource or service, as this remains the service owner's sole responsibility. Likewise, service owners are reminded that successful authentication at any [inter-]federated SAML IdP should not necessarily be equated with successful authorization. Always protect your resources with proper access rules based on attributes provided (such as | ||
The |
...
ACOnet OpenIDP |
...
Attributes sent by the ACOnet OpenIDP
Subjects may enter any profile data they want during the account registration phase, so relying on any of the data provided should only be done with caution.
| Warnung | ||
|---|---|---|
| ||
The only piece of data which is verified in some sense is the email address, which will be used during account generation, so it must be deliverable and accessible to the subject registering the account – at least at the time of the account creation. |
The following attributes will be issued by the OpenIDP to any Service Provider known to it (i.e., all eduID.at Service Providers):
| Friendly name | Formal attribute name | Description |
|---|---|---|
| givenName | urn:oid:2.5.4.42 | First name |
| sn | urn:oid:2.5.4.4 | Last name |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | "Firstname Lastname" (without the quotes) |
urn:oid:0.9.2342.19200300.100.1.3 | The email address used for verification emails during account creation | |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | Always of the form [a-z0-9]{7}@openidp.aco.net, i.e. seven (random) lower-case characters and/or digits + "@openidp.aco.net".The string is "random" only during generation of the account; after that the created eduPersonPrincipalName value will not change. Also, eduPersonPrincipalName values will not be re-used or re-assigned from one person to another. |
| eduPersonEntitlement (only in few cases) | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | For application owners the OpenIDP allows the provisioning of entitlement values via a proprietary API. E.g. after the u:book support team (see below) has verified someone's identity and eligibility ("studentness") status, they are able to store that fact in an entitlement specific to their services, e.g. |
Services known to accept ACOnet OpenIDP identities
| Info | ||
|---|---|---|
| ||
If you have an account at a eduID.at member institution always use your institutional account instead of registering a new one at the OpenIDP. Save yourself the additional registration step, creating and remembering Yet Another username and password. An OpenIDP account will not give you any additional rights or permissions. If you already have registered an OpenIDP account unnecessarily please contact the owners of the services you used it with (not ACOnet, who cannot help here) and ask them to transfer your user data to your institutional account. |
These services are known to externalize their credentials management to the ACOnet OpenIDP, so they don't have to manage, keep secure and support passwords themselfs:
...
with entityID |
While there are no current plans for a replacement service feel free to contact the ACOnet team to discuss your project's/service's requirements
...
.
Überblick
Inhalte
Aufgabenbericht