
As part of larger European projects such as Erasmus+, the European Student Card Initiative (ESCI) and Erasmus without Paper (EWP), the "MyAcademicID IAM Service" has been created. It is also connected to eduGAIN and is therefore available to eduID.at members. Any of the services that are being or will be offered as part of these larger projects (e.g. the digital Online Learning Agreement or the Erasmus+ App) will be reachable via that central entry point.

Description

Towards Identity Providers in academic Identity Federations (such as eduID.at) that entry point acts as a SAML 2.0 Service Provider (SP) that requires the transmission of a set of attributes, including the recently defined European Student Identifier. That SAML SP calls itself the "MyAcademicID IAM Service" and is operated by the team at GÉANT that also runs the MyAcademicID and eduTEAMS infrastructure and services.

entityID of the "MyAcademicID IAM Service" SAML 2.0 Service Provider

https://proxy.prod.erasmus.eduteams.org/metadata/backend.xml

Towards any of the services "behind" that central component it may act as an Identity Provider (IDP), an OpenID Provider (OP) or possibly some OAuth2 component. The point here is that whatever sits "behind" the proxy is technically irrelevant to the academic Identity Providers: IDPs only need to make sure to release the required attributes to the SAML SP side of the "MyAcademicID IAM Service", so that students, staff and/or faculty from academic institutions can make use of connected services as needed.

Attribute requirements

As specified by the MyAcademicID team the "MyAcademicID IAM Service" requires a specific set of data in order for logins to the services "behind" it to be possible. While it would be pointless to repeat this specification here we can provide guidance to the local eduID.at community by sharing copy/paste-able instructions on how to enable access to the central component and thereby to all the services "behind" it. This assumes use of the Shibboleth Identity Provider software and a configuration that matches our own documentation and deployment recommendations, specifically the attribute resolver and attribute filter documentation.

Identifiers

The preferred identifier(s) to use are SAML Pairwise-ID or SAML Subject-ID. If your IDP deployment already follows our recommendations for the creation and release of these attributes there's nothing else for you to do to ensure one of these identifiers will be released to the service. If you're not yet following our documentation maybe now would be a good time to change that.

The "MyAcademicID IAM Service" does allow for the use of alternative identifiers, but the conditions of what exactly to release and when become a bit complex (cf. its attribute requirement specification). So adding support for Pairwise-ID and Subject-ID to your IDP and using one of these with the "MyAcademicID IAM Service" is both the easiest option and generally useful: you'll need to support Pairwise-ID and Subject-ID for other services in the future anyway, as those are the standard SAML identifiers going forward.

European Student Identifier

In support of these larger projects the European Student Identifier was defined and this too needs to be made available in your IDP and released to the central "MyAcademicID IAM Service". Copy/paste-able examples for its creation are part of our standard set of documentation for the Shibboleth IDP's attribute resolver and an example for its release is included below.

Other common attributes

Make sure to also have the common attributes displayName, mail, eduPersonScopedAffiliation and schacHomeOrganization available and release them to the "MyAcademicID IAM Service", all of which we already provide extensive configuration guidance for.

Attribute release configuration

An attribute filter policy for the Shibboleth IDP that releases the recommended, minimally required attributes to the "MyAcademicID IAM Service" could look like the example at the end of this section.

Below we're assuming you've already configured support for releasing the SAML SubjectID Profile attributes (SAML Pairwise-ID or SAML Subject-ID) in a scalable way according to our documentation (see references above), which would also cover the "MyAcademicID IAM Service". Otherwise you'd have to add AttributeRule elements for samlPairwiseID (or, if you can't support that, for samlSubjectID) to the configuration snippet below.

Also note that if you're following our documentation and recommendation about controlled, scalable attribute release using Service Categories you may not have to configure anything specifically for the "MyAcademicID IAM Service"! An easy way to find out is to use the MyAcademicID Attribute Release Test Service, or alternatively to test your attribute release policies on the command line of your Shibboleth IDP server using the aacli tool.

<AttributeFilterPolicy id="MyAcademicID-IAM-Service">
    <PolicyRequirementRule xsi:type="Requester" value="https://proxy.prod.erasmus.eduteams.org/metadata/backend.xml" />
    <AttributeRule attributeID="schacPersonalUniqueCode">
        <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*$" />
    </AttributeRule>
    <AttributeRule attributeID="displayName" permitAny="true" />
    <AttributeRule attributeID="mail" permitAny="true" />
    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
    <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
</AttributeFilterPolicy>
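To see what the policy above actually lets through, here is an added example (not part of this page's configuration and not Shibboleth code) that transcribes just that one AttributeFilterPolicy into a small Python evaluator and runs it over a constructed set of resolved attributes. It only models this single policy, so identifiers released by your other policies (e.g. samlPairwiseID) do not appear; the sample user, its values and the second SP entityID are made up.

```python
import re

# The Requester and the AttributeRules, transcribed from the page's policy
MYACADEMICID_SP = "https://proxy.prod.erasmus.eduteams.org/metadata/backend.xml"
ESI_REGEX = re.compile(r"^urn:schac:personalUniqueCode:int:esi:.*$")

POLICY = {
    "requester": MYACADEMICID_SP,
    "rules": {
        "schacPersonalUniqueCode": ESI_REGEX,  # ValueRegex: only ESI values pass
        "displayName": None,                   # None == permitAny="true"
        "mail": None,
        "eduPersonScopedAffiliation": None,
        "schacHomeOrganization": None,
    },
}


def apply_filter(requester, resolved):
    """Return the attributes and values this single policy releases to `requester`.

    `resolved` maps attributeID -> list of values as the attribute resolver
    would produce them. Attributes without an AttributeRule are never released.
    """
    if requester != POLICY["requester"]:
        return {}  # PolicyRequirementRule not satisfied: nothing is released
    released = {}
    for attr_id, values in resolved.items():
        if attr_id not in POLICY["rules"]:
            continue
        regex = POLICY["rules"][attr_id]
        kept = [v for v in values if regex is None or regex.match(v)]
        if kept:  # an attribute with no permitted values is dropped entirely
            released[attr_id] = kept
    return released


# Constructed sample user: an ESI plus a second, non-ESI personalUniqueCode
SAMPLE_USER = {
    "displayName": ["Example Student"],
    "mail": ["student@example.ac.at"],
    "eduPersonScopedAffiliation": ["student@example.ac.at"],
    "schacHomeOrganization": ["example.ac.at"],
    "schacPersonalUniqueCode": [
        "urn:schac:personalUniqueCode:int:esi:example.ac.at:s1234567",
        "urn:schac:personalUniqueCode:at:example.ac.at:matrikel:1234567",
    ],
    "eduPersonPrincipalName": ["student1@example.ac.at"],  # no rule -> withheld
}

if __name__ == "__main__":
    for attr, vals in apply_filter(MYACADEMICID_SP, SAMPLE_USER).items():
        print(attr, vals)
```

Running it shows that only the ESI-formatted value of schacPersonalUniqueCode is released and that eduPersonPrincipalName is withheld, while a different requester gets nothing at all.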