ACOnet operates the ACOnet OpenIDP, a self-service SAML Identity Provider for members and guests of ACOnet participants. This service is open to everyone needing to access federated resources from eduID.at members who is lacking credentials at a SAML IDP known to the relevant service.
The prime purpose of the ACOnet OpenIDP is to allow service owners to offer their resource to their whole intended community, whether or not all members of that community already have access to a SAML Identity Provider. This removes the need for service owners to also implement local or alternative authentication methods within their resource (leading to password management and "password forgotten" support at the service), in addition to federated access via SAML. As such the ACOnet OpenIDP is part of the eduID.at Metadata, together with all other Identity Providers within eduID.at.
Attributes sent by the ACOnet OpenIDP
Subjects may enter any profile data they want during the account registration phase, so relying on any of the data provided should only be done with extreme caution.
The following attributes will be issued by the OpenIDP to any Service Provider known to it (i.e., all eduID.at Service Providers):
| Friendly name | Formal attribute name | Description |
|---|---|---|
| givenName | urn:oid:2.5.4.42 | First name |
| sn | urn:oid:2.5.4.4 | Last name |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | "Firstname Lastname" (whitout the quotes) |
urn:oid:0.9.2342.19200300.100.1.3 | The email address used for verification emails during account creation | |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | Always of the form [a-z0-9]{7}@openidp.aco.net, i.e. seven random lower-case characters and/or digits + "@openidp.aco.net" |
| eduPersonEntitlement (only in few cases) | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | For application owners the OpenIDP allows the provisioning of entitlement values via a proprietary API. E.g. after the USI support team (see below) has verified someone's identity they are permitted to store that fact in an entitlement specific to their service, e.g. http://usi.at/student-discount (to express the fact that someone should be entitled to the discount USI offers, based on age verification). |
Services known to accept ACOnet OpenIDP identities
These services are known to externalize their credentials management to the ACOnet OpenIDP, so they don't have to manage, keep secure and support passwords themselfs:
- USI-Wien Kursanmeldung: The University Sports Institute (USI) at Vienna University implements online registration for its many sports courses via eduID.at. Since not all Austrian institutions whose members are eligible for USI courses currently participate in ACOnet or eduID.at those subjects can register an account at OpenIDP once, and use that for online registration at USI as long as desired.
- u:book is a federated service by University of Vienna allowing members of participating academic institutions in Austria to buy quality mobile computers at reduced prices, in addition to supporting services (such as software downloads and installation or mobile phone or data contracts).
- Training Courses by the Computer Center and Human Resources Development departments at the University of Vienna. Some of these are open to the general public and so need a method for people outside the eduID.at membership (or even ACOnet constituency) to register for courses online. Authorization in these cases happens by payment of the course fee, so (self-asserted) attributes or identity vetting are not of prime importance.
Überblick
Inhalte
Aufgabenbericht