The objective of the AAI (Authentication and Authorization Infrastructure) is, in a nutshell, to simplify inter-organizational access to web resources.With a single login, with his/her institutional account, an authorized user can access from anywhere all HEAL-Link subscriptions. The AAI makes use of a concept called federated identity management.
Necessity of access to a variety of electronic resources and the various difficulties that arise when using separate authentication credentials leads to the creation of an infrastructure for unified access. Under this structure a user, ascertains the identity of the institution he belongs once, the institution then provides the authorization to its authenticated user (who should have access to the corresponding services). Until now access was based either on individual credentials for each service / resource or on recognizing IP addresses.
The problems that the user faces with the described process are mentioned below:
- Time-consuming user registration and management procedures for any online source.
- Users manage multiple passwords.
- Authorizations issues are ignored with the existing authentications.
- The large effort required to integrate users from other universities due to lack of standard authorization.
- Authorization does not always become independent from the location (IP address recognition).
By using AAI Services we have the following advantages:
- Due to the digital identity, electronic resources do not need to provide registration services and user management.
- A standard authentication mechanism allows users to access various online resources.
- Users have access regardless their location.
- Data protection requirements are checked.
A Federation is a collection of organizations that agree to interoperate under a certain set of rules. Federations will usually define trusted roots, authorities and attributes, along with distribution of metadata representing this information. In general each organization participating in a federation operates one Identity Provider for their users and any number of Service Providers.
Federations are not prerequisite for the use of Shibboleth but they can greatly facilitate exchange of information. Also Federations by offering a certain set of rules they play a key role in the smooth functioning of shibboleth. HEAL-Link Federation is very important because HEAL-Link is responsible for the license agreements with the publishers, therefore HEAL-Link Federation must establish policies and access rules to its members.
Graphical description of a Federation and its members.
-
- AAI
Authentication and Authorization Infrastructure.
- AAI
-
- Assertion
A digital statement issued by an IDP, derived from the Digital Identity of an End User. Typically an Assertion is digitally signed and optionally encrypted.
- Assertion
-
- Authentication
Process of confirming the identity of an existing registered user.
- Authentication
-
- Authorization
Process of specifying access rights (granting or denying access) to resources.
- Authorization
-
- Attributes (Authorization)
User data (such as name, affiliation, study branch, etc.) needed for access control decisions. The attributes used by HEAL-Link Federarion are defined in the Technical & Attributes Specification document.
- Attributes (Authorization)
-
- Attribute Release Policy (ARP)
It defines which attributes are going to be released to a requesting resource (the attribute filter). It is a mechanism to implement privacy and data protection.
- Attribute Release Policy (ARP)
-
- Attribute Resolver
A component of the Identity Provider. It retrieves attributes from various data sources (LDAP, Active Directory, …) and performs the necessary transformations for SAML transport.
- Attribute Resolver
-
- Digital Identity
A set of information that is attributable to an End User. It is issued and managed by an IDP Operator on the basis of the identification of the End User.
- Digital Identity
-
- Discovery Service
Technical term/synonym for WAYF.
- Discovery Service
-
- End User
Typically, a human person who belongs to an organization, who uses Federated Authentication via his/her organization’s IDP. However, an End User can also be a legal person, a virtual artifact (e.g. a computer process, an application) or a tangible object (e.g. a device).
- End User
-
- Entitlement
Entitlements form a specialized class of Authorization Attributes important enough to call out separately. They can be used to identify a user’s eligibility to access a given resource such as an e-journal. HEAL-Link Federation uses this attribute for the authprization of aythenticated users.
- Entitlement
-
- EntityID
The EntityID is a unique identifier, identifying each Service Provider and Identity Provider.
- EntityID
-
- Federated Authentication
An End User uses his Digital Identity to authenticate for accessing services offered by SP Operators within the same or a different organization.
- Federated Authentication
-
- Federated Identity Management
The management and use of identity information across security domains, e.g. between individual universities. It deals with issues such as interoperability, liability, security, privacy and trust.
- Federated Identity Management
-
- Federation
A federation is a collection of organizations that agree to interoperate under a certain set of rules.
- Federation
-
- Federation Operator
The organization managing the Federation, operating the central components and acting as a competence centre. HEAL-Link is the Federation Operator of the HEAL-Link Federation.
- Federation Operator
-
- Federation Partner
An organization that is not a HEAL-Link member, but wants to participate to HEAL-Link Federation and has signed the HEAL-Link Federation Partner Agreement.
- Federation Partner
-
- HEAL-Link Federation
HEAL-Link Federation consists of the corresponding Participants that cooperate in the area of Federated Authentication and authorization and, for this purpose, operate a common Federation. HEAL-Link is the Federation Operator of HEAL-Link Federation.
- HEAL-Link Federation
-
- HEAL-Link Federation Participant
An organization, member of HEAL-Link, that participates in HEAL-Link Federation, or a HEAL-Link Federation Partner.
- HEAL-Link Federation Participant
-
- Home Organization
A participating organization, member of HEAL-Link, representing a user community. A Home Organization registers users and stores information about them. Furthermore, it is able to authenticate its users and it operates an IDP.
- Home Organization
-
- Identity Provider (IDP)
The system component that issues Assertions on behalf of End Users who use them to access the services of SPs after they have already been authenticated by their organization’s authentication system.
- Identity Provider (IDP)
-
- IDP Operator
The organization operating an IDP. IDP Operator refers to the legal entity that signs contracts, is a HEAL-Link Participant and is responsible for the overall processes supporting the IDP.
- IDP Operator
-
- Metadata
The Metadata contain technical details and descriptive information about the IDPs and SPs of HEAL-Link Federation. For interoperability in a specific context, the Metadata format definition is part of a Federation Technology Profile.
- Metadata
-
- Relying Party
In general, one or more Service Provider or Identity Provider that is sender or recipient of an Assertion. A relying party could be a single Service Provider or a group of Service Providers. The SPs and IDPs can be grouped into a relying party by including them into an EntitiesDescriptor element in the Metadata. Such a group of Service Providers can then for example be used to inform an Identity Provider to use a specific way to transmit the attributes to the components of this specific relying party.
- Relying Party
-
- Resource
Web application, web site, information system, etc. An AAI-enabled Resource requests attributes about users from an IDP and makes access decisions (authorization) based on these attributes.
- Resource
-
- SAML
SAML – the Security Assertion Markup Language – is an XML framework for exchanging authentication and authorization information. SAML is a standard of OASIS. Shibboleth software is based on SAML.
- SAML
-
- Service Provider (SP)
The system component that evaluates the Assertion from an IDP and also uses this information for controlling access to protected services. Synonym for an AAI-enabled Resource, which is used in a more technical sense.
- Service Provider (SP)
-
- Shibboleth
Open source software developed by Shibboleth Consortium. Shibboleth is based on SAML and allows the implementation of an AAI. HEAL-Link makes use of Shibboleth.
- Shibboleth
-
- Single Sign-On (SSO)
With Single Sign-On a user gains access to multiple Resources by authenticating only once to his/her Home Organization.
- Single Sign-On (SSO)
-
- Virtual Home Organization (VHO)
The Virtual Home Organization is an Identity Provider for users, which arent’t in a participating Home Organization.
- Virtual Home Organization (VHO)
-
- VHO group
A VHO group is a container within the VHO. It contain VHO end users and/or subgroups, which also can contain VHO end users. A VHO group is managed by one or more VHO administrators
- VHO group
-
- VHO administrator
The VHO administator is a resource owner, who is responsible for his VHO group(s) and its VHO end users. He maintain the account data and provide support for VHO end users.
- VHO administrator
-
- VHO end user
A VHO end user is a valid user, which belongs to the VHO.
- VHO end user
-
- WAYF (Where Are You From)
The WAYF service, also called Discovery Service, lets the user choose his Home Organization from a list and then redirects the user to the corresponding login page for authentication.
- WAYF (Where Are You From)
Participating Home Organizations are all HEAL-Link members.
Up to date, the following organizations have signed the HEAL-Link Federation Partner Agreement and thus are HEAL-Link Federation Partners.
- ACM
- Select “Institutional login” tab
- Type and select “HEAL-Link”
- American Chemical Society (ACS)
- Select your institution
- American Institute of Physics (AIP)
- Select Institutional access – Login via Shibboleth
- Select of “HELLENIC ACADEMIC LIBRARIES LINK (HEAL-Link)”
- Select your institution
- American Physical Society (APS)
- Click “OpenAthens Log in”
- Select “HEAL-Link”
- Select your institution
- Cambridge University Press (CUP)
- Click “Institutional Log in”
- Select “HEAL-Link”
- Select your institution
- Clarivate-Web of Science (applies to institution members with an individual subscription)
- Select “GRNET Federation” and then your institution.
- Elsevier (Sciencedirect)
- Click “Sign in” at the top right
- Click “sign in” at the “You can also sign in via your institution…”
- Enter the name of your institution in Greek or the domain of your institutions (eg.. For Aristotle University: auth.gr, for University of Patras: upatras.gr, for National Tachnical University of Athens: ntua.gr etc.)
- Elsevier (Scopus)
- Click “Sign in” at the top right
- Click “sign in” at the “You can also sign in via your institution…”
- Enter the name of your institution in Greek or the domain of your institutions (eg.. For Aristotle University: auth.gr, for University of Patras: upatras.gr, for National Tachnical University of Athens: ntua.gr etc.)
- Emerald (MCB)
- Click “Login” at the top right.
- Enter the name of your institution in English or the domain of your institutions (eg.. For Aristotle University: auth.gr, for University of Patras: upatras.gr, for National Tachnical University of Athens: ntua.gr etc.)
- IEEE
- Select your institution
- Institute of Physics (IOP)
- Select/type “HEAL-Link”
- Select your institution
- John Benjamins
- At the window “Select your organization” select “HEAL-Link” and click “Go To Sign in”
- Select your institution
- Lippincott Williams & Wilkins
- Type the english name of your institution upper left
- ProQuest
- Click at top-center the “Log in through your library to access more features” button
- Type and then select the english name or the domain name of your institution (eg. Aristotle University or auth.gr) at the pop-up window “Find your library”
- Project MUSE
- Type the english name of your institution at the “Access via my Institution” window
- PsycARTICLES (APA)
- Type the english name of your institution upper left
- Springer – Nature (SpringerLink platform)
- Select/type “HEAL-LINK GREECE” at the window on the right side.
- Select your institution
- Springer – Nature (nature platform)
- Select/type “HEAL-Link” at the “Access through your institution” window.
- Select your institution
- Taylor & Francis
- Select HEAL-Link (Hellenic Academic Libraries Link)
- Select your institution
- Wiley
- Select Hellenic Academic Libraries Link (HEAL-Link) and then your institution.
For institutions that have individual subscriptions to publishers / providers
- EBSCO Publishing
- Select from the drop down menu “Greek HEAL-Link Federation” and then “View all institutions”
- JSTOR
- Select your institution
All HEAL-Link members should sign the corresponding Members Agreement and its attachements for the proper function of AAI Services.
More info: Support/Downloads –>Documents
An organization can become a HEAL-Link Federation Partner, if it provides subscribed digital content to HEAL-Link or to one or more HEAL-Link members.
Typically, a Federation Partner operates AAI-enabled web resources (Service Providers) and makes them available for the users with an AAI-enabled account at one of the participating Home Organizations that operate an Identity Provider (IDP) and for the users with an AAI-enabled account at HEAL-Link Federation’s Virtual Home Organization.
AAI-enabled web resource can be e-learning platforms, e-journal databases, etc. which make use of federated authentication and authorize access to their applications, based on the information they got via AAI from the Identity Provider of the users’ home organization.
Join Requirements
The following entities and organizations may qualify to become Federation Partners:
- Higher Education and Research Institutions (domestic and international) that wish to provide resources that support AAI access to one or more members of HEAL-Link.
- Each and every digital content provider who has signed agreements with HEAL-Link or with one or more of HEAL-Link members and wishes to offer AAI-enabled resources to one or more HEAL-Link Members.
For any kind of support you can communicate with the corresponding helpdesk of your Home Organization by selecting it from the following list:
Home Organizations List and their helpdesks.
In case you can not find your Home Organisation please contact us.
HEAL-Link Federation Agreements
Federation Partners
An Organization that wants to join as HEAL-Link Federation Partner should sign this agreement.
Home Organizations
Each HEAL-Link member is by default also HEAL-Link Federation Home Organization, since it has the technical infrastructure, and entitled to use AAI Infrastructure. However it is mandatory to sign this agreement with HEAL-Link for the AAI Services.
Registration practice statement
Policies
AAI Policy – Exhibit 1
Specification Documents
Technical & Attributes Specification – Exhibit 2
AAI Services (Base Package) and Dependencies – Exhibit 3
AAI Base Package covers mandatory services for the proper operation of AAI Infrastructure.
The goal of the WAYF (Where Are You From) service is to send a user to the Identity Provider of his Home Organization. The WAYF also is referred to as Discovery Service, which also is the name of a SAML specification implementing the Discovery Service protocol. WAYF and Discovery Services are used synonymously although they are slightly different.
All that the two servies have to accomplish, is to present the user a list of Home Organizations and redirect the user’s web browser to the selected Identity Provider (WAYF) or back to the Service Provider (Discovery Service).
