AAI Infrastructure

The objective of the AAI (Authentication and Authorization Infrastructure) is, in a nutshell, to simplify inter-organizational access to web resources. With a single login using his/her institutional account, an authorized user can access all HEAL-Link subscriptions from anywhere. The AAI is built on a concept called federated identity management.

The need to access a variety of electronic resources, and the difficulties that arise when each one requires separate authentication credentials, led to the creation of an infrastructure for unified access. Under this structure a user authenticates once, to the institution he/she belongs to; the institution then vouches for its authenticated user towards the service and supplies the information needed to decide whether that user should have access to the corresponding services (authorization). Until now access was based either on individual credentials for each service/resource or on recognizing IP addresses.

The problems users face with the previous approaches are the following:

  • Time-consuming user registration and management procedures for every online resource.
  • Users have to manage multiple passwords.
  • Authorization is neglected: the existing mechanisms only authenticate a user, they do not convey who is entitled to what.
  • Integrating users from other universities requires a large effort, due to the lack of a standard way to express authorization.
  • Access is not independent of location when it relies on IP address recognition.

The AAI Services offer the following advantages:

  • Because the digital identity is managed by the user's Home Organization, electronic resources do not need to provide their own registration and user management.
  • A standard authentication mechanism lets users access various online resources.
  • Users have access regardless of their location.
  • Data protection requirements are respected: a resource receives only the attributes that the Home Organization's Attribute Release Policy permits for it.

A Federation is a collection of organizations that agree to interoperate under a certain set of rules. A federation usually defines trusted roots, authorities and attributes, and distributes metadata representing this information. In general, each organization participating in a federation operates one Identity Provider for its users and any number of Service Providers.

Federations are not a prerequisite for using Shibboleth, but they greatly facilitate the exchange of information. By providing a common set of rules, federations also play a key role in the smooth operation of Shibboleth. The HEAL-Link Federation is particularly important because HEAL-Link is responsible for the license agreements with the publishers; therefore the HEAL-Link Federation must establish policies and access rules for its members.

[Figure: graphical description of a Federation and its members.]

    • AAI
      Authentication and Authorization Infrastructure.

    • Assertion
      A digital statement issued by an IDP, derived from the Digital Identity of an End User. Typically an Assertion is digitally signed and optionally encrypted.

    • Authentication
      Process of confirming the identity of an existing registered user.

    • Authorization
      Process of specifying access rights (granting or denying access) to resources.

    • Attributes (Authorization)
      User data (such as name, affiliation, study branch, etc.) needed for access control decisions. The attributes used by the HEAL-Link Federation are defined in the Technical & Attributes Specification document.

    • Attribute Release Policy (ARP)
      Defines which attributes are released to which requesting resource (in Shibboleth this is the attribute filter). It is the mechanism that implements privacy and data protection: a resource receives only the attributes the policy permits for it, and nothing is released to a resource the policy does not cover.

    • Attribute Resolver
      A component of the Identity Provider. It retrieves attributes from various data sources (LDAP, Active Directory, …) and performs the necessary transformations for SAML transport.

    • Digital Identity
      A set of information that is attributable to an End User. It is issued and managed by an IDP Operator on the basis of the identification of the End User.

    • Discovery Service
      Technical term/synonym for WAYF.

    • End User
      Typically, a human person who belongs to an organization, who uses Federated Authentication via his/her organization’s IDP. However, an End User can also be a legal person, a virtual artifact (e.g. a computer process, an application) or a tangible object (e.g. a device).

    • Entitlement
      Entitlements form a specialized class of Authorization Attributes important enough to call out separately. They can be used to identify a user's eligibility to access a given resource such as an e-journal. The HEAL-Link Federation uses this attribute for the authorization of authenticated users.

    • EntityID
      The EntityID is a unique identifier (a URI) identifying each Service Provider and Identity Provider in the Metadata.

    • Federated Authentication
      An End User uses his/her Digital Identity to authenticate for accessing services offered by SP Operators within the same or a different organization.

    • Federated Identity Management
      The management and use of identity information across security domains, e.g. between individual universities. It deals with issues such as interoperability, liability, security, privacy and trust.

    • Federation
      A federation is a collection of organizations that agree to interoperate under a certain set of rules.

    • Federation Operator
      The organization managing the Federation, operating the central components and acting as a competence centre. HEAL-Link is the Federation Operator of the HEAL-Link Federation.

    • Federation Partner
      An organization that is not a HEAL-Link member but wants to participate in the HEAL-Link Federation and has signed the HEAL-Link Federation Partner Agreement.

    • HEAL-Link Federation
      HEAL-Link Federation consists of the corresponding Participants that cooperate in the area of Federated Authentication and authorization and, for this purpose, operate a common Federation. HEAL-Link is the Federation Operator of HEAL-Link Federation.

    • HEAL-Link Federation Participant
      An organization, member of HEAL-Link, that participates in HEAL-Link Federation, or a HEAL-Link Federation Partner.

    • Home Organization
      A participating organization, member of HEAL-Link, representing a user community. A Home Organization registers users and stores information about them. Furthermore, it is able to authenticate its users and it operates an IDP.

    • Identity Provider (IDP)
      The system component that issues Assertions about End Users after they have been authenticated by their organization's authentication system; the End Users' browsers carry these Assertions to SPs in order to access their services.

    • IDP Operator
      The organization operating an IDP. IDP Operator refers to the legal entity that signs contracts, is a HEAL-Link Participant and is responsible for the overall processes supporting the IDP.

    • Metadata
      The Metadata contain technical details and descriptive information about the IDPs and SPs of HEAL-Link Federation. For interoperability in a specific context, the Metadata format definition is part of a Federation Technology Profile.

    • Relying Party
      In general, one or more Service Providers or Identity Providers that send or receive an Assertion. A relying party can be a single Service Provider or a group of Service Providers. SPs and IDPs can be grouped into a relying party by including them in an EntitiesDescriptor element in the Metadata. Such a group of Service Providers can then, for example, be used to instruct an Identity Provider to use a specific way of transmitting attributes to the components of this particular relying party.

    • Resource
      Web application, web site, information system, etc. An AAI-enabled Resource requests attributes about users from an IDP and makes access decisions (authorization) based on these attributes.

    • SAML
      SAML – the Security Assertion Markup Language – is an XML framework for exchanging authentication and authorization information. SAML is a standard of OASIS. Shibboleth software is based on SAML.

    • Service Provider (SP)
      The system component that evaluates the Assertion from an IDP and also uses this information for controlling access to protected services. Synonym for an AAI-enabled Resource, which is used in a more technical sense.

    • Shibboleth
      Open source software developed by the Shibboleth Consortium. Shibboleth is based on SAML and allows the implementation of an AAI. HEAL-Link makes use of Shibboleth.

    • Single Sign-On (SSO)
      With Single Sign-On a user gains access to multiple Resources by authenticating only once to his/her Home Organization.

    • Virtual Home Organization (VHO)
      The Virtual Home Organization is an Identity Provider for users who do not belong to a participating Home Organization.

    • VHO group
      A VHO group is a container within the VHO. It contains VHO end users and/or subgroups, which in turn can contain VHO end users. A VHO group is managed by one or more VHO administrators.

    • VHO administrator
      The VHO administrator is a resource owner who is responsible for his/her VHO group(s) and their VHO end users. He/she maintains the account data and provides support for VHO end users.

    • VHO end user
      A VHO end user is a valid user who belongs to the VHO.

    • WAYF (Where Are You From)
      The WAYF service, also called Discovery Service, lets the user choose his Home Organization from a list and then redirects the user to the corresponding login page for authentication.
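
An added example (not HEAL-Link's own configuration or code) of how an Attribute Release Policy, an Entitlement and the Service Provider's access decision fit together, modelled on the Shibboleth IdP attribute-filter.xml syntax. The policy, the user attributes, the SP entityID and the entitlement value urn:mace:dir:entitlement:common-lib-terms are assumptions for illustration; HEAL-Link's actual attributes are defined in its Technical & Attributes Specification. The script parses a policy in attribute-filter form, computes what an IdP would release to a given requester, and then applies the SP's entitlement check. Only the Requester/ANY requirement rules and the ANY/Value permit rules are modelled; Shibboleth's deny rules are omitted.

```python
"""Attribute Release Policy (ARP) evaluation modelled on the Shibboleth IdP
attribute filter, followed by the Service Provider's entitlement check.
Example code, not HEAL-Link's configuration; names and values are assumptions."""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed policy in attribute-filter.xml syntax (subset: Requester/ANY requirement
# rules, ANY/Value permit rules). Nothing is released unless a policy permits it.
POLICY_XML = """<AttributeFilterPolicyGroup id="example" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToPublisher">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.publisher.example/shibboleth"/>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def load_policies(xml_text):
    """Parse policies into dicts: one requirement rule plus per-attribute permit rules."""
    root = ET.fromstring(xml_text)
    policies = []
    for pol in root.findall(f"{{{AFP}}}AttributeFilterPolicy"):
        req = pol.find(f"{{{AFP}}}PolicyRequirementRule")
        rules = {}
        for ar in pol.findall(f"{{{AFP}}}AttributeRule"):
            rules[ar.get("attributeID")] = [
                (pv.get(XSI_TYPE), pv.get("value"))
                for pv in ar.findall(f"{{{AFP}}}PermitValueRule")]
        policies.append({
            "id": pol.get("id"),
            "req": (req.get(XSI_TYPE), req.get("value")) if req is not None else (None, None),
            "rules": rules})
    return policies


def policy_applies(policy, requester):
    rtype, rvalue = policy["req"]
    if rtype == "ANY":
        return True
    if rtype == "Requester":          # match on the requesting SP's entityID
        return rvalue == requester
    return False                      # missing or unmodelled rule type: fail closed


def value_permitted(permit_rules, value):
    return any(ptype == "ANY" or (ptype == "Value" and pvalue == value)
               for ptype, pvalue in permit_rules)


def release(policies, requester, attributes):
    """Attributes the IdP releases to `requester`. Default deny: a value goes out only
    if some applicable policy has a permit rule covering it (deny rules not modelled)."""
    released = {}
    for policy in policies:
        if not policy_applies(policy, requester):
            continue
        for attr_id, permit_rules in policy["rules"].items():
            for value in attributes.get(attr_id, []):
                if value_permitted(permit_rules, value):
                    released.setdefault(attr_id, [])
                    if value not in released[attr_id]:
                        released[attr_id].append(value)
    return released


def sp_authorize(released, required_entitlement):
    """SP-side decision: grant only if the required entitlement value was released.
    Being authenticated is not enough; the entitlement carries the authorization."""
    return required_entitlement in released.get("eduPersonEntitlement", [])


# Constructed user attributes, as an Attribute Resolver would produce them from LDAP.
USER = {
    "eduPersonScopedAffiliation": ["staff@uni-a.example"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms",
                             "urn:example:intranet-admin"],
    "mail": ["alice@uni-a.example"],
}
PUBLISHER_SP = "https://sp.publisher.example/shibboleth"   # assumed SP entityID
LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"      # assumed entitlement value
POLICIES = load_policies(POLICY_XML)

if __name__ == "__main__":
    print(release(POLICIES, PUBLISHER_SP, USER))
    print(release(POLICIES, "https://unregistered.example/shibboleth", USER))
```

Two properties are worth noting: the filter is default-deny (the mail attribute and the second entitlement value are never sent, and a requester that no policy names receives nothing at all), and the authorization decision belongs to the SP, which must check the entitlement value rather than admit any authenticated user.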

Participating Home Organizations are all HEAL-Link members.

To date, the following organizations have signed the HEAL-Link Federation Partner Agreement and are therefore HEAL-Link Federation Partners.

All HEAL-Link members should sign the corresponding Members Agreement and its attachments for the proper functioning of the AAI Services.

More info: Support/Downloads -> Documents

An organization can become a HEAL-Link Federation Partner, if it provides subscribed digital content to HEAL-Link or to one or more HEAL-Link members.

Typically, a Federation Partner operates AAI-enabled web resources (Service Providers) and makes them available to users who hold an AAI-enabled account at one of the participating Home Organizations (each of which operates an Identity Provider, IDP), and to users with an AAI-enabled account at the HEAL-Link Federation's Virtual Home Organization.

AAI-enabled web resources can be e-learning platforms, e-journal databases, etc., which use federated authentication and authorize access to their applications based on the information they receive via the AAI from the Identity Provider of the user's home organization.

Join Requirements

The following entities and organizations may qualify to become Federation Partners:

  • Higher Education and Research Institutions (domestic and international) that wish to provide resources that support AAI access to one or more members of HEAL-Link.
  • Any digital content provider that has signed agreements with HEAL-Link or with one or more HEAL-Link members and wishes to offer AAI-enabled resources to one or more HEAL-Link members.

For any kind of support you can contact the helpdesk of your Home Organization by selecting it from the following list:

Home Organizations List and their helpdesks.

If you cannot find your Home Organization, please contact us.

HEAL-Link Federation Agreements

Federation Partners
An organization that wants to join as a HEAL-Link Federation Partner should sign this agreement.

Home Organizations
Each HEAL-Link member is by default also a HEAL-Link Federation Home Organization, since it has the technical infrastructure and is entitled to use the AAI Infrastructure. However, it is mandatory to sign this agreement with HEAL-Link for the AAI Services.

Registration practice statement

Policies

AAI Policy – Exhibit 1

Specification Documents

Technical & Attributes Specification – Exhibit 2

AAI Services (Base Package) and Dependencies – Exhibit 3
The AAI Base Package covers the mandatory services for the proper operation of the AAI Infrastructure.

The goal of the WAYF (Where Are You From) service is to send a user to the Identity Provider of his/her Home Organization. The WAYF is also referred to as a Discovery Service, which is also the name of a SAML specification (the Identity Provider Discovery Service Protocol and Profile). The two terms are used synonymously although the mechanisms differ slightly.

All that the two services have to accomplish is to present the user with a list of Home Organizations and then redirect the user's web browser. A classic WAYF sends the browser directly to the selected Identity Provider, whereas a Discovery Service sends it back to the Service Provider together with the entityID of the chosen Identity Provider, and the Service Provider then starts the authentication request itself. Because the Discovery Service redirects to a return URL supplied by the Service Provider, it must check that URL against the Service Provider's entry in the federation Metadata before redirecting; otherwise it can be abused as an open redirector.
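
The Discovery Service exchange described above, as an added example that is not part of the HEAL-Link page or of the Shibboleth software: the SP sends the browser to the Discovery Service with its own entityID and a return URL, the service lists the IdPs found in the federation Metadata and, once the user has chosen one, sends the browser back to the return URL with the chosen IdP's entityID in the query parameter named by returnIDParam (entityID by default). The security-relevant check is that the return URL must match a DiscoveryResponse endpoint registered in the SP's metadata. The EntitiesDescriptor, entityIDs and hostnames below are constructed for the example; signature verification of the metadata itself is assumed to have happened when it was fetched from the Federation Operator.

```python
"""SAML Identity Provider Discovery Service response with return-URL validation.
Example code (not HEAL-Link's or Shibboleth's); metadata and hostnames are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"}

# Constructed federation metadata: two IdPs and one SP with a DiscoveryResponse endpoint.
METADATA_XML = """<md:EntitiesDescriptor Name="urn:example:federation"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">University A</mdui:DisplayName></mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.uni-a.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.uni-b.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">University B</mdui:DisplayName></mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.uni-b.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.publisher.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Location="https://sp.publisher.example/Shibboleth.sso/Login" index="1"/>
      </md:Extensions>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.publisher.example/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_metadata(xml_text):
    """Index the metadata: IdP entityID -> display name for the chooser page,
    SP entityID -> list of registered DiscoveryResponse Locations."""
    root = ET.fromstring(xml_text)
    idps, sps = {}, {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            name = idp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
            idps[entity_id] = name.text if name is not None else entity_id
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:
            sps[entity_id] = [dr.get("Location")
                              for dr in sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS)]
    return idps, sps


def return_url_allowed(sps, sp_entity_id, return_url):
    """The return URL may carry extra query parameters (e.g. target=), but its scheme,
    host[:port] and path must equal a DiscoveryResponse Location of that SP.
    Comparing the whole netloc also rejects userinfo tricks such as https://sp@evil/..."""
    want = urlsplit(return_url)
    return any((want.scheme, want.netloc, want.path) == (loc.scheme, loc.netloc, loc.path)
               for loc in map(urlsplit, sps.get(sp_entity_id, [])))


def discovery_response(idps, sps, sp_entity_id, chosen_idp,
                       return_url=None, return_id_param="entityID"):
    """Build the redirect that sends the browser back to the SP with the chosen IdP."""
    if chosen_idp not in idps:
        raise ValueError("chosen IdP is not in the federation metadata")
    if not sps.get(sp_entity_id):
        raise ValueError("requesting SP is unknown or has no DiscoveryResponse endpoint")
    if return_url is None:
        return_url = sps[sp_entity_id][0]          # fall back to the registered endpoint
    elif not return_url_allowed(sps, sp_entity_id, return_url):
        raise ValueError("return URL not registered for this SP; refusing to redirect")
    sep = "&" if urlsplit(return_url).query else "?"
    return return_url + sep + urlencode({return_id_param: chosen_idp})


IDPS, SPS = load_metadata(METADATA_XML)
PUBLISHER_SP = "https://sp.publisher.example/shibboleth"      # assumed SP entityID
UNI_A_IDP = "https://idp.uni-a.example/idp/shibboleth"        # assumed IdP entityID

if __name__ == "__main__":
    print(sorted(IDPS.items()))        # what the chooser page would list
    print(discovery_response(IDPS, SPS, PUBLISHER_SP, UNI_A_IDP,
                             "https://sp.publisher.example/Shibboleth.sso/Login?target=%2Fjournal"))
```

The chooser is built only from IdPs present in the Metadata, and the redirect target is taken from the SP's own Metadata entry rather than trusted from the request, so neither a made-up IdP nor a foreign host can be injected into the flow.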