About

The Academic Gateway is a tool which provides a single, easy to navigate environment for logging into (primarily academic) services.

General concept

When a user tries to authenticate to an SP (Service Provider) (for example log in to an information system of their university), there are usually several ways of performing this operation. The user can either:

  • use their local identity

    • for example direct log in to their university’s information system

    • user’s credentials are stored locally in the service and can’t be automatically used to log in to other systems

  • use a federated identity

    • for example log in via an external login page to an identity federation like eduGAIN which provides information about user’s identity to the SP

    • the federation acts as an external IdP (Identity Provider)

    • user’s credentials are stored remotely at the identity federation and can be used to log in to any system supporting communication with the identity federation

  • use a commercial identity

    • for example log in via an external login page to a commercial service like Google, LinkedIn or Facebook which provides information about user’s identity to the SP

    • the commercial service acts as an external IdP

    • user’s credentials are stored remotely at the commercial service and can be used to log in to any system supporting communication with the commercial service

Each of these options typically uses its own set of plugins and communication protocols in the background and puts users through different kinds of login pages. The Academic Gateway provides a way to unify this process from the viewpoint of the user by acting as a proxy between the service they’re trying to access and the actual IdPs.

...

Technical specification

  • hides the background interaction between the various plugins used by several different authentication methods behind a single login screen which is easier to use

  • decides which authentication method to use based on the user’s input (credentials/external auth) and subsequently delegates the specific communication to the respective plugins responsible for that kind of auth

  • uses ECP (Enhanced Client or Proxy Profile) to send the user’s credentials to an external IdP using the SAML protocol during the authentication process if it’s supported - reduces tight coupling with external IdPs, simplifies integration

    • instead of directly verifying the user’s credentials, they are sent to an external IdP which returns the user’s attributes in its reply if the authentication was successful

    • our plugin campususerpass adds support for ECP when using SimpleSAMLphp

  • From the viewpoint of the SAML protocol, AG is a proxy

    • it acts as an IdP towards services (SPs) user is trying to access (log in to)

    • it acts as an SP towards other external IdPs (commercial, federations)

  • AG implements IdP hinting according to AARC-G049 and AARC-G061 specifications

  • Authentication using an auth proxy based on the SAML2 protocol implemented in SimpleSAMLphp

  • Primarily intended for academic subjects

  • Unified way of logging in from various contexts on a single page without unnecessary redirects

    • login from 1 screen in 1 process

    • login possible from various sources (external IdP or local credentials)

      • commercial accounts (LinkedIn, Google…) (external)

      • user’s existing accounts in implementing institution (e.g. account in school’s information system) (local)

      • user accounts in national (eduID.cz) and international (eduGAIN) federations (external)

    • institutions can customize their preferred display order of login options; there are 3 basic modules which can be configured to be displayed with different priorities

      • local sign in

      • picking an identity from a predefined list

      • lookup of identity in a search bar

    • individual user accounts from certain institution

    • shared user identity in a federation

  • Configurable parameters (more info in the README section on GitLab - link below)

    • language localization

    • color scheme

    • institution’s logo

    • Main config options (closely specified in GitLab readme)

      • MUNI Framework

        • compliant with the unified visual style of Masaryk University

        • fewer customizable options

      • Bootstrap 5

        • allows a wider variety of configuration options

        • it’s possible to swap out entire visuals by replies

    • We provide a template which can be entirely omitted and replaced by custom look
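The IdP hinting mentioned above (AARC-G049) lets a service pass an `idphint` query parameter to the proxy’s login URL so the user lands on the right IdP without the full discovery screen. The following Python snippet is an added example, not code from the Academic Gateway project or from SimpleSAMLphp: it parses that parameter (assumed here to be a comma-separated list of URL-encoded entityIDs) and checks each hint against a constructed registry of IdPs the proxy is configured to trust. The registry entries, the sample URLs and the policy of what to do with one, several or no accepted hints are all assumptions made for this illustration. The security-relevant point is the check itself: an entityID the proxy has no metadata for is reported but never forwarded, so a crafted link cannot steer a user to an unknown IdP.

```python
from urllib.parse import urlsplit, unquote

# Constructed registry of IdPs the proxy trusts (sample entityIDs, not real metadata).
TRUSTED_IDPS = {
    "https://idp.university.example/idp/shibboleth": "Example University (local federation)",
    "https://idp.edugain.example/idp": "eduGAIN test IdP",
    "https://accounts.example-social.test": "commercial login",
}


def extract_idphint(login_url: str) -> list[str]:
    """Return the ordered, de-duplicated entityIDs from the idphint query parameter.

    The value is split on literal commas *before* percent-decoding each entry, so a
    comma inside an encoded entityID (%2C) cannot change the list structure.
    """
    hints: list[str] = []
    for pair in urlsplit(login_url).query.split("&"):
        name, _, value = pair.partition("=")
        if name != "idphint":
            continue
        for part in value.split(","):
            entity_id = unquote(part).strip()
            if entity_id and entity_id not in hints:
                hints.append(entity_id)
    return hints


def select_idps(login_url: str, trusted: dict[str, str] = TRUSTED_IDPS) -> dict:
    """Decide how the proxy's login screen reacts to the hint.

    Policy chosen for this example (an assumption, not the project's rule):
      - exactly one trusted hint  -> redirect straight to that IdP
      - several trusted hints     -> show a list restricted to them
      - no usable hint            -> normal discovery / full login screen
    Unknown entityIDs are returned under "rejected" for logging but never used.
    """
    hints = extract_idphint(login_url)
    accepted = [e for e in hints if e in trusted]
    rejected = [e for e in hints if e not in trusted]
    if len(accepted) == 1:
        action = "redirect"
    elif accepted:
        action = "choose"
    else:
        action = "discovery"
    return {"action": action, "idps": accepted, "rejected": rejected}


if __name__ == "__main__":
    # Constructed sample link: one trusted hint and one unknown entityID.
    sample = ("https://ag.example.org/saml/login?return=%2Fdashboard"
              "&idphint=https%3A%2F%2Fidp.university.example%2Fidp%2Fshibboleth"
              ",https%3A%2F%2Funknown.example%2Fidp")
    print(select_idps(sample))
```

In a real deployment the `trusted` dictionary would be derived from the SAML metadata the proxy already loads for its upstream IdPs, so the allow-list needs no separate maintenance; logging the `rejected` entries gives operators a signal when links with unexpected hints are circulating.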

🚧 Project overview (introductory Powerpoint):

https://www.cesnet.cz/wp-content/uploads/2022/11/2022-11-09-MUNI_AAI-MFA-Autentizacni_brana-Baranek.pdf

🚧 Project documentation (final report):

https://fondrozvoje.cesnet.cz/(S(t1vexvzlmnfq1tdpnsbli1nl))/projekt.aspx?ID=676

🚧 Diagram source:

Architecture and software stack plan

Diagram of the architecture

...

Docker image

Ready to use Docker image of the project including all the necessary dependencies and build instructions.

https://gitlab.ics.muni.cz/perun-proxy-aai/containers/docker-campusidp

GitLab repository

This is the official project repository containing the source code and detailed configuration instructions.

...