Connecting the service

This page describes the administrative process of connecting a service to the e-INFRA CZ AAI.

A guide on how to implement a service provider/relying party is available here.

Service administration and registration take place in the Service Provider administration application (SPAdmin). It is available at https://spadmin.e-infra.cz/.

Managing service

The AAI provides a special tool for managing connected services and connecting new ones. The idea of this tool is that users create a request with the specified settings of the service. After the request is created, AAI operators review it and decide whether the proposal can be accepted. After the request is approved, the appropriate changes are made in the service configuration.

AAI environments

Services are separated into different environments of the AAI according to their stage of implementation. Currently, two environments are supported - TESTING and PRODUCTION.

Testing environment

This is the test environment all new services are registered in. Such services are limited to being accessed only by the developers.

Production environment

After the service is developed to the level of your satisfaction, the manager of the service can request that it be transferred to the production environment. Services connected to the AAI in this environment can be accessed by anyone with an e-INFRA CZ account (if restricted access is not set up). They are also published on the list of available services connected to the e-INFRA CZ AAI.

Registering a new service

  1. Visit the SPAdmin application (linked above) and log in using your common login (e.g. your home organization login).

  2. Go to the “New service” tab (or click the button with the same name present on the home page).

  3. From the dropdown menu, choose the protocol your service will use (SAML2/OIDC).

  4. You will be presented with a form. Filling it in will guide you through the categories of data we need from you: service data, organization information, protocol-based information, and settings for delegated access control.

  5. After filling in the form, submit it. You will be informed via email that your application has been submitted. In case of any problem, do not hesitate to contact us.

  6. AAI operators will review your application. If any deficiencies are identified, you will receive an email notification about this fact. Any comments on the provided data can be found in the details of your application (linked from the email notification).

  7. If no problems were identified, your application will be approved. You will again be informed about this via email notification. Please note that the registered service is connected to the TESTING environment. Only a limited set of people will be able to access the service.

If you have selected OpenID Connect as the protocol, please note that the client credentials (Client ID and Client Secret) will be generated after the AAI operators approve the application. You will need these to set up your service client. They will be made available to the service administrators on the service detail page in the SPReg application.

Additional information

During the registration process, you will be asked to specify what information about the user your service will consume from the AAI. A list of the provided information can be found on the following page.

Modifying settings

  1. Visit the SPAdmin application (linked above) and log in using your common login (e.g. your home organization login).

  2. Go to the “My services” tab (or click the button with the same name present on the home page).

  3. From the list of services you can manage, click the row in the table with the data of the service whose settings you wish to modify.

  4. You will be presented with a detailed view of the current service settings. Click the “Modify Settings” button in the top right section.

  5. A page with categorized inputs will appear. Expand the section of the settings you want to modify and modify the settings. After you are done, click the “Submit” button. If all of the fields meet the requirements, the form is submitted. Otherwise, follow the error messages to correct the invalid fields and resubmit the form.

  6. You have now successfully created a request to modify the settings. You will be informed via email that your request has been submitted. In case of any problem, do not hesitate to contact us.

  7. AAI operators will review your request. If any deficiencies are identified, you will receive an email notification about this fact. Any comments on the provided data can be found in the details of your application (linked from the email notification).

  8. If no problems were identified, your request will be approved. You will again be informed about this via email notification.

  9. After the request is approved, all proposed changes are reflected in the AAI service configuration. Do not forget to make the appropriate changes in your service implementation configuration as well.

Transfer to the production environment

  1. Visit the SPAdmin application (linked above) and log in using your common login (e.g. your home organization login).

  2. Go to the “My services” tab (or click the button with the same name present on the home page).

  3. From the list of services you can manage, click the row in the table with the data of the service whose settings you wish to modify.

  4. You will be presented with a detailed view of the current service settings. Click the “Move to production” button in the top right section.

  5. A page with information about creating the request will appear. Click the “Submit” button.

  6. You have now successfully created a request to modify the settings. You will be informed via email that your request has been submitted. In case of any problem, do not hesitate to contact us.

  7. AAI operators will review your request. If any deficiencies are identified, you will receive an email notification about this fact. Any comments on the provided data can be found in the details of your application (linked from the email notification).

  8. If no problems were identified, your request will be approved. You will again be informed about this via email notification.

  9. After the request is approved, your service will be connected to the AAI production environment.

Remove service

  1. Visit the SPAdmin application (linked above) and log in using your common login (e.g. your home organization login).

  2. Go to the “My services” tab (or click the button with the same name present on the home page).

  3. From the list of services you can manage, click the row in the table with the data of the service whose settings you wish to modify.

  4. You will be presented with a detailed view of the current service settings. Click the “Remove service” button in the top right section.

  5. A dialog with information about creating the request will appear. Click the “Yes” button.

  6. You have now successfully created a request to remove the service. You will be informed via email that your request has been submitted. In case of any problem, do not hesitate to contact us.

  7. AAI operators will review your request. If no problems were identified, your request will be approved. You will again be informed about this via email notification.

  8. After the request is approved, your service will be disconnected from the AAI and will no longer be offered to the e-INFRA CZ users.

Add managers

  1. Visit the SPAdmin application (linked above) and log in using your common login (e.g. your home organization login).

  2. Go to the “My services” tab (or click the button with the same name present on the home page).

  3. From the list of services you can manage, click the row in the table with the data of the service whose settings you wish to modify.

  4. You will be presented with a detailed view of the current service settings. Switch to the “Managers” tab. The “Add managers” button should appear. Click it.

  5. A page with an input field will be presented. Enter the email addresses of the people you want to add as managers of the service. After entering them, click the add button.

  6. The system has now sent email notifications to the specified email addresses. The email contains a unique link for each address, via which the user can access the request. After opening the link, users will be offered the option to accept or reject your invitation.

  7. Please note that the invited managers must have an e-INFRA CZ AAI account to be able to accept your invitation. Also, the invitation link is valid only for a limited period of time (usually 30 days). After this period, the link is no longer usable and you will have to reinvite the person.

Support: perun@cesnet.cz