
DARIAH-DE Authentication and Authorization Infrastructure

Motivation

Since 2006 DARIAH-DE has run a production Authentication and Authorization Infrastructure (AAI) for the DARIAH-EU community. It allows researchers around the world to authenticate with an account either from their home institution or from DARIAH, while benefiting from Single Sign-On and fine-grained authorization mechanisms. To widen the usage of this infrastructure, the DARIAH-EU FIM4D Working Group invites and helps all DARIAH members to integrate their services.

In the past, it was difficult to connect services to the DARIAH AAI. In mid-2018, DARIAH introduced a central AAI proxy that brokers between DARIAH services and eduGAIN. The proxy took over many tasks that each service previously had to handle itself, which makes it much easier to connect new services.

Connecting Services to DARIAH

Key features the AAI proxy provides to DARIAH services:

  • Almost any SAML Service Provider (SP) library can be used in an application

  • No registration of the SP in a federation is needed anymore - just exchange SAML metadata with the proxy

  • The proxy handles Identity Provider (IdP) Discovery and the connection to eduGAIN

  • It provides a service with all IdP attributes, plus information from the central DARIAH directory (LDAP server)

DARIAH AAI Proxy

The DARIAH AAI Proxy is based on the open source Shibboleth IdP and SP software. It implements the Blueprint Architecture of the Horizon 2020 AARC project and consists of

  • an IdP component that is connected to DARIAH Services, and of

  • an SP component that is connected to all IdPs in eduGAIN.

These two components are chained together, so that the AAI proxy forwards all data from eduGAIN IdPs on to DARIAH SPs.

Not just a Proxy

Besides forwarding IdP attributes, the DARIAH AAI proxy does a bit more to enforce DARIAH requirements:

  • Check whether an eduGAIN user is registered in the DARIAH directory, and if not, send them to the DARIAH SelfService

  • Check that the general DARIAH Terms of Use and any service-specific Terms of Use have been accepted

  • Enrich IdP attributes with central authorization group information to be used for access control in services
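The two lists above describe what a service receives from the proxy: a single trusted SAML issuer (the proxy's IdP component, instead of every eduGAIN IdP) and released attributes enriched with central group membership. The following is an added example, not DARIAH's own code, of the service-side logic that turns those into an access-control decision. It assumes the SP library (for instance Shibboleth SP) has already validated the assertion's signature; the proxy entityID, the group attribute name and the sample assertion are constructed placeholders, not DARIAH's real values.

```python
"""Service-side handling of attributes released by a SAML proxy.

Added example, not DARIAH code. The SP library has already validated the
assertion's signature and conditions; this code only (1) checks that the
assertion was issued by the configured proxy and (2) maps the released
attributes to an authorization decision.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed placeholder entityID of the proxy's IdP component (not DARIAH's real one).
PROXY_ENTITY_ID = "https://proxy.example.org/idp/shibboleth"
# Assumed placeholder name of the attribute carrying central authorization-group
# membership (the real attribute name comes from the DARIAH documentation).
GROUP_ATTR = "urn:example:dariah:group"

# Constructed sample assertion: the shape follows SAML 2.0, all values are invented.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://proxy.example.org/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jane.doe@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:dariah:group">
      <saml:AttributeValue>editors</saml:AttributeValue>
      <saml:AttributeValue>reviewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when an assertion does not come from the configured proxy."""


def parse_released_attributes(assertion_xml: str, expected_issuer: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} after checking the Issuer.

    In a proxied federation the service trusts exactly one IdP, the proxy.
    A well-formed assertion from any other entityID is refused, because the
    proxy's registration, Terms-of-Use and group checks only apply to
    assertions it issued itself.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != expected_issuer:
        raise AssertionRejected("assertion not issued by the configured proxy")
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(v for v in values if v)
    return attrs


def is_authorized(attrs: dict[str, list[str]], required_group: str) -> bool:
    """Grant access only if the proxy released membership in required_group.

    Default-deny: a missing or empty group attribute means no access.
    """
    return required_group in attrs.get(GROUP_ATTR, [])


def decide(assertion_xml: str, required_group: str) -> bool:
    """Full decision: issuer check, attribute extraction, group check."""
    try:
        attrs = parse_released_attributes(assertion_xml, PROXY_ENTITY_ID)
    except (AssertionRejected, ET.ParseError):
        return False
    return is_authorized(attrs, required_group)


if __name__ == "__main__":
    print(decide(SAMPLE_ASSERTION, "editors"))  # True
    print(decide(SAMPLE_ASSERTION, "admins"))   # False
```

The issuer check is what makes the proxy model safe for the service: the SP's metadata exchange covers only the proxy, so an assertion that names any other issuer must be dropped even when it carries the expected attributes. Keeping the decision default-deny means a user whom the proxy has not placed in the required group (or whose IdP released nothing usable) simply gets no access.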


DARIAH SelfService

The DARIAH SelfService, which works together with the proxy, is available at auth.de.dariah.eu. It is used to:

  • Register users that authenticate via the eduGAIN meta-federation

  • Let users agree to the general DARIAH and specific service Terms of Use

  • Manage users' data in DARIAH

  • Manage central authorization groups which services can use for access control

  • For users that do not have an eduGAIN IdP: apply for DARIAH accounts and manage passwords

For questions, or if you want to integrate a new service with the AAI, visit wiki.de.dariah.eu/display/publicde/DARIAH+AAI+Documentation or contact register@dariah.eu.