...

The DARIAH Authentication and Authorization Infrastructure (DARIAH AAI) is based on SAML and Shibboleth in the European higher education identity inter-federation eduGAIN and its members. See AARC Federations 101 Training Module or the DASISH Training on AAI for a gentle introduction to the underlying concepts.

For setting up a service in the DARIAH AAI, you want to protect it with a Shibboleth Service Provider, e.g. by following this SWITCHaai Tutorial. Other SP software following the SAML v2 standard can be used as well. In order to integrate better with the DARIAH AAI, follow this presentation on DARIAH AAI. See below for Service Developer Resources.

...

For administrators, there is a DARIAH User Administration which can be accessed here. It allows you to create and manage "homeless" and federated accounts, assign users to authorization groups, e.g. DARIAH Wiki spaces, and manage organizations in a country. See the DARIAH User Administration manual. If you have a question for the admins, please send e-mail to register@dariah.eu.

For Service Developers

DARIAH AAI is integrated in Higher Education Federations using the SAML standard. This means any Web application should integrate with a so-called SAML Service Provider (SP). The SP will protect your application, driving the log-in process and providing your application with attributes about the user who has logged in using a SAML Identity Provider (IdP) at another organization. Be sure you understand these concepts well, perhaps using the Federations 101 article that is linked above.

In the following, we concentrate on securing your Web application using the Shibboleth SP, which is a widely used, flexible and programming-language-independent Apache or IIS module. However, there are other popular Open Source SAML SPs around, such as simpleSAMLphp, pySAML2, mod_auth_mellon, or Spring-Security-SAML, or even commercial ones.

...

Since Summer 2018, DARIAH has run an AAI Proxy. Any DARIAH service provider can use the Proxy's Identity Provider (IdP) component for authentication. The Proxy's SP component, in turn, is registered in the eduGAIN meta-federation and allows researchers with any IdP in eduGAIN to log in.

...

  • Save the DARIAH Proxy metadata (https://aaiproxy.de.dariah.eu/idp) to your local disk under /etc/shibboleth/ as "dariah-proxy-idp.xml" and load it using <MetadataProvider type="XML" file="dariah-proxy-idp.xml"/> in shibboleth2.xml
  • Send your own SP's metadata (from https://your.sp.edu/Shibboleth.sso/Metadata) to register@dariah.eu with a request for entering them at the AAI proxy. Please state whether this service is a test or a production instance.
  • Set the SP to direct login using <SSO entityID="https://aaiproxy.de.dariah.eu/idp"> in shibboleth2.xml
  • Set REMOTE_USER="eppn unique-id"
  • Enable the attributes you need in attribute-map.xml; among them you might specifically want to consider:
    • <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" id="unique-id"><AttributeDecoder xsi:type="ScopedAttributeDecoder"/></Attribute>

...

attribute-map.xml:

```xml
<!-- eduPerson attributes -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" id="unique-id">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>

<!-- standard attributes -->
<Attribute name="urn:oid:2.5.4.3" id="cn"/> <!-- common name -->
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/> <!-- surname -->
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
<Attribute name="urn:oid:2.5.4.10" id="o"/> <!-- organization -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.5" id="schacCountryOfCitizenship"/>

<!-- DARIAH-specific -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
<Attribute name="urn:oid:1.3.6.1.4.1.10126.1.52.5.2" id="dariahRole"/>
<Attribute name="urn:oid:1.3.6.1.4.1.10126.1.52.4.15" id="dariahTermsOfUse"/>
```

...

DARIAH Administrators can assign users to groups, such as "texgrid-users" or "dariah-de-contributors". Such groups can be open to anybody or joinable upon request; see the DARIAH Self Service Documentation. The central DARIAH directory (the DARIAH LDAP server) holds this authorization group information. Your service can use the corresponding multi-valued attribute (isMemberOf in the attribute map above) to implement fine-grained access restrictions.
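As an added example (not code from the original page or from DARIAH), a minimal Python check that a Web application behind the Shibboleth SP could run on the server variables the SP sets: it takes the identifier selected by REMOTE_USER="eppn unique-id", splits the multi-valued isMemberOf attribute the way the SP encodes it (values joined with ';', a literal semicolon escaped as '\;'), and grants access only if the user is in one of the required DARIAH groups. The sample environment and the group names in it are constructed.

```python
"""Group-based authorization on attributes delivered by the Shibboleth SP (added example)."""


def split_multivalued(raw):
    """Split a multi-valued SP attribute: values are joined with ';',
    and a literal ';' inside a value arrives escaped as '\\;'."""
    values, current, i = [], [], 0
    while i < len(raw):
        if raw[i:i + 2] == "\\;":          # escaped semicolon: part of the value
            current.append(";")
            i += 2
        elif raw[i] == ";":                # separator between values
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(raw[i])
            i += 1
    values.append("".join(current))
    return [v for v in values if v]

def current_user(environ):
    """Identifier of the logged-in user. With REMOTE_USER="eppn unique-id" the SP
    already prefers eppn and falls back to unique-id; the fallback is repeated here
    only to make that preference visible. Read the SP's server variables, not
    client-supplied HTTP headers, which a client could forge unless stripped."""
    return environ.get("REMOTE_USER") or environ.get("eppn") or environ.get("unique-id")

def authorize(environ, required_groups):
    """Return (user, allowed): allowed only if the user is in at least one
    of the DARIAH authorization groups listed in required_groups."""
    user = current_user(environ)
    if not user:
        return None, False                 # not authenticated: the SP would normally redirect
    groups = set(split_multivalued(environ.get("isMemberOf", "")))
    return user, not groups.isdisjoint(required_groups)

# Constructed sample environment, shaped like what the SP exports after a login
SAMPLE_ENVIRON = {
    "REMOTE_USER": "jane@example-university.edu",
    "eppn": "jane@example-university.edu",
    "unique-id": "a1b2c3@example.org",
    "isMemberOf": "dariah-de-contributors;textgrid-users",
    "affiliation": "member@example-university.edu;staff@example-university.edu",
}

if __name__ == "__main__":
    print(authorize(SAMPLE_ENVIRON, {"textgrid-users"}))      # ('jane@example-university.edu', True)
    print(authorize(SAMPLE_ENVIRON, {"dariah-wiki-admins"}))  # ('jane@example-university.edu', False)
```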

...

attribute-map.xml:

```xml
<Attribute name="urn:oid:1.3.6.1.4.1.10126.1.52.4.15" id="dariahTermsOfUse"/>
```

Setting Up Direct Trust with the DARIAH Homeless Identity Provider

The recommended way of connecting a service with DARIAH is via the AAI proxy, see above. However, in some exceptional cases you might want to set up direct trust with the DARIAH "homeless" IdP. This might apply if:

  • a) You decidedly do not want members of the eduGAIN federation to use your service, or
  • b) Your service already has connections to eduGAIN IdPs via a national federation, and you just want to add DARIAH and its special attributes

The recipe to configure your Shibboleth SP is as follows:

Case a): DARIAH without eduGAIN

  • Save the DARIAH homeless IdP metadata (https://idp.de.dariah.eu/idp/shibboleth) to your local disk under /etc/shibboleth/ as "dariah-homeless-idp.xml" and load it using <MetadataProvider type="XML" file="dariah-homeless-idp.xml"/> in shibboleth2.xml
  • Send your own SP's metadata (from https://your.sp.edu/Shibboleth.sso/Metadata) to register@dariah.eu with a request for entering them at the DARIAH homeless IdP. Please state whether this service is a test or a production instance, and which of the available attributes your service requires
  • Set the SP to direct login using <SSO entityID="https://idp.de.dariah.eu/idp/shibboleth"> in shibboleth2.xml
  • Set REMOTE_USER="eppn unique-id"
  • Enable the attributes you need in attribute-map.xml. See above for the attributes that are available.

Case b): Connect to DARIAH IdP via eduGAIN directly