Versions Compared

Old Version 11

changes.mady.by.user Nicolas Liampotis

Saved on

compared with

New Version Current

changes.mady.by.user Martin Kuba

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: replaced old support email with support@aai.lifescience-ri.eu

Table of Contents

...

Regisration procedure

  1. Follow below instruction to prepare your service
  2. Send an email to support@aai.lifescience-ri.eu containing:
    1. Name of the service
    2. Link to SAML2 metadata or OIDC clientID
    3. Contact email
  3. You will receive confirmation when the service will be technically integrated

Services using SAML2 protocol

Metadata registration

SAML authentication relies on the use of metadata. Both parties (you as a SP and the LifeScience IdP) need to exchange metadata in order to know and trust each other. The metadata include information such as the location of the service endpoints that need to be invoked, as well as the certificates that will be used to sign SAML messages. The format of the exchanged metadata should be based on the XML-based SAML 2.0 specification. Usually, you will not need to manually create such an XML document, as this is automatically generated by all major SAML 2.0 SP software solutions (e.g., Shibboleth, SimpleSAMLphp, and mod_auth_mellon). It is important that you serve your metadata over HTTPS using a browser-friendly SSL certificate, i.e. issued by a trusted certificate authority.

You can get the metadata of the LifeScience IdP on a dedicated URL that depends on the integration environment being used:

Development environmentProduction environment
https://saml.pilot.lifescienceid.org/proxy/saml2/idp/metadata.phphttps://saml.lifescienceid.org/proxy/saml2/idp/metadata.php

Metadata considerations

Metadata provided by your SP should contain a descriptive name of the service that your SP represents in at least English. It is recommended to also provide the name in other languages which are commonly used in the geographic scope of the deployment. The name should be placed in the <md:ServiceName> in the <md:AttributeConsumingService> container.

It is recommended that the <md:IDPSSODescriptor>SPSSODescriptor> element included in your SP metadata contains both an AuthnRequestsSigned and an WantAssertionsSigned attribute set to true.

...

The LifeScience IdP is guaranteed to release a minimal subset of the REFEDS Research & Scholarship attribute bundle to connected Service Providers. A more extensive list of all the attributes that may be made available to Service Providers is included in the following table:

Attribute DescriptionAttribute Friendly NameAttribute OIDAttribute Example Value
Persistent
Life Science unique ID; this is a persistent, non-reassigned, non-targeted identifier
; this
, which is always scoped @lifescienceid.orgeduPersonUniqueIdurn:oid:1.3.6.1.4.1.5923.1.1.1.13

ef72285491ffe53c39b75bdcef46689f5d26ddfa00312365cc4fb5ce97e9ca87@lifescienceid.org

Life Science username; this is is a user-selected, human-readable, revocable identifierTBDTBD

jdoe@lifescienceid.org

Email addressmailurn:oid:0.9.2342.19200300.100.1.3john.doe@example.org
Display namedisplayNameurn:oid:2.16.840.1.113730.3.1.241John Doe
First namegivenNameurn:oid:2.5.4.42John
Family namesnurn:oid:2.5.4.4Doe
Assurance informationeduPersonAssuranceurn:oid:1.3.6.1.4.1.5923.1.1.1.11TBD
Affiliation within research infrastructureeduPersonScopedAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.9affiliate@lifescienceid.org
Affiliation within Home OrganisationvoPersonExternalAffiliation
TBD
https://welcome.lifescienceid.org/attribute-definition/voPersonExternalAffiliation/v1 (only released in pilot environment)member@example.org
Entitilement(s): One or more URIs (either URNs or URLs) that indicate rights to specific resources; URN values expressing group membership and role information use the urn:geant:lifescienceid.org:group namespace (see also AARC-
JRA1.1A
G002)eduPersonEntitlementurn:oid:1.3.6.1.4.1.5923.1.1.1.7

urn:geant:lifescienceid.org:group:examplegroup#perun.pilots.lifescienceid.org

urn:geant:lifescienceid.org:group:examplegroup:examplesubgroup#perun.pilots.lifescienceid.org

urn:geant:lifescienceid.org:group:examplegroup:examplesubgroup:role=manager#perun.pilots.lifescienceid.org

One or more ORCID researcher identifierseduPersonOrcidurn:oid:1.3.6.1.4.1.5923.1.1.1.16http://orcid.org/0000-0002-1825-0097


Services using OpenID Connect (OIDC) protocol

OIDC Client Registration

LifeScience Authentication and Authorisation Infrastructure (LS-AAI) supports LifeScience community's OpenID Connect (OIDC) based clients or service providers. The providers are Web applications like SAML SPs. For the integration, the clients must be registered with OIDC authorisation server provided by the LS-AAI. The operators of the clients are required to provide OIDC client credentials (client id and secret) and redirect or callback URI for the successful registration.

...

Scope in the LS-AAI defines what claims or user attributes the OIDC client can access. Following three standard scopes with corresponding claims are provided:

ScopeClaim (User Attribute Name)Attribute Example Value
openidsubf99bba1f6384c659ecfdba26552f5ad5fabc2741@lifescienceid.org
profile


cn

cemailgivenNamesneduPersonUniqueId
email
given_name
family_name



Isaac Newton

isaacnewton@university-example.org
Isaac
Newton


emailemailisaacnewton@university-example.org
refeds_edu
(TBD)


eduperson_unique_id
eduperson_entitlement
eduperson_scoped_affiliation
eduperson_assurance



f99bba1f6384c659ecfdba26552f5ad5fabc2741@lifescienceid.org
urn:geant:lifescienceid.org:group:lifescience-test:members#perun.lifescienceid.org
affiliate@lifescienceid.org
urn:geant:lifescienceid.org:assurance:rs-sirtfi


Self Service Home Page

Following endpoint can be used to change password, OIDC redirect/callback URIs and SP url attribute:

...