About ECHE Whitelist

Some academic institutions would like to participate in student mobility programs or university alliances but face obstacles: they are not part of a federation, they do not have their own Identity Provider (IdP), or they cannot release the necessary attributes about their students. The ECHE Whitelist is a list of organizations that are allowed to use Perun as a virtual IdP. Students can log in with their social IdPs or national identities (eID). Perun enriches the attributes from the social IdP with the necessary attribute containing the student's identifier from their academic institution.

...

User enrollment

Students register using application forms where they fill in their student number - the unique identifier of a student within their institution. The IROs are responsible for independently verifying the student's identity outside of Perun's environment and subsequently approving their application. From that point on, students can use Perun as a virtual IdP providing their student identifier.

Adding new institutions 

The list of institutions eligible for the ECHE Whitelist is updated annually by the European Commission. This information is processed by GÉANT and relayed to Perun team members using personal communication channels such as emails. The Perun team has scripts in the GÉANT GitLab repository that are capable of adding the new institutions from a CSV file. The data received by the Perun team has to be parsed into a single CSV file with the following schema: shacHomeOrganization;Country;Organisation Name. This file can contain institutions that already exist in Perun as well as new organizations. The scripts verify whether the institution exists before creating its new representation in Perun. Sometimes the data needs to be cleaned of duplicates, incorrectly formatted shacHomeOrganization values or similar inconsistencies.
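
A pre-flight check for the input file described above, as an added example (it is not one of the Perun team's scripts in the GÉANT GitLab repository). It assumes that schacHomeOrganization is a lowercase DNS domain name, that Country is a two-letter code and that a header row is optional; check_whitelist_csv and the sample rows are constructed for illustration.

```python
import csv
import io
import re

# Assumption: schacHomeOrganization is a lowercase DNS domain name.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Assumption: Country is a two-letter upper-case code such as "FR".
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")

# Constructed sample input, not real whitelist data.
SAMPLE = """shacHomeOrganization;Country;Organisation Name
uni-a.example;CZ;University A
https://uni-b.example;DE;University B
uni-a.example;CZ;University A (again)
uni-c.example;France;University C
uni-d.example;FR;University D
"""


def check_whitelist_csv(text):
    """Return (clean_rows, problems); problems are (row_number, message)."""
    clean, problems, seen = [], [], {}
    rows = csv.reader(io.StringIO(text), delimiter=";")
    for rowno, row in enumerate(rows, start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 3:
            problems.append((rowno, f"expected 3 fields, got {len(row)}"))
            continue
        sho, country, name = (cell.strip() for cell in row)
        if rowno == 1 and country == "Country":
            continue  # optional header row (assumed)
        errors = []
        if not DOMAIN_RE.match(sho):
            errors.append(f"bad schacHomeOrganization {sho!r}")
        if not COUNTRY_RE.match(country):
            errors.append(f"bad country code {country!r}")
        if not name:
            errors.append("empty organisation name")
        if sho.lower() in seen:
            errors.append(f"duplicate of row {seen[sho.lower()]}")
        if errors:
            problems.extend((rowno, e) for e in errors)
            continue
        seen[sho.lower()] = rowno
        clean.append((sho, country, name))
    return clean, problems
```

Rows reported in problems are left out of clean_rows, so they can be corrected by hand before the file is passed to the acceptance run.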

Test run

Running the script eche_iolr_acceptance.py consumes info about the whitelisted institutions from test.csv and updates the acceptance instance of MyAcademicID - https://vo.acc.myacademicid.org/ 

Verifying that the creation was successful:

  1. Find the new organization in Perun GUI and retrieve the invitation link: Access Management → MyAcademicID → Groups → ECHE-IOLR → <new institution country code> → <new institution> → Students → Members → Copy Invitation link button
  2. Open the invitation link in a new tab in your browser and fill out the registration form
  3. Approve the application in Perun: Access Management → MyAcademicID → Groups → ECHE-IOLR → <new institution country code> → <new institution> → Students → Applications
  4. Verify that the new student from the application has the new institution's identity:
    1. In the Students group → Members → <New student> → <user ID> → Identities (The identity of the new institution with login set to the student's identifier should be visible here)
    2. In the Students group → Members → <New student> → <user ID> → Attributes (Here, the schacPersonalUniqueCodes and schacHomeOrganizations should include the new institution)

Production run

Running the script eche_iolr_production.py consumes info about the whitelisted institutions from production.csv and updates the production instance of MyAcademicID - https://vo.myacademicid.org/ 

Removal of institutions

Presently, the removal of institutions from the whitelist is not automated. Please contact Perun team members for manual removal of institutions that should no longer be whitelisted.

Technical notes

Perun uses the supplied schacHomeOrganization from the input CSV file to calculate the schacPersonalUniqueCodes. Some countries (currently only France) don't want the schacHomeOrganization as a part of the schacPersonalUniqueCodes. Instead, the country code (in this case 'FR') is used in the schacPersonalUniqueCodes. However, we currently do not have any users from these countries, so we haven't dealt with this case yet, even though the scripts should be able to handle it. Should the occasion arise, extra caution should be applied when creating these groups.

Perun team contacts

Peter Bolha - bolha@censet.cz (development, operations)

Matej Jošťák - jostak@cesnet.cz (deployment, operations)

Pavel Zlámal - zlamal@cesnet.cz (deployment, operations)