
About ECHE Whitelist

Some academic institutions would like to participate in student mobility programs or university alliances but face obstacles: they are not part of a federation, they do not have their own Identity Provider (IdP), or they cannot release the necessary attributes about their students. The ECHE Whitelist is a list of organizations that are allowed to use Perun as a virtual IdP. Students log in with their social IdPs or national identities (eID), and Perun enriches the attributes from the social IdP with the attribute carrying the student's identifier from their academic institution.


This system is implemented on the MyAcademicID Perun instance. There, the MyAcademicID virtual organization contains the ECHE-IOLR group which represents the Whitelist. Individual countries are represented by subgroups of the ECHE-IOLR group. Institutions are represented by subgroups of the country groups. Each institution has an administration group called IRO (International Relations Officers) and a group for students called Students.

User enrollment

Students register using application forms where they fill in their student number - the unique identifier of a student within their institution. The IROs are responsible for independently verifying the student's identity outside of Perun's environment and subsequently approving their application. From that point on, students can use Perun as a virtual IdP providing their student identifier.

Adding new institutions

The list of institutions eligible for the ECHE Whitelist is updated annually by the European Commission. This information is processed by GÉANT and relayed to Perun team members through personal communication channels such as email. The Perun team has scripts in the GÉANT GitLab repository that add the new institutions from a csv file. The data received by the Perun team has to be parsed into a single csv file with the following schema: shacHomeOrganization;Country;Organisation Name. This file can contain institutions that already exist in Perun as well as new organizations; the scripts verify whether an institution exists before creating its representation in Perun. Sometimes the data needs to be cleaned of duplicates, incorrectly formatted schacHomeOrganization values, or similar inconsistencies.
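The cleaning step described above is where most of the risk sits: a malformed or duplicated schacHomeOrganization creates a wrong virtual IdP scope that students then get identities under. The following is an added example (not the team's GitLab script) of a pre-flight check run over the csv before either eche_iolr script is invoked. It assumes the header shown on this page, treats the first column as a DNS domain name, lower-cases it before comparing, and takes the set of schacHomeOrganization values already present in Perun as an input; the sample csv and the "existing" set are constructed for the demonstration.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Header exactly as the page documents the csv schema.
EXPECTED_HEADER = ["shacHomeOrganization", "Country", "Organisation Name"]

# schacHomeOrganization is a DNS domain name: lower-case labels, at least one dot.
# Assumption: the production scripts apply a comparable format rule.
SHO_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$"
)


@dataclass
class CleanResult:
    to_create: list = field(default_factory=list)   # valid rows not yet in Perun
    existing: list = field(default_factory=list)    # already in Perun, will be skipped
    duplicates: list = field(default_factory=list)  # same SHO repeated within the file
    invalid: list = field(default_factory=list)     # (row, reason) pairs to fix by hand


def clean_whitelist_csv(text: str, existing_shos: set) -> CleanResult:
    """Validate and de-duplicate the whitelist csv; never raises on bad rows,
    only on a wrong header, so a whole wrong file is rejected up front."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = [h.strip() for h in next(reader)]
    if header != EXPECTED_HEADER:
        raise ValueError(f"unexpected header: {header}")

    result = CleanResult()
    seen = set()
    for lineno, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue  # blank line, e.g. trailing ';;'
        if len(row) != 3:
            result.invalid.append((row, f"line {lineno}: expected 3 columns, got {len(row)}"))
            continue
        sho, country, name = (cell.strip() for cell in row)
        sho = sho.lower()
        country = country.upper()
        if not SHO_RE.match(sho):
            result.invalid.append((row, f"line {lineno}: malformed schacHomeOrganization {sho!r}"))
            continue
        if not re.fullmatch(r"[A-Z]{2}", country):
            result.invalid.append((row, f"line {lineno}: country must be a 2-letter code"))
            continue
        if not name:
            result.invalid.append((row, f"line {lineno}: empty organisation name"))
            continue
        if sho in seen:
            result.duplicates.append(row)
            continue
        seen.add(sho)
        entry = {"sho": sho, "country": country, "name": name}
        # Idempotency: an institution already represented in Perun is reported, not re-created.
        (result.existing if sho in existing_shos else result.to_create).append(entry)
    return result


# Constructed sample input: one good new row, a case-variant duplicate of it,
# a malformed SHO, an institution already in Perun and a blank trailer row.
SAMPLE_CSV = """shacHomeOrganization;Country;Organisation Name
uni-example.cz;CZ;Example University
Uni-Example.cz;cz;Example University
bad host.fr;FR;Broken Row
example-college.de;DE;Example College
;;
"""
SAMPLE_EXISTING = {"example-college.de"}  # constructed: pretend this one is already in Perun


def demo() -> CleanResult:
    return clean_whitelist_csv(SAMPLE_CSV, SAMPLE_EXISTING)


if __name__ == "__main__":
    r = demo()
    print("create:    ", [e["sho"] for e in r.to_create])
    print("existing:  ", [e["sho"] for e in r.existing])
    print("duplicates:", r.duplicates)
    print("invalid:   ", r.invalid)
```

Run it against the real file first on the acceptance instance data; only a result with empty `invalid` and `duplicates` lists should be handed to the scripts, and the `to_create` list is what to spot-check in the Perun GUI afterwards.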


Test run

Running the script eche_iolr_acceptance.py consumes info about the whitelisted institutions from test.csv and updates the acceptance instance of MyAcademicID - https://vo.acc.myacademicid.org/

Verifying that the creation was successful:

  1. Find the new organization in Perun GUI and retrieve the invitation link: Access Management → MyAcademicID → Groups → ECHE-IOLR → <new institution country code> → <new institution> → Students → Members → Copy Invitation link button
  2. Open the invitation link in a new tab in your browser and fill out the registration form
  3. Approve the application in Perun: Access Management → MyAcademicID → Groups → ECHE-IOLR → <new institution country code> → <new institution> → Students → Applications
  4. Verify that the new student from the application has the new institution's identity:
    1. In the Students group → Members → <New student> → <user ID> → Identities (The identity of the new institution with login set to the student's identifier should be visible here)
    2. In the Students group → Members → <New student> → <user ID> → Attributes (Here, the schacPersonalUniqueCodes and schacHomeOrganizations should include the new institution)

Production run

Running the script eche_iolr_production.py consumes info about the whitelisted institutions from production.csv and updates the production instance of MyAcademicID - https://vo.myacademicid.org/

Removal of institutions

Presently, the removal of institutions from the whitelist is not automated. Please contact Perun team members for manual removal of institutions that should no longer be whitelisted.

Technical notes

Perun uses the schacHomeOrganization supplied in the input csv file to calculate the schacPersonalUniqueCodes. Some countries (currently only France) do not want the schacHomeOrganization to be part of the schacPersonalUniqueCodes; instead, the country code (in this case 'FR') is used in the schacPersonalUniqueCodes. We currently have no users from these countries, so this path has not been exercised in production even though the scripts should be able to handle it. Should the occasion arise, extra caution should be applied when creating these groups.
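To make the France exception concrete, and to give step 4 of the test run something to check against, here is an added example (not Perun's attribute module) that derives the expected schacPersonalUniqueCode for a student and verifies that a user's attribute values contain it. It assumes the ESI-style URN layout `urn:schac:personalUniqueCode:int:esi:<scope>:<identifier>` used by MyAcademicID, where the scope is the schacHomeOrganization by default and the country code for the countries listed in `COUNTRY_CODE_SPUC`; whether Perun emits exactly this string is not stated on this page, so treat the layout as an assumption and adjust it to what you see in the Attributes tab.

```python
import re

# Assumption: ESI-style prefix; confirm against a real value in Perun before relying on it.
ESI_PREFIX = "urn:schac:personalUniqueCode:int:esi"

# Countries whose SPUC carries the country code instead of the schacHomeOrganization.
# The page names only France; add others here only when the EC/GÉANT data says so.
COUNTRY_CODE_SPUC = {"FR"}

SHO_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def spuc_scope(sho: str, country: str, use_country_code: bool = None) -> str:
    """Scope part of the SPUC. `use_country_code` mirrors the extra script
    argument the notes mention; when None, the country table decides."""
    country = country.upper()
    if use_country_code is None:
        use_country_code = country in COUNTRY_CODE_SPUC
    if use_country_code:
        if not re.fullmatch(r"[A-Z]{2}", country):
            raise ValueError(f"bad country code {country!r}")
        return country
    sho = sho.lower()
    if not SHO_RE.match(sho):
        raise ValueError(f"bad schacHomeOrganization {sho!r}")
    return sho


def build_spuc(student_id: str, sho: str, country: str, use_country_code: bool = None) -> str:
    """Expected schacPersonalUniqueCode for one student of one institution."""
    student_id = student_id.strip()
    # The identifier is the last URN component; a colon inside it would shift the scope.
    if not student_id or ":" in student_id or any(c.isspace() for c in student_id):
        raise ValueError(f"bad student identifier {student_id!r}")
    return f"{ESI_PREFIX}:{spuc_scope(sho, country, use_country_code)}:{student_id}"


def parse_spuc(value: str):
    """Split a SPUC into (scope, identifier); None if it is not in the assumed layout."""
    prefix = ESI_PREFIX + ":"
    if not value.startswith(prefix):
        return None
    rest = value[len(prefix):]
    scope, sep, ident = rest.rpartition(":")
    if not sep or not scope or not ident:
        return None
    return scope, ident


def student_has_institution(spucs: list, shos: list, student_id: str, sho: str, country: str) -> bool:
    """The check behind test-run step 4: the user's schacPersonalUniqueCodes must contain
    the expected value and schacHomeOrganizations must contain the institution."""
    expected = build_spuc(student_id, sho, country)
    return expected in spucs and sho.lower() in [s.lower() for s in shos]


if __name__ == "__main__":
    print(build_spuc("12345", "uni-example.cz", "CZ"))
    print(build_spuc("98765", "univ-example.fr", "FR"))
    # Constructed attribute values as they might appear on a freshly approved user.
    spucs = ["urn:schac:personalUniqueCode:int:esi:uni-example.cz:12345"]
    print(student_has_institution(spucs, ["uni-example.cz"], "12345", "uni-example.cz", "CZ"))
```

The scope/identifier split uses the last colon on purpose: a student identifier is validated to contain none, so a value whose identifier does contain one has been produced by something other than this rule and is worth a second look.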


Perun team contacts

Peter Bolha - bolha@cesnet.cz (development, operations)

Matej Jošťák - jostak@cesnet.cz (deployment, operations)

Pavel Zlámal - zlamal@cesnet.cz (deployment, operations)


Notes

Some orgs don't release necessary attributes or don't have IdPs - whitelist is a virtual IdP
helps students sign up for Erasmus+ online, student mobility, uni alliances, erasmus without paper
Students can use social IdPs, we can enrich social identity with more attributes from our DB
They can also use eID (national identity)
IROs (International Relations Officers) of orgs have control over the validation
Institutions are whitelisted based on an annual list from the European Commission
They would get removed if they become a part of federation (like eduGAIN) or would be delisted by the EC
used 2-3 times per year
MyAcademicID org has applications with auto-approval (for orgs with proper idps)
Orgs without their IdP have virtual IdPs in Perun (ECHE->Country->Organization→IRO (management, administrative), Students (students))
groups set up for orgs, applications automatically accepted for IROs (possible vulnerability)
IROs approve registrations from students (IRO group admin of students)
IROs verify students' identifiers outside of the system
students can use external IdPs like google
implemented in attribute module (catching events & creating appropriate attributes and identities)
separate login-namespace attribute for each organization
new orgs (universities) are added by a script going from csv file provided by Gyongyi or Christos
scripts are deployed on keybase
schacHomeOrganization value is usually used to calculate schacPersonalUniqueCode by most organizations (except in France for example, where the SHO is replaced with the country code (like FR) in the SPUC)
scripts can work with it, but it's not tested in prod (for now, only France has it and we don't have their institutions)
extra parameter is necessary in the argument
scripts eche_iolr_production.py & eche_iolr_acceptance.py
No unified source of data so far, compiled from several places
Perun provisions user's standard attributes to LDAP and Proxy reads them from LDAP


Adding groups

sometimes data needs to be cleaned, correct SHO format, duplicates
start with acc
receive data in email (Gyongyi, Christos) → red (remove), green (add)
process data into csv (shacHomeOrganization;Country;Organisation Name)
run ./eche_iolr_acceptance.py 1 #(1 → id of VO where it will be deployed)
check a couple of orgs manually in Perun acc to see if the script was successful
copy data to production csv file and run the production script
run ./eche_iolr_production.py 1
testing the addition
go to the new org → students group → members → copy invitation link

go to the invitation → fill in student id in the registrar → approve the
go to the group students → check whether the student has a new identity with the student id, attributes were set (affiliation, spuc, sho)

Removing groups

manually → currently no script for that

Plans

incorporate the (refactored) script in GEANT environment automatically
Ext source can't be created through the UI