

The InAcademia team is working on a new release that will provide a more direct link between the InAcademia service and the published eduGAIN entityIDs (via our IdP Hinting Feature) and will update the user journey in the event that InAcademia receives an OIDC request containing a stale or invalid hint. As such, it will be necessary for merchants to make adjustments in the construction of their OIDC requests to InAcademia prior to the existing method being deprecated later this year.

Merchants will have the opportunity to preview the functionality in our customer integration/pre-production platform from April. It will be available for preview for a minimum of one month prior to deployment to production in Q2-2022 (release date to be confirmed in April).

The InAcademia service will continue to support the current method of initiating the IdP Hinting feature (using the ‘idp_hint’ parameter or ‘idp_hint’ claim where currently configured), for a period of three months in order to facilitate merchants in migrating to the new OIDC request format during that time. It is anticipated that the ‘idp_hint’ parameter and sha1 hash method will be deprecated in Q3-2022.

The timeline is summarised as follows:

Milestone | Timeline
Deploy to InAcademia pre-production environment for preview | April 2022
Publish planned release date | April 2022
Deploy to InAcademia production environment (enabling aarc_idp_hint parameter and the use of entityID-based hints) | Q2-2022
Publish deprecation date (for idp_hint parameter and sha1-hash hints) | Q2-2022
Deprecate idp_hint parameter and support for sha1-hash hints | Q3-2022

Merchants not using the IdP Hinting feature will not be impacted, but it is strongly recommended that all merchants carry out regression testing prior to the production release.


The forthcoming release comprises the following enhancements, each shown as the as-built behaviour followed by the upgraded feature:

1. Hint format

As-built: IdP Hinting requires a SHA1 hash-based hint (as supplied by InAcademia in JSON format) to be included in the OIDC request using the ‘idp_hint’ parameter or claim.

e.g. idp_hint=c50752ce1d12c2b37da13a1a396b8e3895d35dd9

Upgraded feature: IdP Hinting will require a URL-encoded entityID (to be supplied by InAcademia in JSON format) to be included in the OIDC request using the new ‘aarc_idp_hint’ parameter.

e.g. aarc_idp_hint=https%3A%2F%2Fidp.nordu.net%2Fidp%2Fshibboleth

Support for SHA1 hash-based hinting is to be deprecated in Q3-2022.

2. Per-country JSON hint files

As-built: InAcademia specifies and supplies hashed hint values in the form of per-country JSON files. Merchants consume these JSON files to build a UI drop-down (using the ‘display name’ of the institution inside the JSON file) from which users* select their home institution. The merchant then initiates a request to InAcademia using the hint associated with that institution, and InAcademia directs the user to the related institutional identity provider based on the sha1 hash.

*(where the user is registered at an institution in the country where the merchant is licensed to use InAcademia)

Upgraded feature: The same service will be offered, but the per-country JSON files shall comprise entityID-format hints.

e.g. (entityID followed by its per-language display names)

https://idp.nordu.net/idp/shibboleth
    "en": "NORDUnet"
    "no": "NORDUnet"

Provision of SHA1 hash-based JSON files is to be deprecated in Q3-2022.

3. Handling of hints that cannot be resolved

As-built: InAcademia falls back to the Discovery Service if the hint value cannot be reconciled to an entityID. This allows the user to select the most appropriate IdP from the DS and move on. This has the following downsides:

  • Observation from live operations demonstrates that users are 30% more likely to abandon their session if they reach discovery unexpectedly.
  • The Discovery Service currently relates to all global IdPs, and is not restricted to in-scope countries.
  • If the user hits ‘back’ the experience can be unpredictable.

Upgraded feature: If the received hint does not resolve to valid metadata, InAcademia will return access_denied with the error description ‘entityID error’, returning the user to the merchant’s redirect_uri and thereby allowing the merchant to decide how to proceed in this scenario.

Please refer to the link below for the updated flow diagram:

https://wiki.geant.org/display/InAcademia/InAcademia+Functional+flow+with+errors

4. IdP Hint Assertion

As-built: The currently optional IdP Hint Assertion feature allows merchants to include the ‘idp_hint’ claim, which lets them identify users who were directed to an IdP other than the one selected in the merchant UI.

Upgraded feature: The IdP Hint Assertion feature will be enabled by default for all merchants, and will be initiated by the ‘aarc_idp_hint’ parameter (rather than requiring an additional claim).


What does this mean for merchants? Using an entityID-based IdP Hint means that merchants would need to:

  • include a correctly URL encoded entityID parameter in the GET request using the ‘aarc_idp_hint’ parameter (instead of the ‘idp_hint’ parameter), and
  • remove the IdP hint hash from any claims, and
  • handle users returning to the redirect_uri as a result of an invalid/stale hint being used in the request.


Requests should currently be formulated towards InAcademia in the following style:

https://op.srv.inacademia.org/InAcademia/authorization?response_type=id_token&response_mode=form_post&redirect_uri=https%3A%2F%2Fvalidate.inacademia.org%2Freturn.php&client_id=InAcademia_Test_Your_Affiliation&nonce=ee826f25a6a17bcab4e7dc21a0bffdd6&state=17edc5989051dd5ce2858ac09f30b3cd&scope=openid+transient+member&idp_hint=c50752ce1d12c2b37da13a1a396b8e3895d35dd9


And later (when the entityID is used) it would look like this:

https://op.srv.inacademia.org/InAcademia/authorization?response_type=id_token&response_mode=form_post&redirect_uri=https%3A%2F%2Fvalidate.inacademia.org%2Freturn.php&client_id=InAcademia_Test_Your_Affiliation&nonce=ee826f25a6a17bcab4e7dc21a0bffdd6&state=5989051dd5ce2858ac09f30b3cd&scope=openid+transient+member&aarc_idp_hint=https%3A%2F%2Fidp.nordu.net%2Fidp%2Fshibboleth
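The three merchant-side steps above (building the institution drop-down from the per-country JSON file, sending the request with a URL-encoded ‘aarc_idp_hint’ instead of ‘idp_hint’, and handling a user who comes back to the redirect_uri with access_denied because of a stale or invalid hint) as one added Python example. This is illustrative code written for this page, not InAcademia’s own software. It assumes the hint file nests entityID → {language: display name} (the page shows the key and the ‘en’/‘no’ pairs but not the enclosing structure), that the OP posts ‘error’, ‘error_description’ and ‘state’ fields to the redirect_uri on failure, and that the function names are hypothetical.

```python
"""Merchant-side helpers for InAcademia entityID-based IdP hinting (added example)."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZATION_ENDPOINT = "https://op.srv.inacademia.org/InAcademia/authorization"

# Constructed sample of a per-country hint file. The entityID -> {lang: name}
# nesting is an assumption; only the NORDUnet entry's values come from the page.
SAMPLE_HINT_FILE = json.dumps({
    "https://idp.nordu.net/idp/shibboleth": {"en": "NORDUnet", "no": "NORDUnet"},
    "https://idp.example.edu/idp/shibboleth": {"en": "Example University"},
})


def load_hints(json_text, lang="en"):
    """Return sorted (display_name, entityID) pairs for the merchant's drop-down."""
    data = json.loads(json_text)
    options = []
    for entity_id, names in data.items():
        # fall back to the first available language if the requested one is absent
        name = names.get(lang) or next(iter(names.values()))
        options.append((name, entity_id))
    return sorted(options)


def build_authorization_url(client_id, redirect_uri, entity_id, known_entity_ids,
                            nonce=None, state=None):
    """Build the OIDC request using the new aarc_idp_hint parameter.

    The hint is checked against the currently loaded hint file first, so an
    entityID that InAcademia no longer publishes is caught before the user is
    sent off. urlencode percent-encodes the entityID and redirect_uri and joins
    the scope with '+', which matches the request shapes on this page.
    Returns (url, state, nonce) so the caller can store state/nonce in the session.
    """
    if entity_id not in known_entity_ids:
        raise ValueError("hint not in the current InAcademia hint file: " + entity_id)
    nonce = nonce or secrets.token_hex(16)  # binds the id_token to this request
    state = state or secrets.token_hex(16)  # ties the return to this user session
    params = [
        ("response_type", "id_token"),
        ("response_mode", "form_post"),
        ("redirect_uri", redirect_uri),
        ("client_id", client_id),
        ("nonce", nonce),
        ("state", state),
        ("scope", "openid transient member"),
        ("aarc_idp_hint", entity_id),  # the entityID itself, not the old sha1 hint
    ]
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), state, nonce


def parse_request(url):
    """Decode the query of a built request (confirms the hint round-trips intact)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_return(form_fields, expected_state):
    """Classify what the OP posted back to the redirect_uri.

    form_fields: dict of the form_post body (field names assumed, see lead-in).
    Returns 'rejected' (state mismatch: discard silently), 'stale_hint'
    (access_denied with an entityID error description: re-show the picker),
    'error' (any other OP error) or 'id_token' (continue to token validation).
    """
    if form_fields.get("state") != expected_state:
        return "rejected"
    if form_fields.get("error") == "access_denied":
        if "entityID" in form_fields.get("error_description", ""):
            return "stale_hint"
        return "error"
    if form_fields.get("error"):
        return "error"
    if form_fields.get("id_token"):
        return "id_token"
    return "rejected"


if __name__ == "__main__":
    options = load_hints(SAMPLE_HINT_FILE, "en")
    known = [entity_id for _, entity_id in options]
    url, state, _ = build_authorization_url(
        "InAcademia_Test_Your_Affiliation",
        "https://validate.inacademia.org/return.php",
        "https://idp.nordu.net/idp/shibboleth", known)
    print(url)
    print(handle_return({"state": state, "error": "access_denied",
                         "error_description": "entityID error"}, state))
```

The state check runs before anything else in handle_return: a posted error that does not carry the state issued for this session is dropped rather than acted on, so a stale-hint response cannot be replayed into an unrelated session. Checking the hint against the freshly loaded JSON before sending the user away is the cheapest place to catch a stale entityID; the ‘stale_hint’ branch covers the case where the file on the merchant side itself lags behind InAcademia.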


The InAcademia product team would be happy to participate in one-to-one meetings to discuss these changes further with your product teams. In order to schedule a discussion, please contact info@inacademia.org.


Best wishes from

The InAcademia Team

