<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="https://aai.cesnet.cz/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="https://aai.cesnet.cz/feed.php">
        <title>aai.cesnet.cz - en:index:documentation:sp:proxy</title>
        <description></description>
        <link>https://aai.cesnet.cz/</link>
        <image rdf:resource="https://aai.cesnet.cz/_media/logo.png" />
        <dc:date>2026-05-17T13:57:58+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/attributes_and_scopes?rev=1747687452&amp;do=diff"/>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/federated_login?rev=1605003170&amp;do=diff"/>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/how_to_manage_access_to_a_service?rev=1608118243&amp;do=diff"/>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/implementing_the_service_provider?rev=1725266759&amp;do=diff"/>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/new_sp?rev=1608103081&amp;do=diff"/>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/protocols?rev=1607522425&amp;do=diff"/>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/proxy-architecture?rev=1604999950&amp;do=diff"/>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/scopes?rev=1604995328&amp;do=diff"/>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/serivces_proxy?rev=1606226301&amp;do=diff"/>
                <rdf:li rdf:resource="https://aai.cesnet.cz/en/index/documentation/sp/proxy/social_providers?rev=1605001221&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="https://aai.cesnet.cz/_media/logo.png">
        <title>aai.cesnet.cz</title>
        <link>https://aai.cesnet.cz/</link>
        <url>https://aai.cesnet.cz/_media/logo.png</url>
    </image>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/attributes_and_scopes?rev=1747687452&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-05-19T20:44:12+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Attributes and scopes</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/attributes_and_scopes?rev=1747687452&amp;do=diff</link>
        <description>Attributes and scopes

This document defines the attributes available to relying services from E-INFRA AAI.

E-INFRA Identifier

	*  Description: unique, non-recycled user identifier within the CESNET e-infrastructure
	*  SAML attribute(s): urn:oid:1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId)</description>
    </item>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/federated_login?rev=1605003170&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-11-10T10:12:50+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Login process</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/federated_login?rev=1605003170&amp;do=diff</link>
        <description>Login process

The following picture displays the sequence of steps that are made when a user accesses a service connected to the ProxyIdP.



	*  User navigates to the webpage of the service he/she wants to use.
	*  The service requires the user to log in. The login is initiated by the user clicking the login button, or it happens automatically.</description>
    </item>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/how_to_manage_access_to_a_service?rev=1608118243&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-12-16T11:30:43+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Restricting access to the service</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/how_to_manage_access_to_a_service?rev=1608118243&amp;do=diff</link>
        <description>Restricting access to the service

The AAI provides advanced functionality to restrict access to the service based on specified rules. One such rule can be a requirement of membership in at least one of the specified organizational units (groups). The following describes how to set up such a requirement.</description>
    </item>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/implementing_the_service_provider?rev=1725266759&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-09-02T08:45:59+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Implementing service provider</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/implementing_the_service_provider?rev=1725266759&amp;do=diff</link>
        <description>Implementing service provider

As mentioned in the other pages, ProxyIdP currently supports connecting services via two protocols. This page contains common practices and tips on how to implement authentication using one of these protocols.

SAML

	*</description>
    </item>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/new_sp?rev=1608103081&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-12-16T07:18:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Connecting the service</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/new_sp?rev=1608103081&amp;do=diff</link>
        <description>Connecting the service

This page describes the administrative process of connecting a service to E-INFRA AAI.

A guide on how to implement a service provider/relying party is available here.

Service administration and registration takes place in the Service Provider registration application (SPReg). It is available at</description>
    </item>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/protocols?rev=1607522425&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-12-09T14:00:25+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Protocols</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/protocols?rev=1607522425&amp;do=diff</link>
        <description>Protocols

Proxy IdP supports two protocols for connecting a service - SAML2 and OpenID Connect.

SAML2

Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging authorization data between the identity provider and the service provider. SAML is an XML-based protocol. Two major roles play a part in the SAML protocol - Identity Provider (IdP - retains authoritative information about users, authenticates users and passes on information about users) and Service Provid…</description>
    </item>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/proxy-architecture?rev=1604999950&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-11-10T09:19:10+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Proxy IdP architecture</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/proxy-architecture?rev=1604999950&amp;do=diff</link>
        <description>Proxy IdP architecture

Description of individual Proxy IDP components

The Proxy IdP component is operated on the machines of the CESNET virtualization platform.
As a critical component, it is operated in High Availability mode:

	*  The cluster consists of three mutually substitutable, geographically separated machines with login [1-3].cesnet.cz.</description>
    </item>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/scopes?rev=1604995328&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-11-10T08:02:08+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Scopes available through the protocol OpenID Connect</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/scopes?rev=1604995328&amp;do=diff</link>
        <description>Scopes available through the protocol OpenID Connect

One "scope" entitles a client to receive one or more so-called "claims"; for more details, see the OIDC specification at &lt;https://openid.net/specs/openid-connect-core-1_0.html#Claims&gt; and &lt;https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims&gt;.
In addition to the standard scopes defined by the OIDC specification (openid, profile, email, phone, address), Proxy IdP also provides some more, either allowing non-standard claims (organization, e…</description>
    </item>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/serivces_proxy?rev=1606226301&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-11-24T13:58:21+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Services provided by Proxy IdP</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/serivces_proxy?rev=1606226301&amp;do=diff</link>
        <description>Services provided by Proxy IdP

A filter for WAYF/DS (Where Are You From/Discovery Service)

An SP can affect the list of identity providers on the WAYF of Proxy IdP. Because this WAYF is based on CESNET WAYF (&lt;https://www.eduid.cz/cs/tech/wayf&gt;), the filter is configured at &lt;https://ds.eduid.cz/filter.php&gt;.
Then provide the filter value as the attribute filter. For longer filters, we recommend saving the value to a file and providing the link as the attribute efilter. More information abou…</description>
    </item>
    <item rdf:about="https://aai.cesnet.cz/en/index/documentation/sp/proxy/social_providers?rev=1605001221&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-11-10T09:40:21+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Social identity providers</title>
        <link>https://aai.cesnet.cz/en/index/documentation/sp/proxy/social_providers?rev=1605001221&amp;do=diff</link>
        <description>Social identity providers

This is the documentation for the social identity provider bridge.
The bridge provides a translation between the authentication mechanism of a social identity provider and the SAML2 protocol.

Service registration for social IdP</description>
    </item>
</rdf:RDF>
