This pilot aims to demonstrate how researchers could reuse their already issued X.509 certificates to access Services published to eduGAIN.

This pilot showcases how to enable researchers to access Services

  • Using the X.509 certificates that they already have
  • Not forcing them to register/use Home Organization accounts
  • Carrying a high LoA (Level of Assurance)

and at the same time enable Services

  • To follow the paradigm shift to federated SSO
  • To not lose/alienate their user base
  • To maintain LoA requirements

This pilot solution was presented at the 39th EUGridPMA Firenze meeting.


For the purpose of this pilot, the solution has been deployed in a SimpleSAMLphp instance running on ~okeanos infrastructure, and this SimpleSAMLphp-based Identity Provider has been added to the EGI development Proxy.

1. Access WaTTS - The INDIGO Token Translation Service at
2. Select "European Grid Infrastructure (EGI)" as OpenId Connect Provider and click on Login
3. On the EGI Identity Provider Proxy, select the X.509 Certificates tab
4. On the X.509 Certificates tab, select the IGTF X.509 (pilot)
5. When prompted by the browser, select the Certificate that you want to use to log in to the IGTF X.509 Identity Provider
6. After successful client certificate authentication, you will be presented with the information parsed from the Certificate that will be available as SAML attributes
7. Upon giving your consent, you are forwarded to the EGI Identity Provider Proxy, where your attributes are possibly enhanced or consolidated
8. Upon giving your consent, you are subsequently forwarded to the service you originally tried to access, as an authenticated user carrying the information from your certificate as SAML attributes.


