Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Note

Before proceeding read the Requirements for Services.


Info
titleThis page explains how to register a Service Provider on the GEANT AAI Service

You can request to connect a service to the GEANT AAI Service using the following form:
https://webapp.aai.geant.org/sp_request

Note that service requests are reviewed for correctness and eligibility by the GEANT staff.

The metadata for the SAML2 Identity Provider can be found here:
https://proxy.aai.geant.org/metadata/frontend.xml

The discovery endpoint for the OIDC Provider can be found here:
https://proxy.aai.geant.org/.well-known/openid-configuration


Note

The registration of services goes through two phases, as described below.

Phase 1 - Connection to the test environment.

Initially, services are connected to the test environment. The test environment is exactly the same as the production environment. The purpose of this step is to allow service owners to ensure that the connection with the GEANT AAI Service is working correctly, user information is processed as needed and all configurations are in place.

During this phase access to the service is restricted to users that have opted in to the Sandbox group. The first time that a user tries to access a service that is connected to the test environment the user will be presented with message denying access to the service, unless the user opts-in to join the Sandbox group. By clicking the registration link for the Sandbox group, the user will be redirected to register on the Sandbox group. From then on, users will see a warning about the status of the service on the Consent Page.

Phase 2 - Promotion to production.

Once the service owner is certain that the connection of the service with the GEANT AAI Service is working as expected, the service owner can request to promote the service to production.



Section


Column
width30%

       1. Requester Details

Display name - Already prefilled from your Profile

Email - Already prefilled from your Profile

Identifier - Already prefilled from your Profile

Orgnanization - If it is not prefilled, please enter the name of your organization. This can be different from the organization / legal entity providing the service


Column
width10%



Column
width60%





Section


Column
width30%

2. Organization Information - Legal entity responsible for the service

Organization Name - The name of the organization responsible for the service

Organization Website - The website of the organization responsible for the service


Column
width10%



Column
width60%





Section


Column
width30%

3. Service Details

Service Name - The name of the service

Service Website (URL) - The URL of the website or landing page for the service

Service Logo (URL) - A URL with the logo / icon of the service

Service Description - A description of what the service is


Column
width10%



Column
width60%





Section


Column
width30%

4. Contact Information

Email addresses for administrative, security, helpdesk and technical contacts or teams responsible for the service


Column
width10%



Column
width60%





Section


Column
width30%

5. Service Provider Policies

Privacy Notice (URL) - A URL pointing to the privacy notice of the service

Acceptable Usage Policy / Terms of Use - A URL pointing to the Acceptable Usage Policy and / or Terms of Use of the service

Incident Response Policy (URL) - A URL pointing to the Incident Response policy applicable to the service. This is an optional field

Jurisdiction of the service - Jurisdiction and information if the service is established in a 3rd country

GÉANT Data Protection Code of Conduct - Click the check box if the service is compliant with the GÉANT Code of Conduct. You can find more information about the GÉANT Code of Contact on the GÉANT website

Sirtfi - Click the check box if the service is compliant with Sirtfi. You can find more information about the Sirtfi framework on the REFEDS website

Research and Scholarship - Click the check box of the service is compliant with Research and Scholarship entity category. You can find more information about the Research and Scholarship entity category on the REFEDS website


Column
width10%



Column
width60%





Section


Column
width30%

6 - 1 - A. Registering a SAML Service Provider

SAML or OIDC - Choose SAML for registering a SAML Service Provider

SP is part of eduGAIN - If the Service Provider is already registered in eduGAIN through a national federatoin click this checkbox

SAML2 Entity ID - This textbox is only visible if you have selected that the SP is part of the eduGAIN. Provide the SAML2 entity ID for the service

SAML2 Metadata (URL) - This textbox is only visible if you have NOT selected that the SP is part of eduGAIN. A URL pointing to the SAML2 metadata of the service


Column
width10%



Column
width60%





Section


Column
width30%

6 - 1 - B. Required attributes

The service has to select required attributes and provides a justification of any of them.


Column
width10%



Column
width60%

Image Added





Section


Column
width30%

6 - 1 - C. Additional Information

Before submitting the application, you can provide extra information about your application. For example, if the service is not ready for production or the service has specific attribute requirements. By default services receive the GEANT AAI Service identifier, the name and the email of the person. You can read about the available attributes here: Attributes available to Connected Services

You should consider, recognize and comply with the Terms of use for Service Providers option when you are moving the service to production environment. 


Column
width10%



Column
width60%







Section


Column
width30%

6 - 1 - CD. Form submission

When you click on the "Submit" button, you will see a page confirming your application request. You application will be reviewed by the GEANT AAI Service Support team and you will be notified via e-mail.


Column
width10%



Column
width60%





Section


Column
width40%

6 - 2 - A. Registering an OIDC Service Provider

SAML or OIDCChoose OIDC for registering an OIDC Service Provider
GrantsYou can select multiple grants. For more information on "Authorization Code Flow", "Refresh Token" and "Implicit Flow" read the OpenID Connect Core 1.0 document. For more information on "Token Exchange" read the RFC8693 — OAuth 2.0 Token Exchange document. The Implicit Flow is discouraged due to security concerns. Instead, consider the Authorization Code Flow with PKCE. For more information read the OAuth 2.0 Security Best Current Practice document, especially section "2.1.2. Implicit Grant"
Public client

A "public" client is incapable of maintaining the confidentiality of their credentials. For more information read the RFC6749 — The OAuth 2.0 Authorization Framework document, especially section 2.1. Client Types on the differences between "confidential" and "public" clients.

It is recommended to require PKCE when the client is public.

This option has no effect on the Implicit Flow.

PKCE

PKCE stands for "Proof Key for Code Exchange". For more information read the RFC7636 — Proof Key for Code Exchange by OAuth Public Clients document.

Using PKCE is recommended for all grants based on the Authorization Code Flow. For more information read the OAuth 2.0 Security Best Current Practice document, especially section "2.1.1. Authorization Code Grant".

This option has no effect on the Implicit Flow.

OIDC Redirect URLsEnter one or more OIDC redirect URLs for your service. Note, wildcards are not supported. URLs like https://www.example.com/* are considered invalid



Column
width60%






Section


Column
width30%

6 - 2 - B. Required attributes

The service has to select required attributes and provides a justification of any of them.


Column
width10%



Column
width60%

Image Added





Section


Column
width30%

6 - 2 - C. Additional Information

Before submitting the application, you can provide extra information about your application. For example, if the service is not ready for production or the service has specific claim requirements. By default services receive the GEANT AAI Service identifier, the name and the email of the person. You can read about the available scope/claims here: Attributes available to Connected Services

You should consider, recognize and comply with the Terms of use for Service Providers option when you are moving the service to production environment. 


Column
width10%



Column
width60%





Section


Column
width30%

6 - 2 - CD. Form submission

When you click on the "Submit" button, you will see a page confirming your application request. In the confirmation page you will see also the client_id and secret for your client. Please store the securely as these cannot retrieved later. You application will be reviewed by the GEANT AAI Service Support team and you will be notified via e-mail.


Column
width10%



Column
width60%