Federated authentication
Academic Identity Federations
The University of Helsinki is a member of Haka, the Finnish national identity federation, and through Haka a member of eduGAIN, the international identity federation.
- Haka is the national federation of Finnish higher education institutions and research institutes, with almost all Finnish higher education institutions as members.
- eduGAIN is an international federation with over 50 local trust federations as members, enabling login with credentials from over 2500 higher education and research institutions. Services joining eduGAIN can, if desired, limit the organizations whose credentials can be used to log into the application.
How it works
Both identity federations use the SAML2 protocol. The federation provides a secure and validated way of distributing Identity Providers' and Service Providers' SAML metadata, including across federations.
- An Identity Provider (IdP) is a service that provides identity information about the users of its organization, i.e. it authenticates users in their home organization. Our Identity Provider is the login.helsinki.fi service.
- Service Providers (SP) are the various services that allow authentication through one or more Identity Providers.
- IdPs and SPs register with their local identity federation (Haka in our case) and use the metadata that federation provides. The metadata for a provider includes at least its entity ID (a unique identifier), the endpoint addresses for SAML2 messages and its public certificate(s).
First, the Identity Provider to use is chosen, usually through an external discovery process.
- Haka provides a discovery service that includes all Haka IdPs: https://wiki.eduuni.fi/display/CSCHAKA/Discovery+Service
- For services registered to eduGAIN, the recommended way to choose the IdP is the Seamless Access service: https://seamlessaccess.org/
The second step is checking whether the service has metadata for the chosen IdP. If the metadata is found, the user is redirected to that IdP for the login process.
Finally, the service receives either the user's information from a successful login, or a failure.
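The three steps above (discovery result, metadata lookup, redirect to the IdP) in working form. This is an added example, not code from this page, Haka or the Shibboleth project: the federation metadata, the example.edu/example.org entity IDs and endpoints, and the certificate are constructed placeholders. In a real SP the metadata is fetched from the federation and its signature verified before anything below runs; the example assumes that has already happened, and it omits request signing (SigAlg/Signature parameters) to keep the binding logic visible.

```python
"""SAML2 metadata lookup and IdP redirect (added example, not the page's code)."""
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET  # assumes trusted, signature-verified metadata
import zlib
from dataclasses import dataclass
from datetime import datetime, timezone
from xml.sax.saxutils import escape

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample federation metadata: one IdP and one SP; the certificate is a placeholder.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="example-federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


@dataclass
class IdpEntry:
    entity_id: str
    sso_endpoints: dict   # binding URN -> endpoint location
    signing_certs: list   # base64 DER certificates usable to verify the IdP's signatures


def parse_idps(metadata_xml: str) -> dict:
    """Return {entityID: IdpEntry} for every IdP in the metadata; SP-only entities are skipped."""
    root = ET.fromstring(metadata_xml)
    idps = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        endpoints = {sso.get("Binding"): sso.get("Location")
                     for sso in idp.findall("md:SingleSignOnService", NS)}
        certs = []
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use") == "encryption":   # no 'use' attribute means signing and encryption
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
        entity_id = ed.get("entityID")
        idps[entity_id] = IdpEntry(entity_id, endpoints, certs)
    return idps


def find_sso_endpoint(idps: dict, chosen_entity_id: str, binding: str = REDIRECT_BINDING):
    """Step two of the flow: None means the service has no metadata for this IdP, so no redirect."""
    entry = idps.get(chosen_entity_id)
    return entry.sso_endpoints.get(binding) if entry else None


def build_redirect_url(sso_location: str, sp_entity_id: str, acs_url: str, relay_state=None):
    """Build the HTTP-Redirect binding URL; returns (request ID, URL).
    The SP must store the request ID to match it against InResponseTo in the response."""
    def attr(value):                       # escaping safe for use inside a double-quoted attribute
        return escape(value, {'"': "&quot;"})
    request_id = "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issued}" '
        f'Destination="{attr(sso_location)}" ProtocolBinding="{POST_BINDING}" '
        f'AssertionConsumerServiceURL="{attr(acs_url)}">'
        f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer></samlp:AuthnRequest>'
    )
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if "?" in sso_location else "?"
    return request_id, sso_location + sep + urllib.parse.urlencode(params)


def decode_saml_request(url: str) -> str:
    """Inverse of the redirect encoding, i.e. what the IdP does when the browser arrives."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")
```

A discovery service returns only the IdP's entity ID; `find_sso_endpoint` is the check that the SP actually holds metadata for it, and a `None` result is the "IdP not known to this service" case rather than an error in the metadata. Certificates are collected so the SP can verify the signature on the response that comes back in the final step.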
Restrictions
Since trust networks are based on adherence to mutually agreed practices, there are specifications for the minimum information and practices required of services joining them. However, practices vary across national federations, so there are also restrictions (see below).
Assurance: reliability of the user information
In Haka, REFEDS Assurance Framework attributes are provided that indicate how reliably the user has been identified. Some users have been identified using strong electronic identification; others may have been identified only by a self-provided email address.
On the eduGAIN side, these attributes follow the guidance of the local identity federations and individual identity providers, and are therefore not equally reliable.
Read more about the REFEDS Assurance Framework: https://refeds.org/assurance.
Who can log in
A service connected to Haka accepts logins with credentials from all Haka members. The service itself can restrict users based on the transmitted attributes, such as the user's home organization.
In eduGAIN, the majority of IdPs and SPs do not automatically form a trust relationship; it must be defined explicitly. University of Helsinki users cannot log into every service connected to eduGAIN, because either HY (the University of Helsinki) has not allowed the transfer of information to the service, or the service has not allowed HY users to log in. The same applies in reverse: not all IdP credentials can be used to log into HY's services connected to eduGAIN.
In principle, the University of Helsinki allows logins to services that declare their commitment to the GÉANT data protection practice (EU data protection legislation). Other services are allowed individually.
What information is provided for users
In Haka, there is a list of mandatory attributes that must be available for all users: https://wiki.eduuni.fi/display/CSCHAKA/funetEduPersonSchema2dot5#funetEduPersonSchema2dot5-Attributesforpersons
In eduGAIN, you cannot rely on any particular attribute being released. Usually basic name information, eduPersonPrincipalName and eduPersonAffiliation are provided, but not always. Services registered to eduGAIN must handle missing attributes correctly, either by asking the user for them or, in some cases, by preventing login and informing the user of the reason.
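The two decisions described in the assurance section and in this one, in code: read the attributes an IdP actually released, refuse logins whose identity proofing is below what the service needs, deny when a required attribute is missing, and otherwise collect the optional ones from the user. This is an added example, not code from this page or from Haka; the REFEDS IAP values are the identity-proofing identifiers from the REFEDS Assurance Framework specification (https://refeds.org/assurance), the REQUIRED/ASKABLE sets are a hypothetical service policy, the attribute statement is constructed, and the OID-to-friendly-name mapping is assumed to come with the assertion (a Shibboleth SP would normally apply its own attribute map instead).

```python
"""Released-attribute and REFEDS assurance checks (added example, not the page's code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from enum import Enum

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Identity-proofing (IAP) values from the REFEDS Assurance Framework, ranked low to high.
# These identifiers come from the REFEDS specification, not from the page.
REFEDS_IAP = {
    "https://refeds.org/assurance/IAP/low": 1,
    "https://refeds.org/assurance/IAP/medium": 2,
    "https://refeds.org/assurance/IAP/high": 3,
}

# Hypothetical service policy: attributes needed to create an account at all, and
# attributes the service can ask the user for when the IdP does not release them.
REQUIRED = {"eduPersonPrincipalName", "eduPersonAffiliation"}
ASKABLE = {"mail", "displayName"}

# Constructed eduGAIN-style partial release: no mail or displayName.
SAMPLE_EDUGAIN_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
    <saml:AttributeValue>student@idp.example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
    <saml:AttributeValue>student</saml:AttributeValue>
    <saml:AttributeValue>member</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" FriendlyName="eduPersonAssurance">
    <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


class Decision(Enum):
    ALLOW = "allow"
    ASK_USER = "ask_user"   # proceed, but collect the listed attributes from the user
    DENY = "deny"           # stop and show the user the reason


@dataclass
class Outcome:
    decision: Decision
    reason: str
    missing: list = field(default_factory=list)


def parse_attribute_statement(xml_text: str) -> dict:
    """Map FriendlyName (or the OID Name when no FriendlyName is given) -> list of values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attribute in root.iter(f"{{{NS['saml']}}}Attribute"):
        key = attribute.get("FriendlyName") or attribute.get("Name")
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", NS)]
        attrs.setdefault(key, []).extend(values)
    return attrs


def highest_iap(assurance_values) -> int:
    """Best identity-proofing level among eduPersonAssurance values; 0 when none is asserted."""
    return max((REFEDS_IAP.get(v, 0) for v in assurance_values), default=0)


def evaluate_login(attrs: dict,
                   minimum_iap: str = "https://refeds.org/assurance/IAP/medium") -> Outcome:
    """Decide what to do with a login given the attributes the IdP released."""
    missing_required = sorted(REQUIRED - attrs.keys())
    if missing_required:
        return Outcome(Decision.DENY,
                       "identity provider did not release required attributes", missing_required)
    # An IdP that asserts no eduPersonAssurance at all gets level 0 and is treated as unknown.
    if highest_iap(attrs.get("eduPersonAssurance", [])) < REFEDS_IAP[minimum_iap]:
        return Outcome(Decision.DENY, f"identity assurance below {minimum_iap}")
    missing_askable = sorted(ASKABLE - attrs.keys())
    if missing_askable:
        return Outcome(Decision.ASK_USER,
                       "optional attributes not released; collect them from the user", missing_askable)
    return Outcome(Decision.ALLOW, "all attributes present and assurance sufficient")
```

The `reason` string is what the service should show the user in the DENY case; the `missing` list tells the user interface which fields to ask for in the ASK_USER case. A Haka service can usually skip the ASK_USER branch because the mandatory attribute list guarantees those attributes, but the assurance check is useful in both federations.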
Adding a service to the Identity Federation
The service must use the SAML2 protocol with an implementation that supports federation. Shibboleth SP is our recommended SAML2 service implementation; it is known for its good support of the standard.
Services are registered using the Haka Resource Registry: https://wiki.eduuni.fi/display/CSCHAKA/Resource+Registry
The list of information required for registration can be found in the Haka FAQ: https://wiki.eduuni.fi/display/CSCHAKA/Frequently+Asked+Questions