• Security & Identity
• Authentication
  • About AAI
  • Participants
  • Join AAI
  • Support & Downloads
    • FAQ
    • Helpdesk
    • Documents
    • Presentations
    • HOWTO
    • Identity Providers
    • Service Providers
    • Metadata
    • Tools
  • Demo
  • Contact
• Computer Emergencies
• Certificates
• Spam protection

Frequently Asked Questions

User's FAQ

• I cannot login / forgot my password. Who can help me?
• What about privacy and data protection?
• Which web resources can I access with my AAI-enabled account?
• What do I have to do to get an AAI account?

Technician's FAQ

• What is "Shibboleth"?
• What happens when I access an AAI Resource?
• What is this "Shibboleth Handle Request Processed" message?
• I submitted a form on an AAI-enabled resource, but the form data was not sent.
• How does OpenID relate to SWITCHaai?
• Does AAI need to store cookies?
• For which servers are cookies required and how long are they stored?
• Does AAI need JavaScript?

User's FAQ

I cannot login / forgot my password. Who can help me?

Please turn to the helpdesk at your organisation. In doubt, consult the list of helpdesks.

What about privacy and data protection?

All the organisations (Federation Members and Partners) participating in the AAI have signed a contract, the SWITCHaai Service Agreement or the SWITCHaai Federation Partner Agreement. By signing these agreements, they commit themselves to the secure handling of user data according to the Swiss data protection laws.

What concerns the technology, security has also been implemented: the AAI is based on the open-source software Shibboleth, which was designed with a tight security concept in mind. Shibboleth uses the Security Assertion Markup Language (SAML) and all exchanged user data is encrypted using secure SSL connections.

Which web resources can I access with my AAI-enabled account?

Some representative web resources are listed on the web resources page. A complete - but uncommented - list can be found in the AAI Resource Registry.

What do I have to do to get an AAI account?

If your Home Organization is a member of the AAI Federation, you are automatically registered as an AAI user. User name and password are the same as for your account at your Home Organization. For more information, see the Join AAI section.

Technician's FAQ

What is "Shibboleth"?

Shibboleth is the open-source software used by AAI. Together with the Security Assertion Markup Language (SAML) it provides the technical framework for AAI. For more information about Shibboleth, see the Shibboleth Introduction.

What happens when I access an AAI Resource?

When you try to access an AAI-enabled resource, your web browser is redirected to your Home Organization, you may have to choose your Home Organization on the "Where Are You From" Server (WAYF). As soon as you have logged in, you are redirected back to the resource. Notice that once you have successfully authenticated, you don't have to repeat the process for other resources but can access them directly, provided your Home Organization has a single sign-on system implemented and you don't close your web browser in-between.
If you are interested in more details visit our demonstration site.

What is this "Shibboleth Handle Request Processed" message?

Whenever you successfully have logged in at your Home Organization, it redirects you back to an AAI-protected Resource. During this process you briefly see that message on the screen (see figure 1). In case JavaScript is disabled in your browser, you have to complete the redirection by clicking the link provided on that page.

Figure 1: Handle redirection dialog

The message may appear again during your browser session and when you visit another AAI-enabled resource. The reason is that the Shibboleth session on the web resource you are visiting has limited lifetime. It is the resource that decides how long such a session is valid. When the session expires, the resource redirects your web brower to your Home Organization for repeated authentication. In case your Home Organization has implemented a web single sign-on system, that single sign-on session might still be valid, which means that no action is required from your part. If not, you will have to provide your credentials again before you are redirected back to the resource.

I submitted a form on an AAI-enabled resource, but the form data was not sent. What happened?

As an AAI-authenticated user you have a Shibboleth session set up. If this session expires, the web browser is redirected to your Home Organization to renew the session (see also question above). During this process the submitted data may get lost and the Resource may react as if no data were submitted. You then either can fill out the form again or try to go back in your web browser until you find the page that contains the filled out form and submit it again. If this effect occurs often, you should contact the administrator of the Resource and ask him to increase the Shibboleth session timeout.

How does OpenID relate to SWITCHaai?

The document Digital Identities, SWITCHaai and OpenID introduces the terminology, covers characteristics of digital identities and discusses how SWITCHaai and OpenID relate to each other.

Does AAI need to store cookies?

Yes, AAI needs to store cookies in your web browser's cookie store. Only with cookies it is possible to reliably save the state whether a user has already been authenticated or not.

For which servers are cookies required and how long are they stored?

The involved AAI components will store multiple cookies for the following domains:

1. The login site of your Home Organization. The cookie stores a session ID that is needed to know whether you are already authenticated or not. This cookie is required.
2. The web server hosting the resource you want to access. Cookie stores a session ID and potentially the URL that you requested before being authenticated. This cookie is required.
3. The WAYF Service stores your most recently selected Home Organization and resource. This allows the WAYF service to pre-select them the next time you return to the WAYF service. That way, you only need a single click to continue. This cookie is not mandatory to be saved but enhances usability. The names of these cookies are _saml_idp and _saml_sp

All cookies are so-called session cookies, except the one from the discovery service (WAYF) which is a persistent cookie. The session cookies exist only for the current web browser session. As soon as you close your web browser, they will be deleted and you have to authenticate again when accessing an AAI-protected service.
As mentioned above, the WAYF cookies only contain the IDs of the most recently accessed Home Organizations and Resources. These IDs are unpersonal and generic. They don't contain any information about you and they only can be read by web pages operated within the switch.ch domain.

Does AAI need JavaScript?

No, AAI does not need JavaScript to work properly. However, if JavaScript is disabled, one additional click will be needed when accessing a resource protected by AAI. Just after authentication at your Home Organization, your browser is sent back to the resource using a hidden HTML form (see question 3). When JavaScript is enabled, this form is automatically submitted after the page is loaded. If JavaScript is disabled, the user has to click on the submit button to achieve the same thing manually.