- AAI Attribute Viewer
- uApprove - IdP user consent extension
- Group Management Tool (GMT)
- Resource Registry
- Virtual Home Organization Service (VHO)
- Swiss edu-ID
- Discovery Service Options for SWITCHaai (WAYF/DS)
- SWITCH Embedded WAYF
- AAI for Mobile Apps
- RemoteUserFilter for IdP
- X.509 login handler for IdP
- Some further tools
AAI Attribute Viewer
The AAI Attribute Viewer is a service operated by SWITCH that simply displays all the attributes that are available for a user. The service will request all attributes for a user, however, which attributes an organisation releases for a user depends on the organisation's attribute release policy.
The AAI Attribute Viewer also shows (group) attributes aggregated from the SWITCHtoolbox. In addition, descriptive organisation attributes part of the SAML metadata are shown as well.
uApprove - IdP user consent extension
uApprove (BSD license) is a tool which gets the user's consent before releasing his/her attributes to a Shibboleth Service Provider.
From the user's point of view he/she has to press an "OK" button in order to allow the transfer of the attributes.
The user also has the option to release all attributes to all Service Providers, such that he/she will never be asked again.
Experience shows that a large fraction of users prefer this option.
Group Management Tool (GMT)
The Group Management Tool (GMT) is a web application developed (BSD license) by SWITCH to create and manage groups of Shibboleth users from many different Identity Providers. The group information can be used by other web applications to make access control decisions. This is on one hand accomplished by generating Apache .htaccess files to restrict access to web server directories based on the unique ID of a user. On the other hand, the group information can be queried by a remote hosts via a PHP or Perl interface.
Resource Registry - A Federation Manager, a web application
The Resource Registry is a central repository containing data about the identity providers (IdP) and service providers (SP) available within SWITCHaai. It collects general information about IdPs and SPs, such as the organization it belongs to and contact information. Additional data, e.g. description and purpose, is gathered for SPs. For data protection reasons, the owners of SPs have to declare the minimal set of attributes their SP requires. The Resource Registry implements a process for gathering and approving such declarations. The data is then used to generate the metadata files and attribute release policy files used by a majority of IdPs in the federation. These attribute filter files are important to comply with data protection and privacy requirements. While these files could also be managed locally (by each server administrator in the federation), the Resource Registry greatly simplifies that process and improves reliability.
Virtual Home Organization Service
In some cases there are users that don't have an AAI account but need access to an AAI-enabled resource. In that case the Virtual Home Organization (VHO) Service may be used. The VHO lets administrators create and maintain AAI accounts via a web interface. The attributes of VHO users mark them as special and in general they just have access to a particular resource.
The Swiss edu-ID is a digital identity SWITCH is developing for persistent use by university members. It is designed to be secure and recognised worldwide. The Swiss edu-ID service allows users to create an account with self-registration. In contrast to the Virtual Home Organization where a VHO group administrator creates and manages the accounts, the Swiss edu-ID is user-centric and allows any user with a valid email address to create and manage his own account. Some data of a Swiss edu-ID account can be verified or linked with exististing AAI or social network identities, which then increases the level of assurance of an edu-ID identity.
Discovery Service Options for SWITCHaai
The comparison between the different discovery services may help you to find the suitable solution for your SP.
To guide the users from a service provider to her/his identity provider, SWITCHaai provides an official Central "Where Are You From" (WAYF) service. See it in action with the Attribute Viewer.
The implementation developed by SWITCH (BSD license) has several additional features compared to the official Shibboleth WAYF from Internet2. It's a lightweight PHP implementation that supports multiple languages and several ways of preselecting an identity provider.
SWITCH Embedded WAYF
AAI for Mobile Apps
Up-to-now, apps on mobile devices like smartphones and tablets can only make use of AAI through a web browser. With 'AAI for Mobile Apps' up-to-date AAI attributes should become available to Apps without having the user to authenticate via a web browser.
By deploying a 'Mobile Proxy' server which is access protected by a Shibboleth SP and supports a subset of OAuth2.
RemoteUserFilter for IdP
If the users on the Identity Provider side are authenticated against Active Directory, Kerberos or some older CAS versions, it may be necessary to modify the login name that is read by Shibboleth from the REMOTE_USER environment variable. For example, the user may enter email@example.com (Kerberos username@REALM.XY) or otherschool\jane.d (Windows domain\samaccountname) as login name. However, if the username in the user directory is stored without the realm or domain, Shibboleth cannot fetch the proper attributes for this user. Therefore, one has to cut off the realm or domain from the entered login name. This can be done by the RemoteUserFilter.
The filter (BSD license) is basically placed between CAS (or another authentication system) and the Shibboleth Identity Provider and overwrites the getRemoteUser() function of a servlet request in order to modify the login name.
X.509 login handler
Strong authentication with X.509 user certificates for Shibboleth IdP 2. SWITCH has contributed the "X.509 login handler" to the Shibboleth project.
Find the documentation and the link for the source code on the Shibboleth 2 Wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/X.509+Login+Handler
SWITCHaai JXPlorer Template
Shibboleth Log Viewer
Processing/extracting metadata information with XSLT
<idps> <idp domain="bfh.ch">https://aai-logon.bfh.ch/idp/shibboleth</idp> <idp domain="campus-kreuzlingen.ch">https://aai-logon.phtg.ch/idp/shibboleth</idp> <idp domain="chuv.ch">https://idp.chuv.ch/idp/shibboleth</idp> <idp domain="cscs.ch">https://aai-logon.ethz.ch/idp/shibboleth</idp> ... </idps>XSL transformations can be applied in many environments or applications. For testing purposes, the xsltproc command-line tool can be used to apply an XSL transformation:
xsltproc domain_to_idp_entityid.xsl metadata.switchaai.xmlNote that the output of an XSL transformation doesn't necessarily have to be another XML document, it is also possible to generate plain-text output.