EduCloud SSO pilot-instance, later will replace it – Up to the production operator to decide between one “big” proxy or a set of proxies (e.g. social proxy, strong authn proxy, etc) Developed by CSC, running in Pouta cloud Based on Shibboleth open source software – Co-operation with the Finnish Population Register Centre’s national proxy implementation project 5
calculation 2. Oppija ID resolution Opintopolku Stores links between Authn ID and Oppija ID SAML: Static User ID SAML: Oppija ID REST: Resolve Oppija ID for Authn ID
Input: static user ID from the authentication provider – Output: privacy-preserving authentication ID (will be stored to the Opintopolku system) SAML profile definition – “global” role attributes, IdP and SP connections, authentication levels Opintopolku connection Back-channel API – SAML AttributeQuery (SOAP) vs. new REST API 7
(oppija ID) to a user-selected authentication method – Invitator: e.g. teacher, secretary – Invitee: student, who can select his preferred authentication method Specification for the first version has been done – Web UI, supporting invitation via email or “live” Back-channel API will be developed later, if needed – Invitator & invitee authentication via IdP proxy (SAML) – https://github.com/educloudalliance/educloud-sso/wiki/Authn-Selector-Service 8