A request for tender for a service or an application often needs to define requirements that ensure Haka compatibility. This page is a template of possible requirements; the requestor must still consider which of them apply to the service in question.
Authentication protocol
Haka is a federated authentication infrastructure based on the SAML2 protocol. In addition to the general SAML2 standards, Haka has certain Haka-specific requirements. Haka aims to be as compatible as possible with international identity federations, but in some cases this is not possible because of local requirements.
In some cases it is required that the application allows local user accounts in addition to federated identities.
User attributes
Haka user authentication enables the transfer of user attributes to a service. The user attributes available in Haka are defined in the FunetEduPerson attribute schema: FunetEduPerson schema
The use of personal data received as federated attributes, and the linking of that data to local user accounts, must always be evaluated per service. In general, services using Haka should minimise the amount of locally created user attributes and rely on federated attributes instead.
Users in Haka are identified using one of the identifiers specified in the attribute schema: FunetEduPerson schema. The most commonly used identifier is the eduPersonPrincipalName attribute. In some cases it is desirable to link existing user accounts to federated identifiers.
Authorisation
Depending on the use case, authorisation can be based on attributes such as user name, role, organisation or some other user attribute. Similarly, more fine-grained rights within the service may be based on user attributes.
Identity provider discovery
Each organisation in Haka has its own identity provider. Haka services therefore need a means of directing users to authenticate at their respective identity providers. There are several options for handling identity provider discovery.
User provisioning
User accounts may be provisioned before the user accesses the service. Usually this means importing the users' Haka identifiers into the service.
Alternatively, users may be provisioned when they access the service for the first time. Once the account exists, additional rights can be granted to the user.
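The identifier, authorisation and provisioning sections above can be combined into one flow in the service. The following is an added example, not code from Haka or from any Haka service: it keys local accounts on eduPersonPrincipalName, provisions an account on first access while storing nothing beyond the identifier, and derives service roles from released attributes. The in-memory store, the role policy and the organisation names are constructed for illustration, and the attribute names eduPersonAffiliation and schacHomeOrganization are assumed to be released by the identity provider.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Attribute names from the FunetEduPerson schema. SAML attributes are multi-valued,
# so every value below is a list of strings even when only one value is released.
EPPN = "eduPersonPrincipalName"
AFFILIATION = "eduPersonAffiliation"
HOME_ORG = "schacHomeOrganization"

@dataclass
class LocalAccount:
    username: str
    federated_id: Optional[str] = None            # linked Haka identifier, if any
    roles: Set[str] = field(default_factory=set)  # rights granted locally

class AccountStore:
    """Constructed in-memory store standing in for the service's user database."""
    def __init__(self, accounts: List[LocalAccount]) -> None:
        self.by_federated_id = {a.federated_id: a for a in accounts if a.federated_id}

    def link_or_provision(self, attrs: Dict[str, List[str]]) -> LocalAccount:
        # Identify the user only by the federated identifier; names or e-mail
        # addresses are neither guaranteed unique nor stable, so never key on those.
        values = attrs.get(EPPN) or []
        if not values or not values[0]:
            raise ValueError("assertion lacks eduPersonPrincipalName; refusing login")
        eppn = values[0]
        account = self.by_federated_id.get(eppn)
        if account is None:
            # Just-in-time provisioning: create the account on first access and
            # store only the identifier; all other user data stays federated.
            account = LocalAccount(username=eppn, federated_id=eppn)
            self.by_federated_id[eppn] = account
        return account

# Constructed policy: each role lists conditions that must all hold; a condition
# holds when any released value of the attribute is in the allowed set.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "editor": {HOME_ORG: {"example-university.fi"}, AFFILIATION: {"staff", "faculty"}},
    "reader": {AFFILIATION: {"student", "staff", "faculty"}},
}

def authorise(attrs: Dict[str, List[str]], local_roles: Set[str]) -> Set[str]:
    """Combine locally granted roles with roles derived from federated attributes."""
    granted = set(local_roles)
    for role, conditions in POLICY.items():
        if all(set(attrs.get(name, [])) & allowed for name, allowed in conditions.items()):
            granted.add(role)
    return granted
```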