Service or application request for tender
A request for tender for a service or an application often requires definitions that ensure Haka compatibility. This page is a template: some possible requirements are given, but proper consideration is needed by the requestor.
Authentication protocol
Haka is a federated authentication infrastructure based on the SAML2 protocol. In addition to the general SAML2 standards, Haka has certain Haka-specific requirements. Haka aims to be as compatible as possible with international identity federations, but in some cases this is not possible due to local requirements.
Info: User authentication must utilize Haka identity federation: https://confluence.csc.fi/x/JoIUAg. The service must include a SAML2 Service Provider component configured to support Haka SAML2-profile: https://confluence.csc.fi/x/m4IUAg
...
Haka user authentication enables the transfer of user attributes to a service. User attributes in Haka are defined in the FunetEduPerson attribute schema: https://confluence.csc.fi/x/FoMUAg
Attribute usage and links
The use of personal data received as federated attributes, and the linking of that data to local user accounts, must always be evaluated per service. In general, when using Haka, services should minimise the amount of locally created user attributes and rely on federated attributes.
...
Users in Haka are identified using one of the available identifiers specified in the attribute schema: https://confluence.csc.fi/x/FoMUAg. The most commonly used identifier is the eduPersonPrincipalName attribute. In some cases it is desirable that existing user accounts are linked to federated identifiers.
...
Info: Authorisation must be based on the federated attributes of the user.
Info: User roles of the service must be based on federated attributes.
Identity provider discovery
...
User accounts may be provisioned before the user accesses the service. Usually this means importing the users' Haka identifiers to the service.
...
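A sketch of how a service could combine the requirements above (identification by eduPersonPrincipalName, pre-provisioned identifiers, roles taken from federated attributes). This is an added example, not part of the Haka documentation or any vendor's code. It assumes the SAML2 Service Provider component has already validated the assertion and passes attributes as a dict of name to list of values; the affiliation-to-role policy, the function names and the sample identifier are hypothetical.

```python
import re

# Constructed sample data: Haka identifiers imported before first login.
PROVISIONED = {"teppo@university.example": 1001}

# Hypothetical service policy: eduPersonAffiliation value -> service role.
ROLE_POLICY = {"faculty": "teacher", "staff": "teacher", "student": "learner"}

# Loose shape check only: local-part@scope, no whitespace, one "@".
EPPN_RE = re.compile(r"[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class LoginRejected(Exception):
    """Raised when the released attributes do not allow a session."""


def single_value(attrs, name):
    # A missing or multi-valued identifier is ambiguous, so refuse it.
    values = attrs.get(name, [])
    if len(values) != 1:
        raise LoginRejected(f"{name}: expected 1 value, got {len(values)}")
    return values[0]


def resolve_login(attrs, accounts=PROVISIONED, policy=ROLE_POLICY):
    """Map attributes from an already validated assertion to a session.

    attrs is a dict of attribute name -> list of values, as assumed to be
    handed over by the SAML2 Service Provider component.
    """
    eppn = single_value(attrs, "eduPersonPrincipalName")
    if not EPPN_RE.fullmatch(eppn):
        raise LoginRejected("malformed eduPersonPrincipalName")
    if eppn not in accounts:
        raise LoginRejected("identifier was not provisioned")
    # Roles are recomputed from the federated attributes on every login and
    # never read from the local account, so a change at the home
    # organisation takes effect at the next authentication.
    affiliations = attrs.get("eduPersonAffiliation", [])
    roles = sorted({policy[a] for a in affiliations if a in policy})
    if not roles:
        raise LoginRejected("no released affiliation maps to a role")
    return {"account_id": accounts[eppn], "eppn": eppn, "roles": roles}
```

The local account here stores only the imported identifier and an internal id, which keeps locally created user attributes to a minimum.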