A request for tender for a service or application often needs definitions that ensure Haka compatibility. This page gives some possible requirements, but proper consideration must be give
Authentication protocol
Haka is a federated authentication infrastructure based on the SAML2 protocol. In addition to the general SAML2 standards, Haka has certain Haka-specific requirements. Haka aims to be as compatible as possible with international identity federations, but in some cases this is not possible due to local requirements.
In some cases it is required that the application allows local user accounts in addition to federated identities.
User attributes
Haka user authentication enables the transfer of user attributes to the service. User attributes in Haka are defined in the user attribute schema: https://confluence.csc.fi/x/FoMUAg
Attribute usage and links to local user accounts must always be evaluated per service.
Users in Haka are identified using one of the available identifiers. The most commonly used identifier is the eduPersonPrincipalName attribute. In some cases it is desirable that existing user accounts are linked to federated identifiers.
Authorisation
Restricting access to a service is often a fundamental requirement. Depending on the use case, authorisation can be done based on attributes such as user name or role.
Identity provider discovery
Each organization in Haka has its own identity provider. This requires Haka services to have a means of directing users to authenticate at their respective identity providers. There are several options for handling identity provider discovery.
User provisioning
User accounts may be provisioned prior to the user accessing the service. Usually this means importing users' Haka identifiers to the service.
Users may be provisioned as they access the service for the first time. After the user account exists, additional rights can be granted to the user.
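The identifier, authorisation and provisioning requirements above can be combined as in the following added example, which is not code from Haka or from this page. It assumes the SAML2 service provider software has already validated the assertion and passes the released attributes as a dict of value lists; the use of eduPersonAffiliation as the role attribute, the allowed values, the case-insensitive matching and all class and function names are assumptions of the example.

```python
from dataclasses import dataclass, field

# Hypothetical policy: affiliations allowed to self-provision on first access.
ALLOWED_AFFILIATIONS = {"staff", "faculty"}

def normalise(eppn):
    # Example's choice: match identifiers case-insensitively, ignoring padding.
    return eppn.strip().lower()

@dataclass
class Account:
    local_name: str
    eppn: str
    rights: set = field(default_factory=set)

class AccountStore:
    def __init__(self):
        self.by_eppn = {}

    def pre_provision(self, eppn, local_name, rights=()):
        """Import a Haka identifier, or link it to an existing local
        account name, before the user's first login."""
        acct = Account(local_name, normalise(eppn), set(rights))
        self.by_eppn[acct.eppn] = acct
        return acct

    def login(self, attrs):
        """Return (account, created); raise PermissionError on denial."""
        values = attrs.get("eduPersonPrincipalName", [])
        # Fail closed: exactly one scoped identifier must be released.
        if len(values) != 1 or "@" not in values[0]:
            raise PermissionError("missing or ambiguous identifier")
        eppn = normalise(values[0])
        acct = self.by_eppn.get(eppn)
        if acct is not None:
            # Pre-provisioned or returning user: keep the stored rights.
            return acct, False
        # First access: authorise on role before creating an account.
        roles = {a.lower() for a in attrs.get("eduPersonAffiliation", [])}
        if not roles & ALLOWED_AFFILIATIONS:
            raise PermissionError("affiliation not authorised")
        # New accounts start with minimal rights; more are granted later.
        acct = Account(local_name=eppn, eppn=eppn, rights={"basic"})
        self.by_eppn[eppn] = acct
        return acct, True
```

Rights are never taken from the login request itself: a first-time user gets only the minimal set, and additional rights are granted by changing the stored account.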