
A service or application request for tender often requires definitions for ensuring Haka compatibility. Universally accurate examples or definitions cannot be given: every request for tender needs customised requirements and must be handled case by case. This page collects some common requirements and examples, but they must be used with care.

Authentication protocol

Haka is a federated authentication infrastructure based on the SAML 2.0 protocol. In addition to the general SAML2 standards, Haka has certain Haka-specific requirements. Haka aims to be as compatible as possible with international identity federations, but in some cases local requirements make this impossible.

User authentication must utilize the Haka identity federation: https://confluence.csc.fi/x/JoIUAg. The service must include a SAML2 Service Provider component configured to support the Haka SAML2 profile: https://confluence.csc.fi/x/m4IUAg

In some cases it is required that the application allows local user accounts in addition to federated identities.

The service must support the use of local user accounts. The capability must be available concurrently with Haka.

User attributes

Haka user authentication enables the transfer of user attributes to the service. The user attributes available in Haka are defined in the user attribute schema: https://confluence.csc.fi/x/FoMUAg

Attribute usage and links to local user accounts must always be evaluated per service.  

Storing and updating user information must rely on attributes received through Haka.

Users in Haka are identified using one of the available identifiers. The most commonly used identifier is the eduPersonPrincipalName attribute.

The user's Haka identifier must be linked to the user's existing account in the service.

Authorisation

Authorisation must be based on user attributes.
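The following is an added example (not code from the Haka federation, CSC or this page) of how a service can meet the attribute, account-linking and authorisation requirements above. It assumes the SAML2 SP component (for example Shibboleth SP) has already validated the assertion and hands the application the released attributes as a dict together with the asserting IdP's entityID. Attribute names follow the Haka attribute schema; the IdP entityIDs, permitted scopes and local accounts are constructed sample data, not real federation members. The scope check is the caveat a practitioner should not skip: eduPersonPrincipalName is scoped (user@organisation), and an IdP must only be allowed to assert the scopes that federation metadata grants it, otherwise one IdP could assert identifiers belonging to another organisation's users.

```python
"""Linking Haka identities to local accounts and authorising on attributes.

Added example, not code from the Haka federation or CSC. Assumes the SP
component has validated the SAML assertion and passes the released
attributes (Haka schema names) plus the asserting IdP's entityID.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the scopes each IdP is permitted to assert. In a real deployment
# this comes from federation metadata (shibmd:Scope), not a hand-kept table.
IDP_SCOPES = {
    "https://idp.example-university.fi/idp/shibboleth": {"example-university.fi"},
    "https://idp.example-college.fi/idp/shibboleth": {"example-college.fi"},
}


class ScopeError(Exception):
    """The asserting IdP is not entitled to the scope it used."""


@dataclass
class Account:
    username: str
    haka_id: Optional[str] = None        # linked eduPersonPrincipalName
    attributes: dict = field(default_factory=dict)


def check_scope(value: str, idp_entity_id: str) -> str:
    """Accept a scoped value (user@scope) only if the IdP may assert that scope."""
    if "@" not in value:
        raise ScopeError(f"{value!r} is not a scoped identifier")
    scope = value.rsplit("@", 1)[1].lower()
    if scope not in IDP_SCOPES.get(idp_entity_id, set()):
        raise ScopeError(f"{idp_entity_id} may not assert scope {scope!r}")
    return value


def login(accounts: dict, attrs: dict, idp_entity_id: str,
          local_username: Optional[str] = None):
    """Resolve a Haka login to a local account.

    Returns (status, account). Statuses: "updated" (existing link found and
    stored attributes refreshed from Haka), "linked" (explicit linking step
    for a user currently logged in locally as local_username), "unknown"
    (no link exists; the caller may provision or deny), "rejected" (scope
    check failed).
    """
    try:
        eppn = check_scope(attrs["eduPersonPrincipalName"], idp_entity_id)
    except ScopeError:
        return "rejected", None

    # Existing link: the Haka identifier is the lookup key, never the username.
    for acct in accounts.values():
        if acct.haka_id == eppn:
            acct.attributes = dict(attrs)   # stored data follows what Haka sent
            return "updated", acct

    if local_username is None or local_username not in accounts:
        return "unknown", None

    acct = accounts[local_username]
    if acct.haka_id is not None:
        raise ValueError(f"{local_username} is already linked to {acct.haka_id}")
    acct.haka_id = eppn
    acct.attributes = dict(attrs)
    return "linked", acct


def is_authorised(acct: Account,
                  allowed=("member", "staff", "faculty")) -> bool:
    """Authorisation decided from received attributes only (eduPersonAffiliation here)."""
    affiliations = set(acct.attributes.get("eduPersonAffiliation", ()))
    return bool(affiliations & set(allowed))
```

Note that the stored attributes are overwritten on every login rather than edited locally, so a change in affiliation at the home organisation takes effect at the next authentication, and a spoofed identifier from the wrong IdP is rejected before any account is touched.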

Service 

Identity provider discovery

Each organization in Haka has its own identity provider, so Haka services need a means of directing users to authenticate at their respective identity providers.

Services must decide whether to manage discovery locally or use the centralized Haka Discovery Service.

Discovery must be done in service user interface

Discovery must be done using a URL address.

Centralized Haka Discovery Service must be used.

The service redirects the user to a specified identity provider for authentication.
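As an added example (not code from the Haka federation, CSC or this page), the following shows the service side of the discovery alternatives listed above: building the redirect to a central discovery service, handling the user's return with the chosen identity provider, and resolving an identity provider chosen locally or pre-selected in a URL. It assumes the SAML IdP Discovery Protocol: the SP sends the user to the discovery service with its own entityID and a return URL, and the discovery service sends the user back with the chosen IdP's entityID in the query parameter named by returnIDParam. The discovery-service address, the service addresses and the IdP list are placeholders standing in for the real Haka endpoints and the federation metadata the SP has loaded. The security point is the same for every discovery method: the chosen entityID and the post-login target are user-controllable, so the service only accepts IdPs known from federation metadata and only same-site relative targets.

```python
"""Identity provider discovery for a Haka service provider.

Added example, not code from the Haka federation or CSC. Assumes the SAML
IdP Discovery Protocol (entityID / return / returnIDParam parameters).
All addresses and the IdP list below are placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

SP_ENTITY_ID = "https://service.example.fi/shibboleth"
DISCOVERY_SERVICE = "https://ds.example.fi/DS"          # placeholder, not the real Haka DS
RETURN_URL = "https://service.example.fi/Shibboleth.sso/Login"

# Stand-in for IdP entries from federation metadata: entityID -> SSO endpoint.
KNOWN_IDPS = {
    "https://idp.example-university.fi/idp/shibboleth":
        "https://idp.example-university.fi/idp/profile/SAML2/Redirect/SSO",
    "https://idp.example-college.fi/idp/shibboleth":
        "https://idp.example-college.fi/idp/profile/SAML2/Redirect/SSO",
}


def safe_target(target: str) -> str:
    """Keep only a same-site relative path as the post-login destination."""
    if target.startswith("/") and not target.startswith("//") and "\\" not in target:
        return target
    return "/"


def discovery_request(target: str = "/", is_passive: bool = False) -> str:
    """Build the redirect to the central discovery service.

    `target` (the page the user wanted) rides along in the return URL so the
    service can resume there; it is sanitised first because it is user-supplied.
    """
    return_url = f"{RETURN_URL}?{urlencode({'target': safe_target(target)})}"
    params = {
        "entityID": SP_ENTITY_ID,        # who is asking
        "return": return_url,            # where the DS sends the user back
        "returnIDParam": "entityID",     # name of the parameter carrying the choice
    }
    if is_passive:
        params["isPassive"] = "true"     # DS must not show a UI if nothing is remembered
    return f"{DISCOVERY_SERVICE}?{urlencode(params)}"


def resolve_idp(entity_id: str):
    """Map a chosen entityID to its SSO endpoint, or None if not in metadata.

    Used for every way an IdP can be chosen (DS return, the service's own
    menu, a pre-selected IdP in the login URL): only IdPs known from
    federation metadata are accepted.
    """
    return KNOWN_IDPS.get(entity_id)


def handle_discovery_return(url: str):
    """Parse the DS redirect back to the service.

    Returns (idp_sso_url, target), or None if the choice is missing,
    duplicated or not a federation IdP.
    """
    qs = parse_qs(urlsplit(url).query)
    chosen = qs.get("entityID", [])
    if len(chosen) != 1:
        return None
    sso = resolve_idp(chosen[0])
    if sso is None:
        return None
    return sso, safe_target(qs.get("target", ["/"])[0])
```

With locally managed discovery the service's own organisation menu feeds `resolve_idp` directly; with a pre-selected IdP in the login URL the same function validates the parameter before any redirect is issued.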

User provisioning
