Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
en:services:it_security:aai:start [2023/03/08 06:52] – [Feedback] en:services:it_security:aai:start [2024/01/31 13:49] (current) – [AAI]
Line 1: Line 1:
 +====== Authentication and Authorization Infrastructure (AAI) ======
 +
 +We offer AAI services based on a suite of protocols and methods under the umbrella framework named  [[https://en.wikipedia.org/wiki/Shibboleth_(Internet2)|Shibboleth]]. We run several Identity Provider Servers for Authentication/Authorization of students and employees to internal and external Web Services that make use of the SAML protocol framework.
 +
 +<WRAP center round info 80%>
 +Employees of UMG can from now on use the Identity Provider for Georg-August University.
 +</WRAP>
 +===== Identity Providers ======
 +
 +The GWDG operates Identity Providers 
 +  * for employees of Max-Planck Institutes managed via our [[en:services:general_services:idm:start|MetaDir]], 
 +  * for students and employees of Georg-August University (including UMG), and
 +  * for employees and customer accounts of GWDG.
 +
 +{{:en:services:it_security:aai:shib-idp-mpg.png?200|}}
 +{{:en:services:it_security:aai:shib-idp-uni2.png?200|}}
 +{{:en:services:it_security:aai:shib-idp-gwdg.png?200|}}
 +
 +Amongst others Shibboleth is a web-based Single-Sign-On solution which enables Service Providers (SPs) and Identity Providers (IdPs) on both ends to configure 
 +fine-grained flow of personal information and establishes trust between pools of user management systems (IdPs) and services without the need to create
 +new account for each and every new service. Even more interesting, the infrastructure allows for anonymization of user records to a certain degree.
 +
 +All three IdPs are registered in the  [[https://www.aai.dfn.de/en|DFN-AAI Federation]] and the  [[https://en.wikipedia.org/wiki/EduGAIN|EduGAIN Interfederation]]. While the former is a national federation of german education and research institutes, the latter combines those national federations.
 +
 +===== Accessible Web Services =====
 +
 +The following is an excerpt of services that are ready-to-be used.
 +
 +  *  [[https://webconf.vc.dfn.de|DFNVC web conferences]] Organize web conferences (use "Anmeldung über DFN AAI" to login).
 +  *  [[https://www.siropglobal.org/|SiROP]] Search and find scientific projects (use "worldwide" login).
 +  *  [[https://gigamove.rz.rwth-aachen.de|gigamove]] Upload large files for a temporary time. 
 +  *  [[https://foodl.org/|foodle]] Online tool for coordinating meeting dates.
 +  *  [[http://www.textgrid.de/registrierungdownload/download-und-installation/|TextGrid Virtual Research Environment for Humanities (client download)]] Login is built-in the client software.
 +  *  [[https://www.wohnraum-fuer-studierende.de/startseite/|Wohnraum Suchmaschine für Studierende im Großraum Paderborn)]] (Accessible via Uni-Login).
 +  *  [[https://filesender.funet.fi|filesender-funet]] Send large files via web-mail.
 +  * [[http://muse.jhu.edu/|Project Muse]] Download access to journals of the "Basic College Collection" for members of the university.
 +
 +A comprehensive list of available services to participants of the DFN-AAI Federation and EduGain Federation are available  [[https://www.aai.dfn.de/verzeichnis/|here]].
 +
 +In addition to web services, the shibboleth IdPs also provide access to software retailers which give discounts on a particular user-group:  
 +
 +  * For Students of University of Göttingen:  [[https://www.studyhouse.de|Studyhouse (asknet portal)]] - Rent/purchase software products such as Microsoft Office 365 and various Adobe products at students discount via shibboleth authentication.
 +  * For Employees of University of Göttingen (also UMG) and GWDG:  [[https://www.academic-center.de/cgi-bin/product/P10016549|Academic Center (asknet portal)]] - Rent Microsoft Office 365 for a fee of 4.99 € per year.
 +
 +
 +===== Authentication Process =====
 +
 +We give a brief overview of the authentication process.
 +
 +| 1. You request a web service that is protected via means of SAML/Shibboleth. | {{:en:services:it_security:aai:dfn-webconf.png?200|}} |
 +| 2. Your browser is redirected to the "Where Are You From" page. Given that the web service is running as part of the DFN AAI the user is redirected to the DFN WAYF web-site where students, members and/or employees of Max-Planck, Uni Göttingen or GWDG should select the appropriate IdP. |   {{ :en:services:it_security:aai:dfn-wayf.png?200| }} |
 +
 +  * Employees of Max-Planck select "Max-Plank"
 +  * Employees and Customer Accounts of GWDG select "Gesellschaft für wissenschaftliche Datenverarbeitung mbH" 
 +  * Students and Employees of Uni-Göttingen and UMG select "Georg-August University Göttingen"
 +
 +| 3. You are then redirected to the Login page of the IdP server. | {{ :en:services:it_security:aai:shib-idp-mpg.png?200| }} |
 +| 4. If you are using the Shibboleth IdP for the very first time then you will need to accept the "Terms of Usage". | {{:en:services:it_security:aai:tou1.png?200| }} |
 +| 5. If you are using the web service for the very first time then you will see the list of attributes that are passed over to the web service (this is specific to each web service). | {{:en:services:it_security:aai:uapprove.png?200| }} |
 +| 6. Finally you are redirected back on the web service as an "authorized" user. Depending on the requirements of the web service and the transfered attributes you are becoming an "authenticated" | {{:en:services:it_security:aai:loggedin.png?200| }} |
 +If the web service expects attributes we haven't yet configured, you will probably get an error page from our Identity Provider. Since we only pass over the absolute minimum of your personal information in terms of attributes, you might experience problems getting into new services. See also our [[https://faq.gwdg.de/index.php?action=show&cat=26|FAQ]]. 
 +
 +Note that when you login to a different shibboleth-protected web service (e.g. gigamove) a second email/password authentication is not required but you will still be informed about attributes to be submitted from our IdP to web server providers.
 +
 +You close the session by closing the web browser, clearing session data etc.., or a logout function of the website. There's also a link for closing *ALL* shibboleth sessions at once (see below).
 +    * Academic Cloud: https://sso.academiccloud.de/simplesaml/module.php/core/logout/default-flow
 +
 +
 +
 +===== Account Linking =====
 +Service providers often face challenges in identifying and managing multiple accounts belonging to the same user. These challenges can lead to several problems, such as spamming, fraud, and other malicious activities. Linking accounts is a process that allows users to connect multiple accounts to a single identity, which can provide several benefits to both the users and service providers like GWDG. Some of these benefits include:
 +
 +**Improved User Experience:** Linking accounts can improve the user experience by reducing the number of login credentials users need to remember. This can save time and effort for users and make the platform more user-friendly. By linking accounts, users can seamlessly access all their accounts without the need to log in to each account separately. This feature can be particularly useful for users with multiple accounts across different platforms. Note that by linking accounts, users can still manage their information and have complete authority over their data. They can decide what information is allowed to be /not to be released to which service.
 +
 +
 +**Enhanced Security:** Linking accounts can enhance security by making it easier for service providers to manage multiple accounts belonging to the same user. This can reduce the risk of fraudulent activities and other malicious behaviors. With account linking, service providers can detect suspicious activity and prevent potential security breaches.
 +
 +
 +**Personalized Recommendations:** Linking accounts can enable service providers to provide personalized recommendations based on the user's activity across multiple accounts. This can enhance the user experience and increase engagement on the platform.
 +
 +
 +**Streamlined Account Management:** Linking accounts can make it easier for users to manage their accounts by allowing them to view and edit all of their account information in one place. This can reduce the time and effort required to manage multiple accounts. With account linking, users can easily update their personal information and preferences across all linked accounts. This can save time and provide a more streamlined account management experience.
 +
 +
 +=== Identification of Multiple Accounts using Deep Learning ===
 +Deep Learning is a subset of machine learning that involves training computers to learn by example, recognize patterns and make predictions. At GWDG, we have started working on a deep-learning model to identify multiple accounts belonging to the same user. This model aims to learn patterns in the data that can help identify which accounts belong to the same user. This involves analyzing various factors such as login times, IP addresses, and device information.
 +Once the model has been trained, it is used to provide recommendations to users and assist them in identifying and linking their multiple accounts. The system automates the linking process, eliminating the need for users to link their accounts manually. This can save time and provide a more user-friendly experience.
 +
 +We take the privacy and security of our users' information seriously. To see the list of data we use for training the model, refer to the [[https://www.gwdg.de/privacy-notice| GWDG privacy page]]. We have also implemented various security measures such as encryption and tokenization when storing sensitive data so as not to compromise user personal information or violate any regulations regarding data protection laws like GDPR (General Data Protection Regulation).
 +
 +=== Feedback ===
 +As we are in the preparation process for this new service, we are eager to receive feedback from users to estimate our deep learning model's performance and plan our future steps accordingly. Our next steps will be to improve the model's performance for more accurate suggestions and integrate the model's output into more services.
 +
 +For more information, please read [[https://ieeexplore.ieee.org/document/9524207|this article]].