Before proceeding read the Requirements for Services.
This page explains how to register a Service Provider on the GEANT AAI Service.
You can request to connect a service to the GEANT AAI Service using the following form:
https://webapp.aai.geant.org/sp_request
Note that service requests are reviewed for correctness and eligibility by the GEANT staff.
The metadata for the SAML2 Identity Provider can be found here:
https://proxy.aai.geant.org/metadata/frontend.xml
The discovery endpoint for the OIDC Provider can be found here:
https://proxy.aai.geant.org/.well-known/openid-configuration
The registration of services goes through two phases, as described below.
Phase 1 - Connection to the test environment.
Initially, services are connected to the test environment. The test environment is exactly the same as the production environment. The purpose of this step is to allow service owners to ensure that the connection with the GEANT AAI Service is working correctly, user information is processed as needed and all configurations are in place.
During this phase access to the service is restricted to users who have opted in to the Sandbox group. The first time a user tries to access a service that is connected to the test environment, the user is presented with a message denying access to the service unless they opt in to join the Sandbox group. By clicking the registration link for the Sandbox group, the user is redirected to register in the Sandbox group. From then on, users will see a warning about the status of the service on the Consent Page.
Phase 2 - Promotion to production.
Once the service owner is certain that the connection of the service with the GEANT AAI Service is working as expected, the service owner can request to promote the service to production.
1. Requester Details
Display name - Already prefilled from your Profile
Email - Already prefilled from your Profile
Identifier - Already prefilled from your Profile
Organization - If it is not prefilled, please enter the name of your organization. This can be different from the organization / legal entity providing the service
2. Organization Information - Legal entity responsible for the service
Organization Name - The name of the organization responsible for the service
Organization Website - The website of the organization responsible for the service
3. Service Details
Service Name - The name of the service
Service Website (URL) - The URL of the website or landing page for the service
Service Logo (URL) - A URL with the logo / icon of the service
Service Description - A description of what the service is
4. Contact Information
Email addresses for administrative, security, helpdesk and technical contacts or teams responsible for the service
5. Service Provider Policies
Privacy Notice (URL) - A URL pointing to the privacy notice of the service
Acceptable Usage Policy / Terms of Use - A URL pointing to the Acceptable Usage Policy and / or Terms of Use of the service
Incident Response Policy (URL) - A URL pointing to the Incident Response policy applicable to the service. This is an optional field
Jurisdiction of the service - Jurisdiction and information if the service is established in a 3rd country
GÉANT Data Protection Code of Conduct - Click the check box if the service is compliant with the GÉANT Code of Conduct. You can find more information about the GÉANT Code of Conduct on the GÉANT website
Sirtfi - Click the check box if the service is compliant with Sirtfi. You can find more information about the Sirtfi framework on the REFEDS website
Research and Scholarship - Click the check box if the service is compliant with the Research and Scholarship entity category. You can find more information about the Research and Scholarship entity category on the REFEDS website
6 - 1 - A. Registering a SAML Service Provider
SAML or OIDC - Choose SAML for registering a SAML Service Provider
SP is part of eduGAIN - If the Service Provider is already registered in eduGAIN through a national federation, click this checkbox
SAML2 Entity ID - This textbox is only visible if you have selected that the SP is part of eduGAIN. Provide the SAML2 entity ID of the service
SAML2 Metadata (URL) - This textbox is only visible if you have NOT selected that the SP is part of eduGAIN. A URL pointing to the SAML2 metadata of the service
6 - 1 - B. Required attributes
The service has to select the attributes it requires and provide a justification for each of them.
6 - 1 - C. Additional Information
Before submitting the application, you can provide extra information about your application. For example, if the service is not ready for production or the service has specific attribute requirements. By default services receive the GEANT AAI Service identifier, the name and the email of the person. You can read about the available attributes here: Attributes available to Connected Services
When moving the service to the production environment, you should review, accept and comply with the Terms of Use for Service Providers (the corresponding option in the form).
6 - 1 - D. Form submission
When you click on the "Submit" button, you will see a page confirming your application request. Your application will be reviewed by the GEANT AAI Service Support team and you will be notified via e-mail.
6 - 2 - A. Registering an OIDC Service Provider
SAML or OIDC - Choose OIDC for registering an OIDC Service Provider
Grants - You can select multiple grants. For more information on "Authorization Code Flow", "Refresh Token" and "Implicit Flow" read the OpenID Connect Core 1.0 document. For more information on "Token Exchange" read the RFC8693 — OAuth 2.0 Token Exchange document. The Implicit Flow is discouraged due to security concerns. Instead, consider the Authorization Code Flow with PKCE. For more information read the OAuth 2.0 Security Best Current Practice document, especially section "2.1.2. Implicit Grant"
Public client - A "public" client is incapable of maintaining the confidentiality of its credentials. For more information read the RFC6749 — The OAuth 2.0 Authorization Framework document, especially section 2.1. Client Types, on the differences between "confidential" and "public" clients. It is recommended to require PKCE when the client is public. This option has no effect on the Implicit Flow.
PKCE - PKCE stands for "Proof Key for Code Exchange". For more information read the RFC7636 — Proof Key for Code Exchange by OAuth Public Clients document. Using PKCE is recommended for all grants based on the Authorization Code Flow. For more information read the OAuth 2.0 Security Best Current Practice document, especially section "2.1.1. Authorization Code Grant". This option has no effect on the Implicit Flow.
OIDC Redirect URLs - Enter one or more OIDC redirect URLs for your service. Note that wildcards are not supported: URLs like https://www.example.com/* are considered invalid
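The following is an added example (not code from the GEANT AAI Service) showing what a client registered with the options above does at runtime: it derives an S256 PKCE code challenge as in RFC 7636, checks that a redirect URL would pass the no-wildcard rule of the form, and builds an Authorization Code Flow request. The discovery document is a constructed sample; only its URL comes from this page, and the authorization_endpoint path is an assumption that a real client must read from the live discovery document instead.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Discovery endpoint named on this page. The dict below is a constructed sample of
# the fields a client reads from it; the endpoint path is an assumed placeholder.
DISCOVERY_URL = "https://proxy.aai.geant.org/.well-known/openid-configuration"
SAMPLE_DISCOVERY = {
    "issuer": "https://proxy.aai.geant.org",
    "authorization_endpoint": "https://proxy.aai.geant.org/ASSUMED/authorize",
    "code_challenge_methods_supported": ["S256"],
}


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved characters from a CSPRNG."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def redirect_uri_is_registrable(uri: str) -> bool:
    """Mirror the form's rule: absolute https URL, no wildcard, no fragment."""
    parts = urlparse(uri)
    return parts.scheme == "https" and bool(parts.netloc) and "*" not in uri and not parts.fragment


def build_authorization_url(discovery, client_id, redirect_uri, scopes, verifier, state, nonce):
    """Authorization Code Flow request with PKCE (never the discouraged Implicit Flow)."""
    if not redirect_uri_is_registrable(redirect_uri):
        raise ValueError("redirect_uri would be rejected at registration: " + redirect_uri)
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise the S256 challenge method")
    params = {
        "response_type": "code",  # code is exchanged at the token endpoint with the verifier
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match a registered URL exactly
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding, checked on the callback
        "nonce": nonce,  # replay binding, checked in the ID token
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)
```

The verifier is kept client-side and sent only when redeeming the code, so an intercepted code alone cannot be exchanged for tokens.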
6 - 2 - B. Required attributes
The service has to select the attributes it requires and provide a justification for each of them.
6 - 2 - C. Additional Information
Before submitting the application, you can provide extra information about your application. For example, if the service is not ready for production or the service has specific claim requirements. By default services receive the GEANT AAI Service identifier, the name and the email of the person. You can read about the available scope/claims here: Attributes available to Connected Services
When moving the service to the production environment, you should review, accept and comply with the Terms of Use for Service Providers (the corresponding option in the form).
6 - 2 - D. Form submission
When you click on the "Submit" button, you will see a page confirming your application request. The confirmation page also shows the client_id and client secret for your client. Please store them securely, as they cannot be retrieved later. Your application will be reviewed by the GEANT AAI Service Support team and you will be notified via e-mail.