Before proceeding read the Requirements for Services.
This page explains how to register a Service Provider on the GEANT AAI Service
You can request for a service to be connected on the GEANT AAI Service using the following form:
https://webapp.aai.geant.org/sp_request
Service requests are reviewed for correctness and eligibility by GEANT.
The metadata for the SAML2 Identity Provider can be found here: https://proxy.aai.geant.org/metadata/frontend.xml
The discovery endpoint for the OIDC Provider can be found here: https://proxy.aai.geant.org/.well-known/openid-configuration
1. Requester Details
Display name - Already prefilled from your Profile
Email - Already prefilled from your Profile
Identifier - Already prefilled from your Profile
Orgnanization - If it is not prefilled, please enter the name of your organization. This can be different from the organization / legal entity providing the service
2. Organization Information - Legal entity responsible for the service
Organization Name - The name of the organization responsible for the service
Organization Website - The website of the organization responsible for the service
3. Service Details
Service Name - The name of the service
Service Website (URL) - The URL of the website or landing page for the service
Service Logo (URL) - A URL with the logo / icon of the service
Service Description - A description of what the service is
4. Contact Information
Email addresses for administrative, security, helpdesk and technical contacts or teams responsible for the service
5. Service Provider Policies
Privacy Notice (URL) - A URL pointing to the privacy notice of the service
Acceptable Usage Policy / Terms of Use - A URL pointing to the Acceptable Usage Policy and / or Terms of Use of the service
Incident Response Policy (URL) - A URL pointing to the Incident Response policy applicable to the service. This is an optional field
GÉANT Data Protection Code of Conduct - Click the check box if the service is compliant with the GÉANT Code of Conduct. You can find more information about the GÉANT Code of Contact on the GÉANT website
Sirtfi - Click the check box if the service is compliant with Sirtfi. You can find more information about the Sirtfi framework on the REFEDS website
Research and Scholarship - Click the check box of the service is compliant with Research and Scholarship entity category. You can find more information about the Research and Scholarship entity category on the REFEDS website
6 - 1 - A. Registering a SAML Service Provider
SAML or OIDC - Choose SAML for registering a SAML Service Provider
SP is part of eduGAIN - If the Service Provider is already registered in eduGAIN through a national federatoin click this checkbox
SAML2 Entity ID - This textbox is only visible if you have selected that the SP is part of the eduGAIN. Provide the SAML2 entity ID for the service
SAML2 Metadata (URL) - This textbox is only visible if you have NOT selected that the SP is part of eduGAIN. A URL pointing to the SAML2 metadata of the service
6 - 1 - B. Additional Information
Before submitting the application, you can provide extra information about your application. For example, if the service is not ready for production or the service has specific attribute requirements. By default services receive the GEANT AAI Service identifier, the name and the email of the person. You can read about the available attributes here: Attributes available to Relying Parties
6 - 1 - C. Form submission
When you click on the "Submit" button, you will see a page confirming your application request. You application will be reviewed by the GEANT AAI Service Support team and you will be notified via e-mail.
6 - 2 - A. Registering an OIDC Service Provider
SAML or OIDC | Choose OIDC for registering an OIDC Service Provider |
Grants | You can select multiple grants. For more information on "Authorization Code Flow", "Refresh Token" and "Implicit Flow" read the OpenID Connect Core 1.0 document. For more information on "Token Exchange" read the RFC8693 — OAuth 2.0 Token Exchange document. The Implicit Flow is discouraged due to security concerns. Instead, consider the Authorization Code Flow with PKCE. For more information read the OAuth 2.0 Security Best Current Practice document, especially section "2.1.2. Implicit Grant" |
Public client | A "public" client is incapable of maintaining the confidentiality of their credentials. For more information read the RFC6749 — The OAuth 2.0 Authorization Framework document, especially section 2.1. Client Types on the differences between "confidential" and "public" clients. It is recommended to require PKCE when the client is public. This option has no effect on the Implicit Flow. |
PKCE | PKCE stands for "Proof Key for Code Exchange". For more information read the RFC7636 — Proof Key for Code Exchange by OAuth Public Clients document. Using PKCE is recommended for all grants based on the Authorization Code Flow. For more information read the OAuth 2.0 Security Best Current Practice document, especially section "2.1.1. Authorization Code Grant". This option has no effect on the Implicit Flow. |
OIDC Redirect URLs | Enter one or more OIDC redirect URLs for your service. Note, wildcards are not supported. URLs like https://www.example.com/* are considered invalid |
6 - 2 - B. Additional Information
Before submitting the application, you can provide extra information about your application. For example, if the service is not ready for production or the service has specific claim requirements. By default services receive the GEANT AAI Service identifier, the name and the email of the person. You can read about the available scope/claims here: Attributes available to Relying Parties
6 - 2 - C. Form submission
When you click on the "Submit" button, you will see a page confirming your application request. In the confirmation page you will see also the client_id and secret for your client. Please store the securely as these cannot retrieved later. You application will be reviewed by the GEANT AAI Service Support team and you will be notified via e-mail.