- I'm the IT manager for my institution, what services will my users have access to through Edugate?
You can use Edugate to provide Single-Sign-On (SSO) to Edugate participating services, your own internal services and other external services. Some services require a subscription with the provider.
- As a service provider, do I still have to provision user accounts in advance?
In most cases, no, as many services support account provisioning on-the-fly (or 'just-in-time provisioning'). Provisioning on-the-fly creates accounts using the incoming user data provided by the institution when the user logs in. Only where the incoming data does not provide sufficient detail should bulk account provisioning still be necessary. Edugate can provide user, institution and role data that can be used to provision accounts on-the-fly.
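A sketch of on-the-fly provisioning at a service provider, written for this FAQ as an added example (it is not Edugate or vendor code). The eduPerson-style attribute names, the entity ID and the scope table are assumptions, since the page does not list the Edugate schema.

```python
from dataclasses import dataclass, field

# Assumed attribute names (eduPerson-style); not taken from the page.
REQUIRED = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")

# Constructed sample: the scopes each identity provider is registered for.
IDP_SCOPES = {"https://idp.example-college.ie/idp": {"example-college.ie"}}


class NeedsManualProvisioning(Exception):
    """Incoming data is insufficient or untrusted; fall back to bulk provisioning."""


@dataclass
class Account:
    user_id: str
    institution: str
    roles: set = field(default_factory=set)


def provision_on_login(accounts, idp_entity_id, attrs):
    """Create or refresh a local account from the attributes released at login."""
    missing = [name for name in REQUIRED if not attrs.get(name)]
    if missing:
        raise NeedsManualProvisioning(f"missing attributes: {missing}")
    eppn = attrs["eduPersonPrincipalName"][0].lower()
    local, _, scope = eppn.rpartition("@")
    # An identity provider may only assert identifiers inside its own scope.
    if not local or scope not in IDP_SCOPES.get(idp_entity_id, set()):
        raise NeedsManualProvisioning(f"scope {scope!r} not allowed for {idp_entity_id}")
    roles = set()
    for value in attrs["eduPersonScopedAffiliation"]:
        role, _, role_scope = value.lower().rpartition("@")
        if role and role_scope == scope:  # ignore affiliations for foreign scopes
            roles.add(role)
    account = accounts.get(eppn)
    if account is None:
        account = accounts[eppn] = Account(eppn, scope)
    account.roles = roles  # refreshed on every login so withdrawn roles disappear
    return account
```
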
- Must I be a member of Edugate to use federated access?
No, you can agree bilateral or multi-lateral federated access agreements with organisations you trust outside of any federation. However, this approach will become unmanageable once the number of applications begins to increase and will result in increased effort for your organisation.
- Can I be a member of more than one federation?
Yes. However, being a member of more than one federation will increase the effort required to manage your federation software. Before joining a second federation, it is recommended that you first check whether the federation you are already a member of has any plans to join an interfederation scheme (such as that provided by eduGAIN).
- Can I use Edugate within my organisation?
Yes, Edugate can be used to deliver SSO within the organisation. Organisations can use Edugate internally as their SSO solution, or use similar federated access without being a member of Edugate. Using Edugate internally lets applications share user data while reusing the same credentials and sessions. Access control rules can be defined to select which applications are open to external access by other federation members' users.
- Can I replace my existing SSO solution with Edugate?
Yes, as explained above, Edugate can provide internal SSO to your users. However, there may still be specific cases where your existing SSO solution is a better fit than federated applications. Organisations that wish to replace their existing SSO solution with Edugate should plan an application-by-application migration strategy and use the same user repository for SSO and Edugate.
- Can I integrate Edugate with my existing SSO solution?
Yes. In fact, some SSO products (such as CA SiteMinder, Tivoli Access Manager and Sun Access Manager) can be easily integrated with Edugate; others can be integrated using the SSO solution's API and a certain amount of customisation. In either case there are two ways to integrate Edugate with your SSO solution. Firstly, as a service provider (SP) you should create an access control rule (ACL) in your SSO solution for external users who will access the applications you decide should be accessible externally. Your federated access software should ask external users to authenticate using their home credentials and then authorise each user based on the user's attributes. When this has been successful, your SSO solution should issue an SSO session token or cookie (using the ACL described above) that can then be reused on any SSO-protected application. Getting your SSO solution to trust an Edugate session may be trivial or difficult depending on your SSO solution, but the benefit of not having to retrofit Edugate to all of your SSO-enabled applications will make any effort worth it. The second option is to make your SSO authentication system issue an Edugate session so that when your users visit other organisations' protected resources they are not prompted to authenticate. Again, the degree of integration effort will vary, but the benefit here is that your users experience a seamless login to external resources and need to familiarise themselves with the SSO login screen only. A variant of this solution is to use the same user repository for Edugate that your SSO solution uses, but this will more than likely mean that the user will be prompted to log in on a screen different from that of your current SSO solution.
- Can I use Edugate in parallel with my SSO solution?
Yes. Rather than integrating your SSO and Edugate as described above, you can run both solutions in parallel. You should use Edugate with applications that will be accessed internally and externally, and use SSO on applications that will be used internally only. Another consideration is your application's native support for SSO or federated access. Applications that will be accessed internally only may offer better native support for Edugate than for SSO; in these cases you should choose federated access over SSO. In other words, if your SSO solution requires you to significantly customise your application, you should investigate how much customisation is needed for Edugate before deciding.
- Which of my campus resources should I enable Edugate access to?
You should enable Edugate on any of your resources that will be accessed by users who belong to another organisation and if the service is hosted off-campus and requires user authentication.
- If authorisation to resources is based on user attributes, does that mean I will have to modify the schema of our student repository?
In almost all cases, the answer is 'No'. Most federated access software allows identity providers to map attribute names from the schema of the user repository to the federation schema; this mapping can be as simple as a one-to-one mapping or more complex. Where mapping is not possible, the existing campus schema can be extended rather than amended to support the Edugate schema.
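The mapping idea above as an added example (not part of the original FAQ and not the configuration of any particular identity provider product): a table translates repository attributes into federation attributes at login time, so the repository schema is left untouched. The eduPerson-style target names, the `campusCategory` source attribute and its codes are hypothetical.

```python
SCOPE = "example-college.ie"  # constructed institution scope

# Hypothetical campus category codes -> assumed federation affiliation values.
AFFILIATION = {"UG": "student", "PG": "student", "LECT": "faculty", "ADMIN": "staff"}


def scoped(values):
    """Append the institution scope to each value."""
    return [f"{value}@{SCOPE}" for value in values]


def affiliations(codes):
    """Complex mapping: translate local codes, drop unknown ones, de-duplicate."""
    return scoped(sorted({AFFILIATION[c] for c in codes if c in AFFILIATION}))


# federation attribute -> (attribute in the campus repository, transform)
MAPPING = {
    "mail": ("mail", list),              # one-to-one
    "displayName": ("cn", list),         # same value, different name
    "eduPersonPrincipalName": ("uid", lambda values: scoped(values[:1])),
    "eduPersonScopedAffiliation": ("campusCategory", affiliations),
}


def to_federation_attributes(entry):
    """Build the federation view of a directory entry without modifying it."""
    out = {}
    for fed_name, (source, transform) in MAPPING.items():
        values = transform(entry.get(source, []))
        if values:                       # repository attributes not in MAPPING never leave
            out[fed_name] = values
    return out


def unmapped_codes(entry):
    """Local codes with no federation equivalent: candidates for a schema extension."""
    return sorted(set(entry.get("campusCategory", [])) - set(AFFILIATION))
```
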
- The Edugate schema does not contain enough data to fit my needs, what options do I have?
There are two options: you can agree to extend the schema with the co-operation of selected Edugate identity providers, or you can synchronise the missing data outside of Edugate (Edugate can still be used for Single-Sign-On purposes).
- Users at our institution have frequently used faculty credentials and less frequently used institution credentials, which credentials should we use for our Identity Provider?
Firstly, you should consider using Edugate or SSO internally to help you consolidate on a single user repository. If this is not feasible, you have two choices: you can either use the single institutional repository or configure your identity provider software to query all your faculty repositories. Using multiple repositories is a practical option when there is no overlap of user IDs between repositories; otherwise it becomes difficult to define queries to simulate uniqueness.
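A check for the overlap problem described above, as an added example that is not part of the original FAQ. The repository names and users are constructed sample data; a real deployment would read them from the faculty directories.

```python
from collections import defaultdict

# Constructed sample data: faculty repository name -> {user id: display name}.
REPOSITORIES = {
    "science": {"jmurphy": "Joan Murphy", "okelly": "Orla Kelly"},
    "arts": {"JMurphy": "James Murphy", "pbyrne": "Paul Byrne"},
}


class AmbiguousUser(Exception):
    """The same user id exists in more than one repository."""


def overlapping_ids(repos):
    """Return {user id: [repositories]} for ids found in more than one repository."""
    seen = defaultdict(list)
    for repo_name, users in repos.items():
        for uid in users:
            seen[uid.lower()].append(repo_name)  # compare case-insensitively
    return {uid: sorted(names) for uid, names in seen.items() if len(names) > 1}


def find_user(repos, uid):
    """Query every repository; return (repository, display name) or None."""
    wanted = uid.lower()
    hits = [(repo_name, name)
            for repo_name, users in repos.items()
            for stored, name in users.items() if stored.lower() == wanted]
    if len(hits) > 1:
        # Guessing here would let two different people share one federated identity.
        raise AmbiguousUser(f"{uid!r} found in {sorted(r for r, _ in hits)}")
    return hits[0] if hits else None
```

Running `overlapping_ids` across all repositories before choosing the multi-repository option shows whether user IDs are already unique.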