
How Edugate Works

Overview

Edugate is an implementation of Federated Access. It works by a service provider and an identity provider agreeing a basis of trust between them; this trust is partly managed by HEAnet, the operator of Edugate. The identity provider authenticates its users' credentials and then provides basic user details to service providers. The service provider then decides what level of access the visitor is entitled to based on the user's details.

A good overview of federated access can be obtained by watching the 5-minute video provided by JISC Access Management.

The diagram and accompanying steps outlined below explain the flow of events that enable federated access.

[Diagram: How Edugate Works]

  1. The user opens his/her browser and requests the Service Provider's (SP) website; when the website loads, the user clicks a 'Login' link.
  2. The SP presents the user with a Discovery or WAYF (Where Are You From) page. This may be the service provider's own web-site or the Edugate shared WAYF website (http://wayf.heanet.ie), and it displays a list of participating Edugate Identity Providers (institutions) in the user's browser; the user selects his/her institution from the list.
  3. The WAYF/Discovery redirects the user back to the SP, including the details of the user's institution.
  4. Now that the SP knows where the user is from, it redirects the user to the user's institutional identity provider (IdP) website, where the IdP will prompt for the user's institutional credentials (only if the user does not already have a web-session at the IdP). The user enters his/her credentials, which are checked against the institutional user repository (step 6).
  5. If the credentials are verified, the IdP will fetch user information* from the institution's repositories and present an invisible HTML form pre-populated with encrypted user information. The form is automatically submitted** by the browser to a location on the SP's website.
  6. The data* will be decrypted and used to create an authorised session between the user and the SP. Optionally, the data will be used to create a persistent SP user account (session) or match the user to an existing/stored user account (or session). The SP may also present a 'terms of service' or 'privacy policy', or prompt for 'consent' for further processing of the data received.
  7. All subsequent requests by the user are handled by the service provider hereafter.

*The data may vary from an opaque identifier known only to the IdP and SP to the full set of data as described in the Edugate Technical Specification.

**The user may be prompted for consent by the IdP before the data is sent to the SP, in which case the user's consent will be recorded in a database.

NOTE: Steps 1-4 can be skipped by the SP in any of the following cases:

a) the SP web-site is used by only one institution, in which case the SP can redirect users back to that institution's IdP.

b) the SP uses some other means to determine where the user is from (IP address range, cookie domain etc.)

c) the SP has a 'WAYFless URL' that can be customised for each institution's IdP

d) the SP is able to respond to IdP initiated SSO, or unsolicited authentication responses.
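
Steps 3 and 4 from the SP's side, as an added example that is not Edugate's or HEAnet's own code: the SP accepts the institution returned by the WAYF only if it is a known federation IdP, then builds the SAML AuthnRequest redirect. The entity IDs, endpoints and function names are constructed for illustration, and the WAYF is assumed to return the choice in the default 'entityID' query parameter.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; a real SP takes these from the federation metadata.
SP_ENTITY_ID = "https://sp.example.org/saml"
SP_ACS_URL = "https://sp.example.org/saml/acs"
TRUSTED_IDPS = {  # IdP entityID -> SSO endpoint (HTTP-Redirect binding)
    "https://idp.example.edu/idp": "https://idp.example.edu/saml/sso",
}

def idp_from_discovery_return(return_url):
    """Step 3: read the institution chosen at the WAYF; accept only known IdPs."""
    values = parse_qs(urlsplit(return_url).query).get("entityID", [])
    if len(values) != 1 or values[0] not in TRUSTED_IDPS:
        raise ValueError("unknown or ambiguous IdP in discovery response")
    return values[0]

def build_authn_redirect(idp_entity_id, relay_state):
    """Step 4: build the URL that sends the browser to the IdP with an AuthnRequest."""
    request_id = "_" + uuid.uuid4().hex  # kept by the SP to match InResponseTo later
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sso_url = TRUSTED_IDPS[idp_entity_id]
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{sso_url}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode.
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return request_id, f"{sso_url}?{query}"

def decode_saml_request(redirect_url):
    """Inverse of the encoding above, for inspecting a captured redirect."""
    b64 = parse_qs(urlsplit(redirect_url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), wbits=-15).decode()
```

The request ID returned by build_authn_redirect is what the SP compares with InResponseTo when the form arrives in step 6; an SP that accepts unsolicited responses (case d) has no such value to compare.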

Who is Edugate for?

Edugate provides a single access mechanism that can enable access to online resources supporting alliances, research collaboration, consortia and shared services. Now users can use the credentials issued by their institution to access Edugate enabled web-sites and benefit from a personalised and persistent experience, with privacy features that put the user in control.

Enable users to use the campus directory credential to access Edugate enabled web sites beyond the campus boundary from anywhere, whilst protecting the campus directory from unnecessary searches and the user credentials from use on web sites beyond your control. 
 

Your patrons are individuals, not IP Addresses!
 
Enable publishers to provide users with a consistent and personalised experience regardless of their location or the device they are using.
Improve the end-user experience by providing Single-Sign-On and reducing the frequency of prompts for campus credentials.
Connect your patrons to your subscribed resources, regardless of where the user performs their search.

Restrict access to your club or society web-site to valid campus users without needing the campus IT department to provide you with access to the entire campus user database.
For student unions, Edugate enables online elections that can authenticate all students currently enrolled without needing to expose campus credentials or personal information.

Example: UL Students Union

Provide your suppliers with a means to interact with all campus members. Whether it's parking management, physical access management, catering or sports facilities, Edugate can provide a secure means to validate staff and student status. Access cards or tokens can be issued online in a self-service manner, removing some, if not all, of the paperwork.

Example: Apcoa Parking Management

When establishing any online service that will be used by multiple institutions, Edugate will provide a means to authorise access to the service by user, role or institution without having to issue usernames/passwords or other credentials to the users of the service.
Most research projects are collaborations and when it comes to hosting collaborative tools or sharing documents and data, Edugate enables the hosting partner to seamlessly grant access to the project content.

Example: NDLR Repository
Example: HEAR and DARE

Campus IT managers and IT security officers are increasingly reluctant to synchronise user credentials or open up campus directory services to applications that are hosted in the cloud. Even locally hosted managed applications that require the campus credential to be processed by the application present a security risk. Edugate is built on the open SAML federated access standard that is used in financial services, aerospace and government eID, and provides Single-Sign-On without the risks.

e-Government
Whether it's a central or local government service that needs to validate that a student is a current student, Edugate can open up the potential for numerous e-Government services for students (e.g. Grants and Tax Credits).

e-Commerce
When offering a student discount online, relying on a campus email address leaves the offer open to abuse since many institutions offer 'email for life'. Edugate will allow you to know if a customer is a current student and which institution the customer is affiliated to.