Overview
Edugate is an implementation of federated access. It works by a service provider and an identity provider agreeing a basis of trust between them; this trust is partly managed by HEAnet, the operator of Edugate. The identity provider authenticates its users' credentials and then provides basic user details to service providers. The service provider then decides what level of access the visitor is entitled to, based on those user details.
A good overview of federated access can be obtained by watching the 5-minute video provided by JISC Access Management.
The diagram and the steps outlined below explain the flow of events that enables federated access. Step numbers mentioned in the text (e.g. "step 6", "steps 1-4") refer to the numbering in the diagram.
- The user opens a browser and requests the Service Provider's (SP) website; when the page loads, the user clicks a 'Login' link.
- The SP presents the user with a Discovery or WAYF (Where Are You From) page. This may be the service provider's own website or the Edugate shared WAYF (http://wayf.heanet.ie); it displays a list of participating Edugate Identity Providers (institutions), and the user selects his/her institution from the list.
- The WAYF/Discovery page redirects the user back to the SP, including the details of the user's institution.
- Now that the SP knows where the user is from, it redirects the user to the user's institutional Identity Provider (IdP) website, where the IdP prompts for the user's institutional credentials (only if the user does not already have a web session at the IdP). The user enters his/her credentials, which are checked against the institutional user repository (step 6).
- If the credentials are verified, the IdP fetches user information* from the institution's repositories and presents an invisible HTML form pre-populated with the user information, signed by the IdP and encrypted so that only the SP can read it. The form is automatically submitted** by the browser to a location on the SP's website. Before trusting any of the data, the SP verifies the IdP's signature and checks that the message was issued to this SP, was sent to the correct SP endpoint, and is still within its validity period.
- From this point on the service provider handles all of the user's subsequent requests itself; the IdP is not contacted again until the SP's own session for that user expires.
*The data may range from an opaque identifier known only to the IdP and SP to the full set of data described in the Edugate Technical Specification.
**The user may be prompted for consent by the IdP before the data is sent to the SP, in which case the user's consent is recorded in a database.
NOTE: Steps 1-4 can be skipped by the SP in any of the following cases:
a) the SP website is used by only one institution, in which case the SP can redirect users directly to that institution's IdP.
b) the SP uses some other means to determine where the user is from (IP address range, cookie domain, etc.).
c) the SP offers a 'WAYFless URL' that can be customised for each institution's IdP.
d) the SP is able to respond to IdP-initiated SSO, i.e. unsolicited authentication responses. Because such a response does not answer any request the SP made, the SP cannot tie it to an outstanding request and must rely on the remaining checks (signature, audience, recipient and validity period) alone.
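The following is an added example, not code from Edugate, HEAnet or any Shibboleth component, that plays both sides of step 8 above: the IdP builds the self-submitting HTML form of the SAML 2.0 HTTP-POST binding, and the SP applies the checks a practitioner wants before trusting the posted data (Destination, Issuer, InResponseTo, validity window, Audience and bearer Recipient). It also covers case d): an IdP-initiated response carries no InResponseTo, so the SP accepts it only when it is not expecting a reply to a request of its own. The SP and IdP identifiers, the request ID and the attribute value are constructed assumptions. The XML-DSig signature is a placeholder: a real SP verifies it with an XML-DSig library against the IdP key in federation metadata, and this example only checks that one is present.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespaces and success status URI, as defined by OASIS.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP and IdP identifiers: assumptions, not real Edugate members.
SP_ENTITY_ID = "https://sp.example.ie/shibboleth"
SP_ACS_URL = "https://sp.example.ie/Shibboleth.sso/SAML2/POST"
IDP_ENTITY_ID = "https://idp.example-college.ie/idp/shibboleth"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated IdP/SP clock difference
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_idp_post_form(request_id, now, attributes):
    """IdP side of step 8: constructed SAML Response in the HTTP-POST binding form.
    request_id=None models IdP-initiated SSO (case d): no InResponseTo is emitted.
    The ds:Signature is a placeholder; a real IdP signs with XML-DSig."""
    p, s, d = NS["samlp"], NS["saml"], NS["ds"]
    irt = f' InResponseTo="{request_id}"' if request_id else ""
    issued, expires = now.strftime(TS), (now + timedelta(minutes=5)).strftime(TS)
    attrs = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                    "</saml:AttributeValue></saml:Attribute>"
                    for k, v in attributes.items())  # values assumed XML-safe
    xml = (
        f'<samlp:Response xmlns:samlp="{p}" xmlns:saml="{s}" xmlns:ds="{d}" ID="_r1" '
        f'Version="2.0" IssueInstant="{issued}" Destination="{SP_ACS_URL}"{irt}>'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issued}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        "<saml:Subject><saml:NameID>opaque-id-123</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="{expires}"{irt}/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}">'
        f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>")
    encoded = base64.b64encode(xml.encode()).decode()
    return (f'<form method="post" action="{SP_ACS_URL}">'
            f'<input type="hidden" name="SAMLResponse" value="{encoded}"/>'
            "</form><script>document.forms[0].submit()</script>")

def _utc(stamp):
    return datetime.strptime(stamp, TS).replace(tzinfo=timezone.utc)

def validate_post_form(form_html, expected_request_id, now):
    """SP side of step 8: checks to run before trusting any attribute.
    Returns the attributes, raises ValueError otherwise.
    expected_request_id=None means an unsolicited response is acceptable (case d)."""
    m = re.search(r'name="SAMLResponse"\s+value="([^"]+)"', form_html)
    if not m:
        raise ValueError("no SAMLResponse field in form")
    root = ET.fromstring(base64.b64decode(m.group(1)))
    # Signature: verify with an XML-DSig library against the IdP key from
    # federation metadata before anything else; here only presence is checked.
    if root.find("ds:Signature", NS) is None:
        raise ValueError("unsigned response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS endpoint")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Issuer is not the IdP the user was sent to")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported authentication failure")
    # Bind the response to the request the SP issued; an IdP-initiated
    # response answers no request, so it must carry no InResponseTo.
    irt = root.get("InResponseTo")
    if expected_request_id is not None and irt != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding request")
    if expected_request_id is None and irt is not None:
        raise ValueError("unsolicited response carries an InResponseTo")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not (_utc(cond.get("NotBefore")) - CLOCK_SKEW <= now
            < _utc(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("bearer confirmation Recipient mismatch")
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

def demo():
    """SP-initiated login, two rejected responses, and an IdP-initiated login;
    returns what the SP decided in each case."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    attrs = {"eduPersonScopedAffiliation": "staff@example-college.ie"}
    form = build_idp_post_form("_req42", now, attrs)
    results = {"sp_initiated": validate_post_form(form, "_req42", now)}
    for label, rid, when in (("wrong_request", "_other", now),
                             ("replayed", "_req42", now + timedelta(minutes=30))):
        try:
            validate_post_form(form, rid, when)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    results["idp_initiated"] = validate_post_form(build_idp_post_form(None, now, attrs), None, now)
    return results
```

Running demo() shows the SP-initiated and IdP-initiated responses accepted with the attribute intact, while a response answering a different request and a response replayed half an hour later are rejected. The regex extraction of the form field stands in for what a browser does when it submits the form; in a deployed SP the posted SAMLResponse arrives as a normal form parameter.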