iAMRES Identity Federation
Identity Federation considerably simplifies the inter-institutional use of web services. Within an identity federation, a user has a single digital identity (a user name, a password and other data about the user) issued by the home institution where he or she works or studies. With that digital identity, the user may access the services offered through the Identity Federation. In an Identity Federation, institutions that provide digital identities to their users are called Identity Providers, and institutions that provide services are called Service Providers.
Identity Providers are responsible for verifying the user's identity (authentication) and for sending an agreed set of data about the user to the Service Provider. Based on that data, the Service Provider may perform additional authorization, i.e. assign the rights and privileges the user has within that service, and may also personalize the service. For AMRES users, Identity Federation is realized within the iAMRES service.
How Does iAMRES Service Work?
Identity Providers, Service Providers and iAMRES together make up the Identity Federation. iAMRES is primarily realized as a federation with a central portal for logging in to the system. Service Providers within the iAMRES Federation communicate with the iAMRES portal. The iAMRES portal does not store user information; it forwards the authentication request to the user's institution, an AMRES member, which performs the user authentication. The RADIUS protocol, i.e. the existing infrastructure built for the eduroam service, is used to transport authentication requests between the iAMRES portal and the Identity Provider.
If an AMRES member does not want to use the central iAMRES portal for logging in to the system, it can run its own Identity Provider authentication server, which must support the SAML 2.0 (Security Assertion Markup Language) protocol for authentication.
How can my institution become a user of the iAMRES Service?
iAMRES is currently run as a pilot service. During functionality testing, the service is available to all AMRES users who want to participate either as an Identity Provider or as a Service Provider. After the service has been tested in the pilot phase, it is planned to be promoted to production and to join the eduGAIN project.