The DFN Association (DFN-Verein) provides an Authentication and Authorisation Infrastructure (AAI) through the DFN-AAI federation, which simplifies and streamlines existing procedures for controlled access to information and resources. The service is implemented with the Shibboleth software. The DFN-AAI offers students and staff of the HTW who have an IT Service Centre login the possibility to authenticate to electronic services without having to request and manage a separate account with each service provider. HTW Dresden has been a member of the DFN-AAI federation since January 2014 and operates an Identity Provider (IdP) in the federation.
To use the service providers that have been enabled for the IdP of HTW Dresden, users need their IT Service Centre login and the associated password. These credentials are entered only at the IdP and are never transmitted to the service providers. The exchange of data with the IdP is encrypted (HTTPS). The attributes a service provider requires are transmitted only after the user has seen and confirmed them; this confirmation is requested per service provider and on each login to the service. All participating institutions are obliged by their contract with the DFN to treat the data transferred to them in accordance with the Data Protection Act.
The authentication and authorisation infrastructure contains various service providers (SPs) that have concluded agreements with the DFN. The participating identity providers (IdPs) of the DFN-AAI authenticate the users of their own institution. When a user wants to use a service in the DFN-AAI for the first time, they are first directed to a discovery service (WAYF service, Where Are You From). There the user selects their home institution (HTW Dresden) as identity provider and is redirected to it. After login, statements about authentication (verification of identity) and attributes for authorisation (access rights) are sent to the service provider via SAML (Security Assertion Markup Language).
- Distributed authentication and authorisation: the IT Service Centre login and password can be used both for services of HTW Dresden and for offers of other institutions or service providers.
- Single sign-on: after a single login, various services and applications can be used without re-entering the login and password at each individual service.
- Data protection: the user can preview the personal data to be sent to a service provider and, if necessary, stop the transmission and forgo use of the service.
- Security: the DFN organises and supervises the technical and contractual requirements for the partners.
Published attributes and data protection
Shibboleth supports users and service providers in data minimisation and identity management. Passwords never reach the service providers or their IT systems. For a number of service providers an anonymous identification by means of a so-called transientId is sufficient: a random, short-lived and opaque identifier that lets the service provider distinguish a session without learning who the user is.
The data to be transmitted to a service is displayed to the user after successful authentication with the IT Service Centre login of HTW Dresden.
For the final release to the service provider, the user must explicitly agree to the transmission of the data ("confirm" button). Alternatively, the user can refuse the release by closing the browser window; in that case nothing is transmitted and the service cannot be used.
Shibboleth attributes (* default-release attribute: these attributes may be read by all service providers in the DFN-AAI)

| No. | Description | Attribute | Example values |
|---|---|---|---|
| 3 | Type of affiliation plus domain name | eduPersonScopedAffiliation | email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org |
| 4 | Type of affiliation to one's own organisation | eduPersonAffiliation | student, employee, member, affiliate |
| 5 | User ID, which may contain name components | eduPersonPrincipalName | email@example.com |
| 9 | Organisation name | o | HTW Dresden |
| 10 | Organisational unit, e.g. faculty or central department | ou | Informatics |
| 13 | Study programme | dfnEduPersonFieldOfStudyString | 042 (Business Informatics) |
| 15 | Date of birth | schacDateOfBirth | 19990101 (1.1.1999) |
| 16 | Gender | schacGender | 1 (male), 2 (female) |
| 17 | Anonymous but unique identifier of the user, stable per service provider | persistentId | |
The following service providers are currently enabled via the IdP of HTW Dresden. The attributes transmitted to each service provider are listed in the last column.
Linked service providers (* without standard authorisation, ** in test mode)

| No. | Service provider | URL / store | Attributes transmitted |
|---|---|---|---|
| 1 | Opal Online Platform for Academic Teaching | https://bildungsportal.sachsen.de | givenName, sn, mail, o, ou, eduPersonPrincipalName, eduPersonAffiliation, dfnEduPersonTermsOfStudy, dfnEduPersonFeaturesOfStudy, dfnEduPersonFieldOfStudyString, schacPersonalUniqueCode, schacGender |
| 2 | Microsoft Office 365 ProPlus for Students | https://campussachsen.tu-dresden.de/ | persistentId |
| 4 | VMware Academic Programme (access only for members of the Faculty of Informatics / Mathematics) | VMware Academic Programme Store | ou, persistentId |
| 5 | Dreamspark Premium** (free Microsoft products for studies) | Dreamspark Premium Store | ou, persistentId |
| | Gigamove (share files up to 2 GB safely and conveniently with others) | Gigamove | sn, givenName, mail |
| | DFN web conferencing (including conference call)** (access only for HTW staff) | DFN web conference | sn, givenName, mail |
| | QIS portal (marks portal for students and lecturers) | Marks Portal (HISQIS) | qislogin |
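The following Python sketch is an added example, not code from HTW Dresden, the DFN or the Shibboleth project. It models the IdP-side behaviour described on this page: a per-service-provider attribute release policy (taken from the table above), the random short-lived transientId, the persistentId that is stable for one user at one service provider but differs between providers, the user's confirmation step, and the SAML 2.0 assertion that carries the released attributes to the service provider. The IdP entity ID, the Gigamove entity ID, the directory entry, the salt and the keyed-hash scheme for the persistentId are assumptions of this example; only the two URLs quoted on the page are real.

```python
"""Added example: IdP-side attribute release as described on the HTW Dresden
DFN-AAI page. Not the university's, the DFN's or Shibboleth's own code."""
import base64
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
IDP_ENTITY_ID = "https://idp.htw-dresden.example/idp/shibboleth"  # hypothetical
ET.register_namespace("saml", SAML)

# Per-SP release policy. Attribute lists follow the page's SP table; the two
# sachsen.de URLs are quoted on the page, the Gigamove entity ID is made up.
RELEASE_POLICY = {
    "https://bildungsportal.sachsen.de": {
        "givenName", "sn", "mail", "o", "ou", "eduPersonPrincipalName",
        "eduPersonAffiliation", "dfnEduPersonTermsOfStudy",
        "dfnEduPersonFeaturesOfStudy", "dfnEduPersonFieldOfStudyString",
        "schacPersonalUniqueCode", "schacGender",
    },
    "https://campussachsen.tu-dresden.de/": {"persistentId"},
    "https://gigamove.example/shibboleth": {"sn", "givenName", "mail"},
}

# Secret salt held only by the IdP (constructed for this example).
IDP_SALT = b"example-salt-not-for-production"

# Constructed directory entry. The password hash is present only to show that
# the allow-list never lets it through to any service provider.
SAMPLE_USER = {
    "givenName": "Erika", "sn": "Mustermann", "mail": "erika@example.org",
    "o": "HTW Dresden", "ou": "Informatics", "eduPersonAffiliation": "student",
    "eduPersonPrincipalName": "emuster@example.org",
    "dfnEduPersonFieldOfStudyString": "042 (Business Informatics)",
    "schacGender": "2", "userPassword": "{SSHA}constructed-hash",
}


def transient_id() -> str:
    """Random, short-lived, opaque identifier: a fresh value on every login."""
    return "_" + secrets.token_hex(16)


def persistent_id(sp_entity_id: str, local_user_id: str, salt: bytes = IDP_SALT) -> str:
    """Stable for one (user, SP) pair but different per SP, so two SPs cannot
    correlate the same user. Keyed hash over SP entity ID and local user ID;
    the exact scheme is this example's assumption, not Shibboleth's."""
    msg = f"{sp_entity_id}!{local_user_id}".encode()
    return base64.b64encode(hmac.new(salt, msg, hashlib.sha256).digest()).decode()


def attributes_for_sp(sp_entity_id: str, directory_entry: dict, local_user_id: str) -> dict:
    """Attributes shown to the user and released to this SP: only those in the
    SP's policy (allow-list), and nothing at all for an unregistered SP."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    released = {k: v for k, v in directory_entry.items() if k in allowed}
    if "persistentId" in allowed:
        released["persistentId"] = persistent_id(sp_entity_id, local_user_id)
    return released


def build_assertion(sp_entity_id: str, released: dict, user_confirmed: bool):
    """SAML 2.0 Assertion (XML text) with a transient NameID, an audience
    restriction binding it to this SP, and one Attribute per released value.
    Returns None when the user declined. Signature and Response envelope are
    omitted here; a real IdP signs the assertion."""
    if not user_confirmed:
        return None
    tag = lambda name: f"{{{SAML}}}{name}"
    a = ET.Element(tag("Assertion"), {"ID": transient_id(), "Version": "2.0",
                   "IssueInstant": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())})
    ET.SubElement(a, tag("Issuer")).text = IDP_ENTITY_ID
    subject = ET.SubElement(a, tag("Subject"))
    ET.SubElement(subject, tag("NameID"), {"Format": NAMEID_TRANSIENT}).text = transient_id()
    audience = ET.SubElement(ET.SubElement(a, tag("Conditions")), tag("AudienceRestriction"))
    ET.SubElement(audience, tag("Audience")).text = sp_entity_id
    statement = ET.SubElement(a, tag("AttributeStatement"))
    for name, value in sorted(released.items()):
        attr = ET.SubElement(statement, tag("Attribute"), {"Name": name})
        ET.SubElement(attr, tag("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")


def released_names(assertion_xml: str) -> set:
    """Attribute names an SP would find in the assertion (SP-side view)."""
    root = ET.fromstring(assertion_xml)
    return {e.get("Name") for e in root.iter(f"{{{SAML}}}Attribute")}


def audience_of(assertion_xml: str) -> str:
    """SP entity ID the assertion is restricted to; an SP must check this."""
    return ET.fromstring(assertion_xml).find(f".//{{{SAML}}}Audience").text


if __name__ == "__main__":
    sp = "https://gigamove.example/shibboleth"
    shown = attributes_for_sp(sp, SAMPLE_USER, "emuster")
    print("Data to be transmitted:", shown)
    print(build_assertion(sp, shown, user_confirmed=True))
```

Running the script prints the attribute set the user would be asked to confirm for the Gigamove entry and the resulting assertion; for the Office 365 entry the same call yields only a persistentId, and for an SP that is not in the policy it yields nothing. The password hash in the directory entry is never released because the policy is an allow-list, which is the property the page states as "passwords never reach the service providers".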