Shibboleth (DFN-AAI)

Shibboleth (DFN-AAI)

The DFN Association provides an Authentication and Authorisation (AAI) Infrastructure through the DFN-AAI Federation, which not only simplifies but also streamlines existing procedures for controlled access to information and resources. The service is implemented with the software Shibboleth, The DFN-AAI offers students and staff of the HTW with a IT Service Centre login the possibility to authenticate themselves for electronic services without having to request and manage a separate access with the service provider. HTW Dresden has been a member of the DFN-AAI Federation since January 2014 and operates an Identify Provider (IdP) in the Federation.

[Translate to English:] Logo Shibboleth

In order to be able to use the service providers which have been activated for the IdP of the HTW Dresden, the HTW Dresden users need their IT Service Centre login and the associated password. This data will not be transmitted to the service providers. The exchange of data with the IdP is encrypted (HTTPS). The attributes required by the service providers are only transmitted after being verified by the user. The verification is required per service provider and login to the service. All participating institutions are obliged by their contract with the DFN to treat the data transferred to them in accordance with the Data Protection Act.

Various service providers (SP), which have met agreements with the DFN, can be found within the authentication and authorization infrastructure. The participating Identity Providers (IdP)of the DFN-AAI ensure the authentication of users from their local facility. If a user wishes to use a service in the DFN-AAI for the first time, he is first directed to a localisation service (WAYF service - Where Are You From). Here, the user selects his home institution (the HTW Dresden) as an identity provider and is then forwarded to this. Messages about authentication (identity control) and information for authorisation (access authorisation) are sent to the service provider via SAML (Security Assertion Markup Language).

  • Distributed authentication and authorisation: The IT Service Centre login and password can be used both for registration for services of the HTW Dresden and for offers of other institutions or service providers
  • Single-sign-on: With a single login, various services and applications can be used without re-entering the login and password at each individual service.

  • Data protection: The user may preview his personal information to be sent to a service provider and, if necessary, stop the transmission and use of the service.

  • Security: The DFN organises and supervises the technical and contractual requirements of the partners.

Published attributes and data protection

Shibboleth supports users and service providers in terms of data efficiency and identity management. Passwords never reach the service providers and their IT systems. With a number of service providers, an anonymous identification by means of a so-called transientId, is enough to ensure a random, short-lived and non-transparent identifier to the service provider.

The data to be transmitted to a service is first displayed to the user after receiving authorisation from the IT Service Centre of the HTW Dresden.

For final authorisation to the service provider, the user must explicitly agree to the transmission of the data ("confirm" button). Alternatively, the user can refuse to publish the data (close browser window).

[Translate to English:] Anmeldung Shibboleth
[Translate to English:] Shibboleth Digital Card

Shibboleth attributes (* Default permission attribute: These attributes are allowed to be read by all service providers in the DFN-AAI.)

# Description AttributeID Possible values
1 Short-lived identifier transientID*  
2 Authorisation eduPersonEntitlement*
3 Type of affiliation plus domain name eduPersonScopedAffiliation* student@htw-dresden.de, employee@htw-dresden.de, member@htw-dresden.de, affliate@htw-dresden.de
4 Type of affiliation to one's own organisation eduPersonAffiliation student, employee, member, affiliate
5 User ID, which may contain name components eduPersonPrincipalName @htw-dresden.de
6 Last name sn Doe
7 First name givenName John
8 E-mail address mail @htw-dresden.de
9 Organisation name o HTW Dresden
10 Organisational unit, e.g., faculty, central departments Ou Informatics
11 Matriculation Number schacPersonalUniqueCode 99999
12 Semester dfnEduPersonTermsOfStudy 10
13 Study programme dfnEduPersonFieldOfStudyString 042 (Business Informatics)
14 Study Group dfnEduPersonFeaturesOfStudy 09-042-01
15 Date of Birth schacDateOfBirth 19990101 (1.1.1999)
16 Gender schacGender 1 (male), 2 (female)
17 Anonymous, but unique identifier of the user persistentId  

The following service providers are currently admitted via the IdP of the HTW Dresden. The list of attributes transmitted to the respective service provider can be found in the following list.

Linked service providers (* without standard authorization, ** in test mode)

# service website attributes (attributeID)*
1 Opal Online Platform for Academic Teaching https://bildungsportal.sachsen.de givenName, sn, mail, o, ou, eduPersonPrincipalName, eduPersonAffiliation, dfnEduPersonTermsOfStudy, dfnEduPersonFeaturesOfStudy, dfnEduPersonFieldOfStudyString, schacPersonalUniqueCode, schacGender
2 Microsoft Office 365 ProPlus for Students https://campussachsen.tu-dresden.de/ persistentId
3 Springer Link http://link.springer.com
4 VMware Academic Programme
(Access only for members of the Faculty of Informatics / Mathematics!)
VMware Academic Programme Store ou, persistentId
5 Dreamspark Premium**
Free Microsoft Products for Studies
Dreamspark Premium Store ou, persistentId
6 GigaMove**
Share files up to 2GB safely and conveniently with others
Gigamove sn, ​​givenname, mail
7 DFN web conferencing (including conference call)**
(Access only for HTW staff)
DFN web conference sn, ​​givenname, mail
8 QIS portal
Marks Portal for students and lecturers
Marks Portal (HISQIS) qislogin