AAI-protected demo areas
Access to areas of this web site is controlled by AAI, using the Shibboleth software developed by Internet2. This demo resource is part of the AAI Test Federation, which, in contrast to the production SWITCHaai Federation, is part of a test infrastructure.
Some information about the authenticated user is transferred to the resource so that it can decide whether to authorize access for that user and knows with whom it is communicating.
This resource provides the following areas for demonstration purposes:
Scenario | Description | Valid users | Invalid users |
---|---|---|---|
Demo Portal | Shows a very simple portal application, where logged-in users get customized content. | demouser:demo, demostudent:demo | all unauthenticated users |
Any authenticated user (Home Organization choice by Discovery Service) | Any properly authenticated user gets access. | demouser:demo, demostudent:demo | all unauthenticated users |
Any authenticated user | Any properly authenticated user gets access. | demouser:demo, demostudent:demo | all unauthenticated users |
Any student | All users with an affiliation "student" are authorized to access it. | demouser2:demo, demostudent:demo | demouser:demo, demostaff:demo |
Staff from aai-demo-idp.switch.ch | All users with an affiliation "staff" and home organization "aai-demo-idp.switch.ch" are authorized to access it. | demostaff:demo | demostudent:demo |
An explicit user | Only "demouser2" is authorized to access it. | demouser2:demo | all others |
Lazy session | Authentication is optional, but the application can enforce user authentication when it is needed. | all users | - |
Re-authentication enforcement | Application enforces re-authentication of the user at the IdP, even though the IdP session is still valid. | demouser:demo, demo[1..50]:demo | all unauthenticated users |
Passive authentication enforcement | Application enforces passive authentication of the user at the IdP, meaning that no user interaction is allowed on the IdP side. | all authenticated users | all unauthenticated users |
Required level of assurance | Application requires a specific authentication context class. 'Unspecified' authentications are rejected. | demouser:demo PasswordProtected | demouser:demo BasicAuthn |
Artifact resolution | Application uses ArtifactResolution (Backchannel) instead of the default AttributePush. | demouser:demo, demo[1..50]:demo | all unauthenticated users |
Attribute release approval | Application triggers the IdP to use uApprove. For retrying, delete IdP & SP session cookies and use another account. Attribute release approvals already given are dropped after 1m. | demouser:demo, demo[1..50]:demo | all unauthenticated users |
X.509 Authentication | Application requires the X.509 authentication context class. | valid X.509 certificates: demouser.p12 (password=demo); How to use the certificate | invalid X.509 certificates |
X.509 Authentication with discovery service | Application requires the X.509 authentication context class. | X.509 authenticated users | non-X.509 authenticated users |
Changing the Account
Before changing from one user account to another, please quit and relaunch the browser to remove all session cookies.
Information provided by this Service Provider
Status Metadata Session Shibboleth environment Current config Clear