AAI-protected demo areas

Access to areas of the web site is controlled by AAI, using the Shibboleth software developed by Internet2. This demo resource is part of the AAI Test Federation, which, in contrast to the production SWITCHaai Federation, is part of a test infrastructure.

Some information about the authenticated user is transferred to the resource so that it can decide whether to authorize access for that user and know with whom it is communicating.

This resource provides the following areas for demonstration purposes:

| Scenario | Description | Valid users | Invalid users |
|---|---|---|---|
| Demo Portal | Shows a very simple portal application, where logged-in users get customized content. | demouser:demo, demostudent:demo | all unauthenticated users |
| Any authenticated user (Home Organization choice by Discovery Service) | Any properly authenticated user gets access. | demouser:demo, demostudent:demo | all unauthenticated users |
| Any authenticated user | Any properly authenticated user gets access. | demouser:demo, demostudent:demo | all unauthenticated users |
| Any student | All users with an affiliation "student" are authorized to access it. | demouser2:demo, demostudent:demo | demouser:demo, demostaff:demo |
| Staff from aai-demo-idp.switch.ch | All users with an affiliation "staff" and home organization "aai-demo-idp.switch.ch" are authorized to access it. | demostaff:demo | demostudent:demo |
| An explicit user | Only "demouser2" is authorized to access it. | demouser2:demo | all others |
| Lazy session | Authentication is optional, but the application can enforce user authentication when it is needed. | all users | - |
| Re-authentication enforcement | The application enforces re-authentication of the user at the IdP, although the IdP session is still valid. | demouser:demo, demo[1..50]:demo | all unauthenticated users |
| Passive authentication enforcement | The application enforces passive authentication of the user at the IdP, which means disallowing any user interaction on the IdP side. | all authenticated users | all unauthenticated users |
| Required level of assurance | The application requires a specific authentication context class. 'Unspecified' authentications are rejected. | demouser:demo (PasswordProtected) | demouser:demo (BasicAuthn) |
| Artifact resolution | The application uses ArtifactResolution (Backchannel) instead of the default AttributePush. | demouser:demo, demo[1..50]:demo | all unauthenticated users |
| Attribute release approval | The application triggers the IdP to use uApprove. To retry, delete the IdP and SP session cookies and use another account. Existing attribute release approvals are dropped after 1m. | demouser:demo, demo[1..50]:demo | all unauthenticated users |
| X.509 Authentication | The application requires the X.509 authentication context class. | valid X.509 certificates, demouser.p12 (password=demo), How to use the certificate | invalid X.509 certificates |
| X.509 Authentication with discovery service | The application requires the X.509 authentication context class. | X.509 authenticated users | non-X.509 authenticated users |

Changing the Account
Before changing from one user account to another, please quit and relaunch the browser in order to remove all session cookies.

Information provided by this Service Provider

Status | Metadata | Session | Shibboleth environment | Current config | Clear

Live Shibboleth SP daemon log