DFN-AAI

Shibboleth-Identity Provider

DFN AAI Federation
The DFN AAI Federation is an association of the identity providers of the universities and the participating service providers. The federation gives participants standardised access to the authentication infrastructure of the universities. A list of participants is published on the DFN AAI website (»List of participants«).

Transmitted attributes: transientId, affiliation, entitlement
General
The Shibboleth Identity Provider makes it possible to authenticate BUW users to institutions outside and inside BUW without having to transfer sensitive data to these institutions. The user is forwarded from a service provider to the identity provider and can authenticate there. If the authentication is successful, the user is returned to the service provider and the provider is informed that the authentication was successful.

In addition, it is possible to transmit further attributes of the user to the service provider. These transmitted attributes are listed in the following service variants.

Meaning of attributes
Most of the attributes, such as first name, last name and university login are self-explanatory.

  • transientId: A transient ID is used to re-authenticate a session with different service providers. It is created anew each time the session with the identity provider expires after 30 minutes of inactivity.
  • persistentId: A persistent ID is generated for a specific service provider, stored, and transmitted again each time the user authenticates with this service provider. This makes it possible to recognise a returning user without knowing any additional data. This attribute cannot be transmitted together with a transientId.
  • affiliation: The affiliation transmits the group membership at the Bauhaus-Universität Weimar. Each member has the affiliation »member«. Students additionally have the affiliation »student« and employees »employee«. Many service providers use this attribute to decide on access authorisations.
  • entitlement: An entitlement expresses a licence status of the libraries; usually the value »common-lib-terms« is transmitted.

When attributes are assigned
The transmitted attributes are transferred from the identity management system (IDM) to Shibboleth. Source systems are the systems of the Human Resources Department for employees and the Office of Student and Academic Affairs for students. The SCC cannot make changes to this data. These data are supplemented by the university login and the e-mail address. It should be noted that the affiliation and entitlement attributes for staff depend on the contract status. It is therefore possible that a user can still log in with the account while the attribute »employee« is no longer set, because the employment contract has expired.
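The two sections above (the meaning of transientId, persistentId, affiliation and entitlement, and the note that a login can still work after the »employee« attribute has been withdrawn) have one practical consequence for a service provider: access must be decided from the released attribute values, not from the fact that authentication succeeded. The following added example, which is not code of the Bauhaus-Universität Weimar IdP or of the DFN-AAI, shows an SP-side check in Python. The SAML attribute statements are constructed here, and the attribute Names use the friendly names from this page (an assumption for readability; a real assertion carries OID-style Names), and the access rules are invented for the example.

```python
"""SP-side authorisation from Shibboleth attributes (illustrative example).

Authentication proves identity; the attributes carry the role. As the page
notes, an expired contract leaves a working login without »employee«, so every
decision below reads the attribute values and never trusts the login alone.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_ATTRIBUTE = "{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"

# Constructed sample: a student with library entitlement and a persistentId.
STUDENT_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="persistentId">
    <saml:AttributeValue>X7kq0d+EXAMPLE=</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="affiliation">
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>student</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="entitlement">
    <saml:AttributeValue>common-lib-terms</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample for the page's caveat: the login still works, but the
# contract has expired, so »employee« and the library entitlement are gone.
EXPIRED_STAFF_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="transientId">
    <saml:AttributeValue>_b3f1EXAMPLE</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="affiliation">
    <saml:AttributeValue>member</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


@dataclass(frozen=True)
class Subject:
    persistent_id: Optional[str]
    transient_id: Optional[str]
    affiliations: FrozenSet[str]
    entitlements: FrozenSet[str]


def parse_attributes(xml_text: str) -> Subject:
    """Collect the released attributes of one AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(SAML_ATTRIBUTE):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = frozenset(v.text.strip() for v in values if v.text)
    persistent = next(iter(attrs.get("persistentId", ())), None)
    transient = next(iter(attrs.get("transientId", ())), None)
    # The page states the two identifiers are never released together;
    # treat a statement that carries both as malformed rather than guessing.
    if persistent is not None and transient is not None:
        raise ValueError("persistentId and transientId must not both be present")
    return Subject(persistent, transient,
                   attrs.get("affiliation", frozenset()),
                   attrs.get("entitlement", frozenset()))


# Invented access rules: every listed affiliation and entitlement value must be
# present in the released attributes for access to be granted.
RULES = {
    "campus-intranet":   {"affiliation": {"member"},   "entitlement": set()},
    "staff-portal":      {"affiliation": {"employee"}, "entitlement": set()},
    "library-ejournals": {"affiliation": set(),        "entitlement": {"common-lib-terms"}},
}


def authorize(subject: Subject, resource: str) -> bool:
    """Grant access only when the rule's required values are all released."""
    rule = RULES[resource]
    return (rule["affiliation"] <= subject.affiliations
            and rule["entitlement"] <= subject.entitlements)


def returning_user_key(subject: Subject) -> Optional[str]:
    """Key under which the SP may recognise this user on a later login.

    Only the persistentId is stable for this SP. A transientId is replaced
    whenever the IdP session expires (30 minutes of inactivity per the page),
    so it is deliberately never returned as a long-lived identifier.
    """
    return subject.persistent_id


if __name__ == "__main__":
    for label, stmt in (("student", STUDENT_STATEMENT), ("expired staff", EXPIRED_STAFF_STATEMENT)):
        subject = parse_attributes(stmt)
        decisions = {r: authorize(subject, r) for r in RULES}
        print(label, decisions, "remember as:", returning_user_key(subject))
```

Running the script prints one decision line per sample; the expired staff member can still reach the intranet as a »member« but is refused the staff portal and the e-journals, because those attribute values are no longer released even though the login itself succeeded.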