Service Provider (SP)
Authentication
Institutes of Graz University of Technology can (and should) also use this service and thus do not have to set up their own user administration.
Authentication or identification is done centrally via the IDM of ZID and in principle only checks whether username and password are correct.
Authorization
The service provider (SP) decides independently of ZID whether to offer single sign-on or only single sign-in (i.e., the same access data, but with forced re-authentication), how long a login remains valid, and which users or groups (e.g., only employees of the institute) may use the service.
Identification
The data that the service provider (SP) receives from the identity provider (IdP) can also be used to identify the user and thus, for example, to (pre)fill forms with names, email addresses, etc.
However, users are asked (at least the first time, for systems they are not required to use) whether they agree that the SP may receive this data from our IdP.
Besides names and similar data, the user groups (account types) to which the logged-in person belongs are also supplied:
- Staff (BEDIENSTETE:OK)
- Students (STUDENTEN:OK)
- Alumni (ALUMNI:OK)
- Basic Users (BASIS:OK)
- Identified guests (KNOWNGUEST:OK)
- Guests (GUEST:OK)
The SSO solution, together with the IDM (TUGRAZonline and the associated Active Directory) and these authorizations, then forms our AAI.
If you want to offer a service with SSO, please contact us. We need at least a name for your service, the address of your service (we only support https), and the address to log out from your service (for single log-out).
Examples for authorization
Some examples of how authorization can be implemented can be found in the Classification section.
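As an added illustration (not code from ZID or this page) of the SP-side decisions described above, the following Python sketch takes the group values the IdP supplies (BEDIENSTETE:OK, STUDENTEN:OK, etc.), enforces a deny-by-default allow-list chosen by the SP, applies the SP's own login validity period, and prefills a form from the identity data. The "GROUP:STATUS" split, the rule that only ":OK" counts as membership, the attribute names displayName/mail, and the sample data are assumptions of this example.

```python
import time

# Group names are the ones listed on the page; the "GROUP:STATUS" split and
# treating only ":OK" as active membership are assumptions of this example.
KNOWN_GROUPS = {"BEDIENSTETE", "STUDENTEN", "ALUMNI", "BASIS", "KNOWNGUEST", "GUEST"}

def active_groups(group_values):
    """Return the groups whose status is OK; unknown groups and other statuses are ignored."""
    groups = set()
    for value in group_values:
        name, _, status = value.partition(":")
        if name in KNOWN_GROUPS and status == "OK":
            groups.add(name)
    return groups

def is_authorized(group_values, allowed_groups):
    """Deny by default: grant only if the user is in at least one group the SP allows."""
    return bool(active_groups(group_values) & set(allowed_groups))

def session_valid(login_at, now, max_age_seconds):
    """SP-side login validity (epoch seconds); the SP picks max_age_seconds on its own."""
    return 0 <= now - login_at <= max_age_seconds

def prefill_form(attributes):
    """Prefill a form from IdP-supplied data; the attribute names are hypothetical."""
    return {"name": attributes.get("displayName", ""), "email": attributes.get("mail", "")}

def decide(attributes, allowed_groups, login_at, now, max_age_seconds=8 * 3600):
    """The checks an SP runs after receiving the IdP's data, in order."""
    if not session_valid(login_at, now, max_age_seconds):
        return {"granted": False, "reason": "login expired; re-authentication required"}
    if not is_authorized(attributes.get("groups", []), allowed_groups):
        return {"granted": False, "reason": "user not in an allowed group"}
    return {"granted": True, "form": prefill_form(attributes)}

# Constructed sample data, not real accounts.
SAMPLE_STAFF = {"displayName": "Example Person", "mail": "person@example.org",
                "groups": ["BEDIENSTETE:OK", "ALUMNI:OK"]}
SAMPLE_GUEST = {"displayName": "Guest", "mail": "",
                "groups": ["GUEST:OK", "BEDIENSTETE:NO"]}

if __name__ == "__main__":
    now = time.time()
    # A service restricted to institute staff: staff is granted, the guest is refused.
    print(decide(SAMPLE_STAFF, ["BEDIENSTETE"], now - 3600, now))
    print(decide(SAMPLE_GUEST, ["BEDIENSTETE"], now - 3600, now))
```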