General Information
The CLARIN research infrastructure aims to place language resources and services within easy reach of social science and humanities researchers. Making it easier for academic users to get access to password-protected resources is one of CLARIN's important goals. Rather than having to register a new username and password for each individual web application, academic users should be able to login with their existing institutional credentials.
To achieve this, the user stores from universities and academic institutions ('identity providers' or IdPs) are connected to password-protected web applications ('service providers'). This connection is based on mutual trust: the user logs in at the home institution (which checks the validity of the password) and then a signal is sent (via the Security Assertion Markup Language, or SAML protocol) to the protected website that the user is trustworthy.
Shibboleth is the underlying technology that enables users to use the credentials of their home institute in the CLARIN infrastructure. It is based on the SAML, as a Single Sign-On (SSO) system. Shibboleth provides single sign-on for web applications based on national federations, where the universities and research institutions function as IdPs. The CLARIN centres that offer services, fulfilling the role of Service Providers (SPs), have grouped together in a CLARIN federation, which makes it administratively easy for the IdPs to deal with the CLARIN SPs.
Access via the CLARIN Identity Provider
For cases where an academic account does not belong to an identity federation that has ties with the SPF, the CLARIN Identity Provider has been created. It uses the credentials for the Drupal website https://user.clarin.eu/user and thus enables you to login to a service provider with your self-created username and password.
To test this:
- Go to https://catalog.clarin.eu/ds/ComponentRegistry
- Click on login (top right corner)
- Select the 'Clarin.eu website account'.
Does this IdP have the same trust level as official IdPs?
No. The CLARIN IdP relies on the clarin.eu site administrator's judgement who decides about the activation of the Drupal accounts. In general, account requests from academic users (including students) that have a solid motivation are honoured. So if you have an SP that needs a higher degree of trust, do not connect it to the CLARIN IdP. That said, the current setup works well for applications such as the CLARIN component registry.
What are the technical details of IdP?
SAML metadata about the CLARIN IdP can be found at: https://infra.clarin.eu/aai/prod_md_about_clarin_erics_idp.xml. Its entityID is 'https://idm.clarin.eu'. The Drupal user database (email address and password hash) is exported to a Shibboleth IdP.
Attribute Release
All of the attributes as requested by CLARIN SPs:
- eduPersonPrincipalName (= email address with _ instead of @ + @clarin.eu, e.g. john.doe_uu.nl [at] clarin.eu (john[dot]doe_uu[dot]nl[at]clarin[dot]eu))
- cn (common name) (= full name, e.g. 'John Doe')
- mail (= email)
- o (organisationName) (e.g. Utrecht University)
- eduPersonScopedAffiliation which has the fixed value member [at] clarin.eu (member[at]clarin[dot]eu)
- eduPersonEntitlement, which can be:
http://www.clarin.eu/entitlement/academic, meaning: user has academic mail (e.g. mpi.nl)http://www.clarin.eu/entitlement/none, meaning: user does not have academic mail (e.g. gmail.com)
Testing Which Attributes an Identity Provider Releases
To test which attributes are released by an IdP, follow this step-by-step guide.
Connecting your SP to the CLARIN IdP
If you have a CLARIN Service Provider that you would like to connect to the CLARIN IdP, please see the second section of the guide to Creating and Configuring a Shibboleth SP, which contains valuable references to other resources also.
Note that it can take a few hours before the SAML metadata about your SP has been taken in by the CLARIN IdP.