The ELIXIR AAI for service providers

If you are a service provider, you can integrate with the AAI using standard protocols such as SAML 2.0 or OpenID Connect. When a user wants to log in to your service, you redirect them to the AAI for authentication. Once they have authenticated, you receive information about the user (attributes), such as their name, identifier, affiliation, group memberships and authorisations.

The ELIXIR AAI was migrated to Life Science AAI (LS AAI) in April 2022. However, some of the ELIXIR AAI's features are not yet available in LS AAI. To rely on those features, you need to integrate with the Legacy ELIXIR AAI instead. Before registering your service, check whether it needs any of the features in this list.

  1. If your service does not require any functionality from the list, you can integrate with LS AAI. Refer to these instructions.
  2. If your service requires some of the functionality from the list, you probably need to integrate with the Legacy ELIXIR AAI. Please contact us first via email at support@aai.lifescience-ri.eu with a description of your requirement; we will confirm whether you should follow the instructions below.

Instructions for services to be connected to the Legacy ELIXIR AAI

Note: for services to be connected directly to LS AAI, please refer to the LS AAI instructions.

How to integrate your service with the Legacy ELIXIR AAI

  1. First you need an LS ID for yourself. If you do not have one, get one at the LS ID registration page.
  2. Once you have registered, you can register your service via this application.
  3. Log in using your LS ID, then click on the “New service” button or select it in the left-hand menu. You will be asked to choose a protocol and to fill in other information.
  4. The LS AAI administrators will review your registration. You will be notified via email about any changes in your registration.

Training

You can find a complete list of online training and webinars in TESS (ELIXIR's training portal).

Instructions for Services connected to Legacy ELIXIR AAI

Note: the ELIXIR AAI team will contact the services separately on migration to LS AAI. See the ELIXIR migration news for more information.

How to manage your service registration

You can manage your service registration via the ELIXIR SPReg application.

How to ask Legacy ELIXIR AAI to manage access to your services

In general, you can configure the Legacy ELIXIR AAI to manage access to your services by creating user groups in the Life Science AAI, adding users to those groups, and then assigning different groups to different services. The setting "Restrict access to the service based on membership in groups" in SPReg enables this functionality. When access control is enabled for the service, a user accessing it needs:

  • A valid membership in the ELIXIR Virtual Organisation (VO). The VO is the parent group of all other groups in the ELIXIR AAI. When a user successfully registers for an ELIXIR ID they automatically become a member of the VO.
  • A valid membership in at least one of the groups assigned to the resource.

Depending on how the service is configured further, a user who does not meet the criteria above can be redirected to an unauthorised page or to a page of your choice, or offered registration to the configured groups.

See the managing access to services document for more information on the functionality.
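The AAI enforces the group check above on your behalf, but a service should not depend on that setting alone: if it is ever disabled, every authenticated user reaches the service. The following is an added example (not code from the ELIXIR or LS AAI projects) of the same two conditions, VO membership plus membership in an assigned group, applied by the service to the group attributes it receives. The attribute name `eduperson_entitlement` and the URN prefix of the group values are assumptions modelled on the eduPersonEntitlement-style group values the ELIXIR AAI released; the group names and sample claims are constructed.

```python
"""Service-side check of the group memberships released by the AAI.

Added example, not code from the ELIXIR or LS AAI projects. The AAI itself
enforces "Restrict access to the service based on membership in groups";
this repeats the equivalent check on the attributes the service receives,
as defence in depth against that setting being disabled. The attribute
name and the URN layout of the group values are assumptions modelled on
the eduPersonEntitlement-style group values released by the ELIXIR AAI;
group names and the sample claims are constructed.
"""

# Assumed entitlement prefix and VO group path; confirm against your deployment.
GROUP_PREFIX = "urn:geant:elixir-europe.org:group:"
VO_GROUP = "elixir"  # the ELIXIR VO, parent of every other group

SAMPLE_CLAIMS = {  # constructed OIDC claims, not real user data
    "sub": "0123456789abcdef@elixir-europe.org",
    "eduperson_entitlement": [
        "urn:geant:elixir-europe.org:group:elixir#perun.elixir-czech.cz",
        "urn:geant:elixir-europe.org:group:elixir:my_service_users#perun.elixir-czech.cz",
        "urn:mace:dir:entitlement:common-lib-terms",  # unrelated entitlement, ignored
    ],
}


def parse_groups(entitlements):
    """Return the set of group paths encoded in entitlement values.

    A group value looks like '<prefix><group>[:<subgroup>...]#<authority>'.
    Anything that is not a group entitlement (other URNs, malformed or
    non-string values) is skipped rather than treated as a group.
    """
    groups = set()
    for value in entitlements:
        if not isinstance(value, str) or not value.startswith(GROUP_PREFIX):
            continue
        path = value[len(GROUP_PREFIX):].split("#", 1)[0]
        if path:
            groups.add(path)
    return groups


def access_decision(claims, assigned_groups):
    """Apply the two conditions from the text: VO membership plus membership
    in at least one group assigned to the service.

    Returns "allow", "no_vo" (not an ELIXIR VO member) or "no_group"
    (VO member outside every assigned group, i.e. a candidate for the
    group-registration flow).
    """
    entitlements = claims.get("eduperson_entitlement", [])
    if isinstance(entitlements, str):  # some libraries flatten single-valued lists
        entitlements = [entitlements]
    groups = parse_groups(entitlements)
    if VO_GROUP not in groups:
        return "no_vo"
    if not any(group in groups for group in assigned_groups):
        return "no_group"
    return "allow"


if __name__ == "__main__":
    print(access_decision(SAMPLE_CLAIMS, ["elixir:my_service_users"]))
```

The decision is made on the released attribute only; the service never needs to query the AAI's group API, so the check costs nothing per request and keeps working if the SPReg setting is changed behind your back.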

How to set up a separate Acceptable Usage Policy in the Legacy ELIXIR AAI

An Acceptable Usage Policy can be set up by the management and service administration in your organisation. See the detailed instructions or check the slides.

Enforcing authentication via a particular Identity Provider

You can force the users to authenticate with a particular Identity Provider, and bypass the "Choose how to log in" page. See Hinting the IdP to be used in the authentication process.

How to implement Multi-Factor Authentication (MFA)

The Legacy ELIXIR AAI supports so-called "step-up" authentication. Your service can request MFA for a login; the user then performs MFA with their home organisation (if it supports MFA) or with ELIXIR's own MFA service.

ELIXIR MFA currently supports several methods. Users can generate a six-digit code with a smartphone (TOTP) app, use a WebAuthn-capable authenticator (e.g. a Face ID device or a YubiKey), or use one of their pre-generated recovery codes.

As a user, register for MFA; you will first be asked to enroll a TOTP token. After that you can enroll more TOTP tokens and WebAuthn tokens, and generate recovery codes.
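Requesting step-up authentication is only half of the job; the service must also confirm, from the token it gets back, that MFA actually took place. The following is an added example (not code from the ELIXIR or LS AAI projects) of the OpenID Connect form of that exchange: the service puts `acr_values` in the authorization request and then checks the `acr` claim in the ID token. `https://refeds.org/profile/mfa` is the published REFEDS MFA profile identifier; that it is the value your AAI deployment expects is an assumption to confirm in its documentation. The endpoint, client id, redirect URI and sample ID-token claims are placeholders and constructed data.

```python
"""Requesting step-up MFA with OpenID Connect and verifying that it happened.

Added example, not code from the ELIXIR or LS AAI projects. It assumes the
standard OIDC step-up mechanism: the service sends acr_values in the
authorization request and checks the acr claim the IdP puts in the ID
token. REFEDS_MFA is the published REFEDS MFA profile identifier; that it
is the value your AAI deployment expects is an assumption to confirm in
its documentation. Endpoint, client id and redirect URI are placeholders,
and the sample ID-token claims are constructed.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

REFEDS_MFA = "https://refeds.org/profile/mfa"
AUTHZ_ENDPOINT = "https://login.example.org/oidc/authorize"  # placeholder


def build_authz_request(client_id, redirect_uri, require_mfa, state=None, nonce=None):
    """Build the authorization URL; acr_values is added only when MFA is required."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if require_mfa:
        params["acr_values"] = REFEDS_MFA
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def requested_acr(url):
    """Return the acr_values parameter of an authorization URL, or None if absent."""
    return parse_qs(urlsplit(url).query).get("acr_values", [None])[0]


def mfa_satisfied(id_token_claims, expected_nonce):
    """True only if this login actually reached the MFA authentication context.

    acr_values is a request, not a guarantee: an IdP that cannot perform
    MFA may still issue a token with a weaker or missing acr, so the
    service must check the claim instead of assuming. The nonce check ties
    the token to the request that asked for MFA. Signature, issuer,
    audience and expiry are assumed to have been validated already by the
    OIDC library that decoded the token.
    """
    if id_token_claims.get("nonce") != expected_nonce:
        return False
    return id_token_claims.get("acr") == REFEDS_MFA


if __name__ == "__main__":
    url = build_authz_request("my-client", "https://sp.example.org/cb", True, nonce="n-1")
    print(requested_acr(url))
    # constructed ID-token claims: one login that reached MFA, one that did not
    print(mfa_satisfied({"nonce": "n-1", "acr": REFEDS_MFA}, "n-1"))
    print(mfa_satisfied({"nonce": "n-1"}, "n-1"))
```

Treat a missing or different `acr` as "MFA not performed" and fall back to whatever your policy dictates (deny, or re-prompt via ELIXIR's own MFA service), rather than assuming the IdP honoured the request.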

What GA4GH passports and visas are, and how to implement them

The ELIXIR AAI implements the Passport specification of the Global Alliance for Genomics and Health (GA4GH), which describes the syntax and semantics for expressing a user's access rights to registered-access and controlled-access data.

See GA4GH passport support in the Legacy ELIXIR AAI.

Demos

  • Demo on transferring data access permissions from REMS to EGA