eduID/eduGAIN authentication

ARISnet has a built-in connector to the Austrian eduID and the international eduGAIN federations. This means that your users can log in with their institutional login without an additional username and password.

Your application can use OIDC to authenticate users against the federation. With the OIDC login, you will receive the following claims:

  • sub
  • first_name
  • last_name
  • email
  • affiliation
  • schacPersonalUniqueCode

About Email addresses

Email addresses are not unique in the federations! The same person can have the same email address at multiple institutions, and email addresses may be reassigned over time. Do not rely on email addresses as unique identifiers! Instead, use the sub field, which carries a generated unique identifier for the user. This ID is derived from the pairwise ID submitted by the user's home institution and is guaranteed to be unique for that user.

About affiliation

Affiliations take the form of <role>@<institution>. The only standardized role is student; other roles are only recommended. One person may have multiple roles, so this field is a list.

About schacPersonalUniqueCode

This field is only available in eduID and holds the "Matrikelnummer" (student registration number) of the person logging in, if any. Unfortunately, even this ID is not as unique as it should be: in certain edge cases, Matrikelnummern may be combined if a person has erroneously been issued two.
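As an added illustration (not ARISnet's own code), the following Python snippet shows how an application can key its user records on sub alone and treat email, affiliation and schacPersonalUniqueCode as descriptive data that is refreshed on every login. The claim values are constructed, and the handling of affiliation and schacPersonalUniqueCode as either a single string or a list is our assumption.

```python
from dataclasses import dataclass, field

# Constructed example ID token claims, shaped like the claim list above.
# All values are made up; 'sub' stands in for the pairwise-derived identifier.
SAMPLE_CLAIMS = {
    "sub": "c7e1f3a2-example-sub",
    "first_name": "Anna",
    "last_name": "Muster",
    "email": "anna.muster@example-uni.at",
    "affiliation": ["student@example-uni.at", "member@example-uni.at"],
    "schacPersonalUniqueCode": "urn:schac:personalUniqueCode:at:example-uni.at:01234567",
}

@dataclass
class User:
    sub: str                      # the only key treated as stable and unique
    first_name: str = ""
    last_name: str = ""
    email: str = ""               # descriptive only: may change or be reused
    affiliations: list = field(default_factory=list)  # (role, institution) pairs
    personal_unique_codes: list = field(default_factory=list)  # never used as a key

def _as_list(value):
    """Assumption: a claim may arrive as one string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def parse_affiliations(claim):
    """Split '<role>@<institution>' values; malformed entries are skipped."""
    pairs = []
    for item in _as_list(claim):
        role, sep, institution = item.partition("@")
        if sep and role and institution:
            pairs.append((role, institution))
    return pairs

def upsert_user(claims, store):
    """Look up or create the local account by 'sub' only; a changed email
    or affiliation on a later login updates the same account."""
    sub = claims["sub"]
    user = store.get(sub) or User(sub=sub)
    user.first_name = claims.get("first_name", "")
    user.last_name = claims.get("last_name", "")
    user.email = claims.get("email", "")
    user.affiliations = parse_affiliations(claims.get("affiliation"))
    user.personal_unique_codes = _as_list(claims.get("schacPersonalUniqueCode"))
    store[sub] = user
    return user

def is_student(user):
    """Authorisation decision based on the standardized 'student' role."""
    return any(role == "student" for role, _ in user.affiliations)
```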

About privacy

Depending on the needs of your application, you should make sure you only store data as long as you need to. When setting up your project, please let us know for how long we need to keep users in the authentication system.

Custom users and custom attributes

In certain situations, you may wish to add custom attributes to your users, or you may wish to create non-federated users who have passwords. Both are possible. Please let us know what you need and who should be able to manage such users, and we will provide you with the proper access.

Please note that we do not provide full KeyCloak realm admin rights, only limited rights to administer users.

Machine-to-machine authentication

We also offer the ability to use the OIDC Client Credentials Flow for machine-to-machine communication. Please let us know what client IDs you will need.

For security, we recommend using signed requests instead of logging in with the client secret. Please let us know if your application supports this.