ELIXIR AAI documentation

The ELIXIR AAI has been migrated into the LifeScience AAI. This documentation is not maintained. To find the latest documentation, visit the LifeScience AAI webpages.

Welcome to the ELIXIR AAI documentation page. Use the links below to find the information you need.

  • If you are a user who wants to use ELIXIR services or seek information about the ELIXIR ID and ELIXIR AAI user account, visit the User Documentation.
  • For more advanced topics related to user tasks, such as managing groups, permissions, or access rights, refer to the Advanced Tutorial section for Expert users.
  • If you represent a service (relying party), which you want to connect to the ELIXIR AAI, check out the Relying party section.
  • In case you represent an Organization whose accounts can be used to log in to ELIXIR services via the AAI, you can find relevant information here.

You can also visit the ELIXIR AAI navigation site.

General information


ELIXIR AAI is led by Mikael Linden (ELIXIR Finland) and Dominik František Bučík (ELIXIR Czech Republic). You can contact them, or anyone from the AAI team, at aai-contact [at] elixir-europe.org.


What is ELIXIR AAI?


ELIXIR AAI is a service that provides authentication and authorization for other services within ELIXIR. As an end-user, you have a single uniform login mechanism for using the connected services. As a result, you don’t need to have separate credentials for each service.

To log in to an ELIXIR AAI enabled service (e.g. the ELIXIR Intranet), you use your existing account at a third party (your home university, research institute or a commercial service). The account needs to be linked to your ELIXIR ID beforehand, and you can link as many external accounts as you wish. As a result, no matter which linked third-party account you use for login, you will be recognized as the same person at the end service.

How to get an ELIXIR ID

  1. Open the link https://www.elixir-europe.org/register and click on "Register".
  2. Choose your home organization, or if you cannot find it on the list, pick one of the supported commercial services.
  3. Log in with the selected account using your personal credentials.
  4. Fill in the registration form. Review and accept the usage policy and click on "Submit".
  5. You will receive an email with a verification link. Click the link in the email to verify your email address.
  6. You have successfully registered an ELIXIR ID. Now you can start using it for accessing ELIXIR services.

Please note: Your ELIXIR ID will expire 2 years after your last log in.

Log in to the ELIXIR service using your ELIXIR ID.

  1. Visit the website of the service you want to log into. Look for the ELIXIR Login button there. If the service requires a specific registration process and you have not already completed it, look for the ELIXIR Register button and perform the registration.
         
    A list of services integrated into the ELIXIR AAI can be found here.
  2. Once you click the login button, you will be asked to choose one of the accounts linked to your ELIXIR ID (home organization or commercial service).
  3. Log in with your personal credentials.
  4. If you are accessing the service for the first time, you will see a page informing you about the personal data being released to the service. Review it and if you agree with data being sent to the service, accept the transfer.
  5. You are now successfully logged in to the service.
  6. Some services require you to be a member of a particular ELIXIR community or group. To get access to such services, you will see a registration link or a contact to request access.

Policies for end-users

Acceptable Usage Policy
Privacy Policy

Want to know more?

For more information, visit the ELIXIR AAI homepage. You can also find some FAQs below.

  • Q: My home organization is not listed. How can I register for the ELIXIR ID?
  • A: You can check whether your home organization can be added. When you type in the name of the organization and no results pop up, an information box with a button "Cannot find your institution?" will be displayed. Click it and follow the instructions.
    Alternatively, you can register using a commercial account.
     
  • Q: I have multiple external accounts - can I link them all to my ELIXIR ID?
  • A: You can, if your account provider integrates with ELIXIR AAI. Browse to "Linked Identities" in your ELIXIR AAI Profile page, click the green "Add" button in the "Your linked identities" section. You will be taken to an account linking service. Follow the instructions the service will display to you. For detailed instructions and slides with step-by-step description, you can check this link.
     
  • Q: I have registered multiple ELIXIR IDs. Can you merge them?
  • A: Yes, we can. Contact us at aai-contact [at] elixir-europe.org, and we will help you.
     
  • Q: After registering for ELIXIR ID, when I try to log in, I end up on a registration form.
  • A: Unfortunately, some account providers do not release a persistent identifier for their users. As a result, the next time you log in, ELIXIR AAI does not recognize you as a returning user and offers to register a new ELIXIR ID. Try to register with a different institution or commercial service.
     
  • Q: What data does ELIXIR keep about me?
  • A: You can view the details of your ELIXIR ID at the ELIXIR AAI profile page. Find out more about the ELIXIR privacy statement here.
     
  • Q: How can I register and use Multi-Factor Authentication?
  • A: Please follow the instructions in this guideline or watch the demo for ORCID MFA.

Useful links

Services relying on the ELIXIR AAI

Test Pages

Tutorials for Advanced Users

The following documentation is intended for managers of groups in the Perun group management tool of the ELIXIR AAI.

Back to top

What is ELIXIR AAI for a Relying Party

A Relying Party of ELIXIR AAI can integrate with it using standard protocols such as SAML 2.0 or OpenID Connect. The Relying Party redirects the end user to ELIXIR AAI for authentication and receives their attributes, such as name and identifier, affiliation, group memberships and authorisations such as GA4GH Passports.

How to register and integrate a Relying Party to ELIXIR

  1. You need an ELIXIR ID for yourself. If you do not have one, register here: https://www.elixir-europe.org/register/
  2. Then you can proceed to register your client here: https://spreg.aai.elixir-czech.org/spreg/
  3. Log in using your ELIXIR ID, then click on the “New service” button or select it in the left-hand menu. You will be asked to choose a protocol and fill in other information.
  4. The ELIXIR AAI administrators will review your registration. You will be notified via email about any changes in your registration.

Training materials: How to connect a service to ELIXIR AAI and User documentation for the Service Provider Registration Application (SPReg)

For developers: Development Guide for ELIXIR OIDC

The complete list of online trainings and webinars can be found on TESS.

What attributes ELIXIR AAI supports

For details check the documentation ELIXIR AAI provided attributes.

How to set up a separate Acceptable Usage Policy for my service in ELIXIR AAI

An AUP needs to be set up from both sides: by the organization manager and by the service administrator. You can find detailed instructions here or check the slides.

How to manage access to the services

Services can delegate access control to the ELIXIR AAI, where access is managed by assigning groups to the services.

If the owner of a service wants to make it available to ELIXIR users, they have to register the service in the ELIXIR AAI environment; see the section How to register. After successful registration, the service owner can manage the service further via the ELIXIR SPReg application.

The setting Restrict access to the service based on membership in groups limits access to users who are members of the groups assigned to the resource. When this access control functionality is enabled for a service, a user accessing it needs to fulfil all of the following requirements:

  • Has a valid membership in the ELIXIR VO. This implies that the user has got an ELIXIR ID.
  • Has a valid membership in at least one of the groups assigned to the resource.

Guidelines: Refer to document Managing access to the services
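The access rule above, worked through as an added example (this is not ELIXIR AAI's, Perun's or SPReg's own code): a relying party that receives a user's group memberships evaluates both conditions itself. It assumes, for illustration only, that memberships arrive as AARC-G002-style entitlement URNs in the namespace "urn:geant:elixir-europe.org:group:" with the group authority "perun.elixir-czech.cz", that ELIXIR VO membership is represented by membership in a root group named "elixir", and that the sample entitlements are constructed. None of those identifiers are taken from this page.

```python
"""Group-based access decision for a service relying on ELIXIR AAI.

Added example, not ELIXIR AAI's own code. It models the rule described in
the documentation: a user is admitted only if they (1) have a valid
membership in the ELIXIR VO and (2) belong to at least one group assigned
to the service.

Assumptions (not taken from the page): group memberships arrive as
AARC-G002-style entitlement URNs, e.g.
  urn:geant:elixir-europe.org:group:elixir:beacon#perun.elixir-czech.cz
and VO membership is expressed as membership in the VO's root group.
The namespace, authority and group names below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

ENTITLEMENT_PREFIX = "urn:geant:elixir-europe.org:group:"  # assumed namespace
GROUP_AUTHORITY = "perun.elixir-czech.cz"                  # assumed group authority
VO_GROUP = "elixir"                                        # assumed VO root group


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_entitlement(urn: str) -> Optional[str]:
    """Return the group path ("elixir:beacon") encoded in one entitlement URN.

    Returns None for values outside our namespace, without the expected
    "#authority" suffix, or issued by a different group authority: a
    foreign party must not be able to mint memberships in our groups.
    A trailing ":role=<role>" component (AARC-G002) is dropped; the
    membership it implies is kept.
    """
    if not urn.startswith(ENTITLEMENT_PREFIX):
        return None
    body, sep, authority = urn[len(ENTITLEMENT_PREFIX):].partition("#")
    if not sep or authority != GROUP_AUTHORITY or not body:
        return None
    parts = [p for p in body.split(":") if p and not p.startswith("role=")]
    if not parts:
        return None
    return ":".join(parts)


def user_groups(entitlements: Iterable[str]) -> set[str]:
    """Collect the set of group paths a user holds, ignoring unrelated values."""
    groups: set[str] = set()
    for urn in entitlements:
        group = parse_entitlement(urn)
        if group is not None:
            groups.add(group)
    return groups


def authorize(entitlements: Iterable[str], service_groups: Iterable[str]) -> Decision:
    """Apply both conditions from the documentation; fail closed on any doubt."""
    groups = user_groups(entitlements)
    if VO_GROUP not in groups:
        return Decision(False, "no valid ELIXIR VO membership")
    assigned = set(service_groups)
    if not assigned:
        # A service with no groups assigned admits nobody, rather than everybody.
        return Decision(False, "service has no groups assigned")
    # Exact set membership: "elixir:beaconX" must not satisfy "elixir:beacon",
    # so never compare groups with startswith()/prefix logic.
    hits = groups & assigned
    if not hits:
        return Decision(False, "not a member of any group assigned to the service")
    return Decision(True, "member of " + ", ".join(sorted(hits)))


# Constructed sample: what a relying party might receive for one user.
SAMPLE_ENTITLEMENTS = [
    "urn:geant:elixir-europe.org:group:elixir#perun.elixir-czech.cz",
    "urn:geant:elixir-europe.org:group:elixir:beacon#perun.elixir-czech.cz",
    "urn:geant:elixir-europe.org:group:elixir:beacon:role=member#perun.elixir-czech.cz",
    "urn:geant:other-infra.example:group:elixir:beacon#idp.example",  # foreign namespace, ignored
    "urn:mace:dir:entitlement:common-lib-terms",                       # unrelated entitlement, ignored
]

if __name__ == "__main__":
    print(authorize(SAMPLE_ENTITLEMENTS, ["elixir:beacon"]))
    print(authorize(SAMPLE_ENTITLEMENTS, ["elixir:beaconX"]))
    print(authorize(SAMPLE_ENTITLEMENTS[1:], ["elixir:beacon"]))  # no VO group: denied
```

The check on the group authority is the part practitioners most often skip: without it, any identity provider or attribute source that can inject an entitlement string could claim membership in your groups. Whether subgroup membership should imply parent-group access is a policy decision for the service; this example deliberately requires an exact match.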

Hinting the Identity Provider to be used in the Authentication process

This documentation describes how a Relying Party connected to the ELIXIR AAI can enforce the use of a particular Identity Provider for user authentication. From the user experience perspective, Identity Provider discovery is bypassed and the user is passed directly to the hinted IdP.

Guidelines: Refer to the detailed documentation Hinting the IdP to be used in the Authentication process.

How to request MFA

ELIXIR AAI supports so-called step-up authentication. A relying service can request MFA from ELIXIR AAI; after authenticating the user against their home organisation or other authentication provider, ELIXIR AAI asks the user to step up their authentication with ELIXIR MFA. If the user's home organisation has native support for MFA and signals it following standard protocols, step-up authentication is not needed.

ELIXIR MFA is currently implemented using the TOTP standard (Time-based One-Time Password, RFC 6238) and expects the user to have a TOTP token (for instance, a smartphone app with a secret registered to the ELIXIR MFA server). To register a secret, ELIXIR AAI sends the user an SMS code that they need to present to the ELIXIR MFA server. This requires that ELIXIR AAI has the user's trusted cellphone number for SMS delivery.

Guidelines: Refer to the detailed documentation Requesting MFA in SAML and OIDC and its updates.

What are GA4GH Passports and Visas and how to implement them

In October 2019, the Global Alliance for Genomics and Health approved the Passport specification, which describes the syntax and semantics for expressing a user's access rights to registered and controlled access data.

Guidelines: Refer to the document GA4GH passport support in Elixir AAI for detailed information and setting.

Trainings:

Demos: Demo on transferring data access permissions from REMS to EGA

Test pages

Useful links

Services relying on the ELIXIR AAI

Back to top

Home Organization Documentation

Access to ELIXIR services sometimes requires that the user has a confirmed affiliation with a home organisation (e.g. a university, research institution or private company). The preferred way for ELIXIR to learn the affiliation is for the user to log in to ELIXIR AAI with their home organisation credentials (via eduGAIN) and for the home organisation to release to ELIXIR an attribute describing the affiliation (for instance, an assertion that they are a researcher at the university). For technical and other reasons, not all home organisations support this. You can refer to the Letter to encourage IdPs to release attributes to Elixir for details.

As a plan B, ELIXIR AAI supports a model where a designated person in the home organisation is granted the right to manually assign any ELIXIR user a specified affiliation with that organisation. The affiliation is then valid for the next 12 months, after which it needs to be renewed. In practice, the "designated person" is made a manager of a group of users who hold the manually assigned affiliation. The manual assignment of affiliation is done using a graphical UI provided by ELIXIR AAI (the Perun system) and is described in this document.