Tuakiri - Trust and identity

Tuakiri provides trusted and secure federated identity and access management.

Technical information

  • Our federated identity services use the SAML 2.0 standard, providing a browser-based Single Sign On (SSO) solution.

  • We primarily use Shibboleth software for core Tuakiri services and recommend it to our members, but other SAML 2.0 implementations (like SimpleSAMLphp) are welcome and will work with Tuakiri.

  • As an identity provider, you’ll need to run Shibboleth IdP on a standalone Linux system or virtual machine, which is connected to your user directory.

  • More detailed technical information is available on the Tuakiri technical documentation website.

Basic Concepts

An identity federation includes:

  • An Identity Provider (IdP) - a service run by a participating organisation that allows the organisation's users to log into services available in the federation. Typically, the IdP is linked to an Identity Management System (IdMS) run by the organisation, where all user identities are stored.

  • A Service Provider (SP) - a service providing value to end users (a collaborative tool, a library service etc.) that uses the identity federation to authenticate users. The SP sends users to an IdP to authenticate and trusts the SAML response received from the IdP. The SP needs to run software implementing the SAML SP role; this is typically linked directly into the web server serving the "real" application.

  • Discovery Service (DS) - a website where the user selects their home organisation - the Identity Provider to use. A federation may run a Discovery Service centrally as Tuakiri does, but Service Providers may also run their own.

The role of the Identity Federation is to maintain the register of all IdPs and SPs in the federation, and to provide this in a suitable form for the IdPs and SPs to establish trust with each other. This is done via an XML file called the federation metadata.
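As an added example (not Tuakiri's own code), the script below reads SAML 2.0 federation metadata of the kind described above and extracts, for each registered entity, what the other side relies on to establish trust: its entityID, its role, its endpoints and the signing certificate it publishes. The metadata is a constructed sample; the entityIDs, URLs and certificate values are placeholders, and the `insecure_endpoints` check is a hypothetical sanity check, not a Tuakiri registration rule.

```python
# Added example (not Tuakiri's own code): read SAML 2.0 federation metadata, the XML
# register of IdPs and SPs, and extract what each side needs to trust the other.
# The metadata below is constructed; entityIDs, URLs and certificates are placeholders.
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
 <md:EntityDescriptor entityID="https://idp.example.ac.nz/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIB PLACEHOLDER IDP CERT</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.ac.nz/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIB PLACEHOLDER SP CERT</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_federation_metadata(xml_text):
    """Return {entityID: {"roles": [...], "signing_certs": [...], "endpoints": [...]}}."""
    entities = {}
    for ed in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        info = {"roles": [], "signing_certs": [], "endpoints": []}
        for role in ("IDPSSODescriptor", "SPSSODescriptor"):
            for rd in ed.findall("md:" + role, NS):
                info["roles"].append(role)
                for kd in rd.findall("md:KeyDescriptor", NS):
                    # No 'use' attribute means the key serves both signing and encryption.
                    if kd.get("use") in (None, "signing"):
                        for cert in kd.findall(".//ds:X509Certificate", NS):
                            info["signing_certs"].append("".join(cert.text.split()))
                for name in ("SingleSignOnService", "AssertionConsumerService"):
                    for ep in rd.findall("md:" + name, NS):
                        info["endpoints"].append((name, ep.get("Binding"), ep.get("Location")))
        entities[ed.get("entityID")] = info
    return entities

def insecure_endpoints(entities):
    """(entityID, location) pairs whose endpoint is not served over https (hypothetical check)."""
    return [(eid, loc) for eid, i in entities.items()
            for _, _, loc in i["endpoints"] if not loc.lower().startswith("https://")]
```

Real federation metadata is signed by the federation; a consumer should verify that signature before trusting anything parsed out of it, which this example does not do.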

Information on joining as an Identity Provider

To join as an Identity Provider, an organisation must:

  • Be eligible: a member, or an organisation within the R&E community

  • Have a suitable Identity Management System, such as an on-premises directory service or a cloud-based identity management system.

  • The identity management system must be able to authenticate every user the organisation wants to give access to federated services, and to provide basic information about those users, their roles, and any other privileges that the Identity Provider should pass on to Service Providers.

  • Install the Identity Provider software: This is typically done on a standalone VM, with modest requirements (2GB RAM, 20GB disk). We recommend Linux distributions with long term support (RHEL, CentOS, or Ubuntu LTS).

Technical details are provided on the Tuakiri technical documentation website.
For help with the set-up process or more information, email engagement@reannz.co.nz

Information for Service Providers

For Service Providers (website operators), the benefits of using Tuakiri to authenticate users are:

  • Getting trusted identity credentials directly from our member organisations.

  • Reducing user support requirements — identity details are managed by the user’s organisation, so no more password resets for you!

  • Providing your service to all of our member organisations, but only needing to enable it once.

  • You decide who can access your service, and Tuakiri provides the authentication to allow access.

To get connected:

  • Apply to REANNZ to become a service provider for the Tuakiri federation.

  • Complete the technical set-up to enable access to your service.

  • Register your service provider into the federation.

  • Our member organisations will provide you with the identity information you need to provide access to their users (if you need access control).

  • You maintain your service and add access to new member organisations as required.

  • There is no cost to provide your service or resource to REANNZ members.

For more information

For a full list of the services available check out the Tuakiri Service Catalogue.

How to become a member of the Tuakiri federation and who currently uses this service.

Documents - Rules for participants, Metadata registration practice statement, Connect to eduGAIN form.
