Tuakiri - Trust and identity

Tuakiri provides trusted and secure federated identity and access management.

Technical information

  • Our federated identity services use the SAML 2.0 standard, providing a browser-based Single Sign On (SSO) solution.

  • We primarily use Shibboleth software for core Tuakiri services and recommend it to our members, but other SAML 2.0 implementations (like SimpleSAMLphp) are welcome and will work with Tuakiri.

  • As an identity provider, you’ll need to run Shibboleth IdP on a standalone Linux system or virtual machine, which is connected to your user directory.

  • More detailed technical information is available on the Tuakiri technical documentation website. 

Basic Concepts

An identity federation includes:

  • An Identity Provider (IdP) - a service run by a participating organisation that allows the organisation's users to log into services available in the federation. Typically, the IdP is linked to an Identity Management System (IdMS) run by the organisation, where all user identities are stored.

  • A Service Provider (SP) - a service providing value to end users (a collaborative tool, a library service etc.) that uses the identity federation to authenticate users. The SP sends users to an IdP to authenticate and trusts the SAML response received from the IdP. The SP needs to run software implementing the SAML SP role; this is typically linked directly into the web server serving the "real" application.

  • Discovery Service (DS) - a website where the user selects their home organisation - the Identity Provider to use. A federation may run a Discovery Service centrally as Tuakiri does, but Service Providers may also run their own.

The role of the Identity Federation is to maintain the register of all IdPs and SPs in the federation, and provide this in a suitable form for the IdPs and SPs to establish trust with each other. This is done via an XML file called the federation metadata.
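Because the federation metadata is what lets an SP decide which IdPs to trust (and vice versa), a practitioner usually wants to inspect what a metadata aggregate actually registers before loading it. The Python script below is an added example, not Tuakiri's own code or tooling: it parses a constructed SAML 2.0 metadata aggregate (the entityIDs, endpoints and certificate value are hypothetical placeholders), lists each entity's role, and flags two common hygiene problems, an IdP with no signing certificate and an endpoint that is not served over https. It also checks the aggregate's validUntil, so a stale copy of the metadata is noticed rather than silently trusted.

```python
"""Summarise a SAML 2.0 federation metadata aggregate.

Added example (not Tuakiri's code). The XML below is constructed for
illustration: the entityIDs, endpoints and certificate are placeholders.
"""
from datetime import datetime, timezone
# For metadata from untrusted sources, prefer defusedxml.ElementTree;
# the stdlib parser is used here so the example runs without extra packages.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample aggregate: one IdP (with a signing key) and one SP
# whose AssertionConsumerService is mistakenly published over plain http.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.ac.nz/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIB...placeholder-not-a-real-cert...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.ac.nz/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_federation_metadata(xml_text, now=None):
    """Return {'validUntil', 'expired', 'entities': [{entityID, roles, problems}]}.

    `now` (a timezone-aware datetime) defaults to the current UTC time and is
    a parameter so the expiry check can be exercised deterministically.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)

    # validUntil on the aggregate: consumers must not trust it past this point.
    valid_until = root.get("validUntil")
    expired = False
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        expired = expires <= now

    entities = []
    for ed in root.iterfind("md:EntityDescriptor", NS):
        roles, problems = [], []
        for role_tag in ("IDPSSODescriptor", "SPSSODescriptor"):
            role = ed.find(f"md:{role_tag}", NS)
            if role is None:
                continue
            roles.append(role_tag)

            # An IdP needs a signing certificate in metadata, otherwise SPs
            # have nothing to verify its assertion signatures against.
            # A KeyDescriptor with no `use` attribute is valid for both uses.
            signing_keys = [
                k for k in role.iterfind("md:KeyDescriptor", NS)
                if k.get("use") in (None, "signing")
            ]
            has_cert = any(
                k.find(".//ds:X509Certificate", NS) is not None for k in signing_keys
            )
            if role_tag == "IDPSSODescriptor" and not has_cert:
                problems.append("no signing certificate")

            # Every endpoint (SSO, ACS, SLO, ...) carries a Location attribute;
            # SAML messages should only travel to https endpoints.
            for element in role.iter():
                location = element.get("Location")
                if location and not location.startswith("https://"):
                    problems.append(f"non-https endpoint: {location}")

        entities.append({"entityID": ed.get("entityID"),
                         "roles": roles, "problems": problems})

    return {"validUntil": valid_until, "expired": expired, "entities": entities}


if __name__ == "__main__":
    summary = parse_federation_metadata(SAMPLE_METADATA)
    print("validUntil:", summary["validUntil"], "expired:", summary["expired"])
    for entity in summary["entities"]:
        print(entity["entityID"], entity["roles"], entity["problems"] or "ok")
```

This script deliberately does not verify the XML signature over the aggregate; in a real deployment that step is essential, and Shibboleth performs it with its metadata filters using the federation's published signing certificate, so the checks above are a complement to signature verification, not a substitute for it.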

Information on joining as an Identity Provider

To join as an Identity Provider, an organisation must:

  • Be eligible: a member, or an organisation within the R&E community

  • Have a suitable Identity Management System like an on-prem Directory Service or a cloud-based identity management system.

  • The Identity Management System must be able to authenticate all users the organisation wants to have access to federated services, and must provide basic information about those users, their roles, and any other privileges that the Identity Provider should pass on to Service Providers.

  • Install the Identity Provider software: This is typically done on a standalone VM, with modest requirements (2GB RAM, 20GB disk). We recommend Linux distributions with long term support (RHEL, CentOS, or Ubuntu LTS).

Technical details are provided on the Tuakiri technical documentation website. 
For help with the set-up process or more information, email engagement@reannz.co.nz

Information for Service Providers

For Service Providers (website operators), the benefits of using Tuakiri to authenticate users are:

  • Getting trusted identity credentials directly from our member organisations.

  • Reducing user support requirements — identity details are managed by the user’s organisation, so no more password resets for you!

  • Providing your service to all of our member organisations, but only needing to enable it once.

  • You decide who can access your service, and Tuakiri provides the authentication to allow access.

To get connected:

  • Apply to REANNZ to become a service provider for the Tuakiri federation.

  • Complete the technical set-up to enable access to your service.

  • Register your service provider into the federation.

  • Our member organisations will provide you with the identity information you need to provide access to their users (if you need access control).

  • You maintain your service and add access to new member organisations as required.

  • There is no cost to provide your service or resource to REANNZ members.

Tuakiri Hosted IdP

Simplified access to Tuakiri through a scalable solution

Tuakiri allows an end-user to consume services, access resources, and otherwise collaborate within New Zealand while using their home institution’s identity. However, a barrier to joining Tuakiri for some organisations has been the requirement to run an Identity Provider (IdP) server. Tuakiri Hosted IdP is a scalable solution that simplifies joining Tuakiri by removing this barrier.

Tuakiri Hosted IdP is the option to have REANNZ host the Tuakiri IdP on behalf of the member. The Hosted IdP instance connects to an Identity Management System run by the member, offering flexibility through multiple options including cloud identity stores like Google Apps/GSuite or Office 365/Azure AD.

How does it work?

  • Users logging into a Tuakiri service first select their institution from the list of Tuakiri members. For institutions using the Tuakiri Hosted IdP, the user is then redirected to that institution's Tuakiri Hosted IdP instance.

  • The Tuakiri Hosted IdP would in turn redirect the users to their cloud-based Identity Management System to authenticate.

  • After authenticating, the user would be redirected back to the Tuakiri Hosted IdP, and from there back to the service the user was logging into.

Why Tuakiri Hosted IdP?

This scalable service is designed to make setting up or supporting Tuakiri easier for members, enabling their organisations to access the resources that are available through Tuakiri.

Using the Tuakiri Hosted IdP service also simplifies access to eduGAIN, the global federation of services, research collaborations and tools. The platform meets all the technical requirements, providing easy access to thousands more resources that are designed to support the research and education community.

If you would like to know more about Tuakiri Hosted IdP as a deployment option, get in touch at tuakiri@reannz.co.nz.

For more information

For a full list of the services available check out the Tuakiri Service Catalogue.

How to become a member of the Tuakiri federation and who currently uses this service.

Documents - Rules for participants, Metadata registration practice statement, Connect to eduGAIN form.
