Rapid Connect Integration

Attribute Based Authorisation

Specific claims within the ID token can be utilised to make authorisation decisions within an application.

Below is an example of a decoded JWS for the user “John Doe” sent by Rapid Connect.

{
  "iat": 1516239022,
  "nbf": 1516239022,
  "exp": 1516242622,
  "jti": "f7e8b1b46b4b4b7d8f0f2b7f1b1b4b7d",
  "typ": "authnresponse",
  "https://aaf.edu.au/attributes": {
    "cn": "John Doe",
    "displayname": "John Doe",
    "surname": "Doe",
    "givenname": "John",
    "mail": "john.doe@someuni.edu.au",
    "organizationname": "Some University",
    "edupersonorcid": "0000-0000-0000-0000",
    "edupersonscopedaffiliation": "affiliate@hsww.wiz.edu.au",
    "edupersonprincipalname": "jdoe@hsww.wiz.edu.au",
    "edupersontargetedid": "https://someuni.edu.au!https://someuni.edu.au/some_connections/1!7bVg9m6p/JI3i/JZ76YCZ7k6pQJ="
  },
  "iss": "https://someuni.edu.au",
  "aud": "https://someuni.edu.au/some_connections/1",
  "sub": "https://someuni.edu.au!https://someuni.edu.au/some_connections/1!7bVg9m6p/JI3i/JZ76YCZ7k6pQJ="
}


For a live example of attribute release for your institution, sign in to the AAF Rapid Connector App.


Attributes that can be utilised for authorisation are contained within the claim object https://aaf.edu.au/attributes of the JWS and include:

Attribute Name / Notes on Usage

eduPersonScopedAffiliation
  • Used to authorise users based on their affiliation/s in their home organisation.
  • Should be used when the Service Provider does not need confirmation of the security domain of the user.

mail
  • Should only be used when a Service Provider needs to communicate with the end user.
  • This may apply when an applicant needs to be informed whether their access to a research database has been granted or denied.

commonName
  • Should only be used if a user's common name is necessary for a wiki or other collaboration platform.

displayName
  • Should only be used if a user's preferred name is necessary for a wiki or other collaboration platform.

The claim organizationname should not be used for authorisation decisions.
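The following is an added example (not AAF's code, and not part of this page) showing how a Service Provider might validate the token above and then make an authorisation decision from eduPersonScopedAffiliation alone. It assumes the JWS is signed with HS256 using a shared secret (the secret, issuer and audience values here are constructed), that a multi-valued affiliation may arrive as a ';'-separated string or a list, and it deliberately never consults organizationname. Only the Python standard library is used.

```python
"""Verify a Rapid Connect-style JWS and authorise on eduPersonScopedAffiliation.
Added example; HS256 shared-secret signing and the ';' separator are assumptions."""
import base64
import hashlib
import hmac
import json
import time

ATTRS_CLAIM = "https://aaf.edu.au/attributes"
SAMPLE_SECRET = b"constructed-shared-secret-for-this-example"   # constructed
SAMPLE_ISS = "https://someuni.edu.au"
SAMPLE_AUD = "https://someuni.edu.au/some_connections/1"


def _b64url_decode(data):
    # JWS uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(claims, secret):
    """Build a compact HS256 JWS; used here only to construct test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jws(token, secret, expected_iss, expected_aud, now=None, leeway=30):
    """Return the claims only if alg, signature, iss, aud, nbf and exp all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never be allowed to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token not intended for this service")
    if now + leeway < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    if now - leeway >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def scoped_affiliations(claims):
    """Split eduPersonScopedAffiliation into (affiliation, scope) pairs."""
    raw = claims.get(ATTRS_CLAIM, {}).get("edupersonscopedaffiliation", "")
    values = raw if isinstance(raw, list) else raw.split(";")   # ';' is an assumption
    pairs = []
    for value in values:
        value = value.strip()
        if "@" not in value:
            continue   # no scope part: malformed, so it grants nothing
        affiliation, scope = value.rsplit("@", 1)
        pairs.append((affiliation.lower(), scope.lower()))
    return pairs


def authorise(claims, allowed_affiliations, allowed_scopes=None):
    """Grant only on affiliation (and optionally its scope); organizationname is ignored."""
    for affiliation, scope in scoped_affiliations(claims):
        if affiliation in allowed_affiliations and (
                allowed_scopes is None or scope in allowed_scopes):
            return True
    return False


def sample_claims(now):
    """Claims modelled on the decoded token shown above (constructed)."""
    return {
        "iat": now, "nbf": now, "exp": now + 3600, "typ": "authnresponse",
        "jti": "f7e8b1b46b4b4b7d8f0f2b7f1b1b4b7d",
        ATTRS_CLAIM: {
            "cn": "John Doe", "mail": "john.doe@someuni.edu.au",
            "organizationname": "Some University",
            "edupersonscopedaffiliation": "affiliate@hsww.wiz.edu.au",
            "edupersonprincipalname": "jdoe@hsww.wiz.edu.au",
        },
        "iss": SAMPLE_ISS, "aud": SAMPLE_AUD,
    }


def decide(token, now, allowed_affiliations):
    claims = verify_jws(token, SAMPLE_SECRET, SAMPLE_ISS, SAMPLE_AUD, now=now)
    return authorise(claims, allowed_affiliations)


if __name__ == "__main__":
    now = int(time.time())
    token = sign_hs256(sample_claims(now), SAMPLE_SECRET)
    print("affiliate allowed:", decide(token, now, {"affiliate"}))       # True
    print("staff/faculty only:", decide(token, now, {"staff", "faculty"}))  # False
```

A production implementation would also record each jti until its exp passes and reject a repeat, so that a captured token cannot be replayed within its validity window; the decision logic itself stays the same.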
