The Perun AAI

User administration and controlling access to services.

Standard ServicesStandard Services
Perun
More information

Basic features

Research communities composed of individuals from multiple organizations often face challenges in managing access to shared services. Access control within users' home organizations is impractical because these systems do not account for users from other institutions. Managing access directly on services requires defining user groups across multiple locations, which complicates consistency and maintenance.

The European initiative AARC (Authentication and Authorisation for Research and Collaboration) addressed this issue through the AARC Blueprint Architecture. The Perun Authentication and Authorization Infrastructure, developed jointly by CESNET and Masaryk University, implements this architecture and is employed in various national and international research e-infrastructures.

The AAI connects with academic identity federations through the international eduGAIN network, allowing management of users from academic organizations outside the Czech Republic.

For organizations, the AAI simplifies managing access to their services, even for users from other organizations.

For individuals, it means one account can grant access to many services and keep the identity consistent across different institutions, e.g. for moving from a university to a research institute.

Key features of the Perun AAI include:

  • Managing user logins
  • Authenticating users' identities with their home organizations
  • Combining logins across multiple home organizations into a single account
  • Managing users and user groups through virtual organization management with rules for membership creation and termination
  • Controlling access to services for administrators
  • Data provisioning via standard OIDC, SAML2, LDAP, VOOT, SCIM protocols, and custom push mechanisms
  • Synchronization with external Identity Management systems

The Perun AAI facilitates seamless identity management across multiple organizations, allowing users to maintain a single account and easily transition between institutions while accessing a broad range of services.

  • Single sign-in access to services through a single user account
  • Enables managing users independently without having to contact the administrator of the e-infrastructure

The service is available for free to the CESNET Association members and organizations connected to the CESNET e-infrastructure.

Didn't find what you were looking for?