CESNET's External Identity Provider

This is a so-called External Identity Provider, which provides a bridge from OAuth and OpenID authentication to SAML (Security Assertion Markup Language) identity federations. It currently supports the following authentication methods:

Metadata are available at https://extidp.cesnet.cz/idp/shibboleth. Warning: the server uses SSL SNI, so to access the metadata you need wget version 1.14+ or Java 7+.

Attributes

This provider provides the following attributes:

Selecting authentication method

You may want to select only one of the provided authentication methods. In that case, specify the required authentication method in the SAML authentication request. The methods are marked by the following URIs:

If you use the Shibboleth Service Provider, you can do it in one of two ways. You can specify the method in the SessionInitiator tag in the /etc/shibboleth/shibboleth2.xml file like this (see NativeSPSessionInitiator#NativeSPSessionInitiator-Attributes):

 <SessionInitiator id="extSI" Location="/WAYF/ext" type="SAML2" relayState="cookie" 
         template="bindingTemplate.html" acsIndex="1" entityID="https://extidp.cesnet.cz/idp/shibboleth"
         authnContextClassRef="urn:cesnet:extidp:authn:google"
 />

or you can set it using the URL parameter authnContextClassRef in the URL that starts the lazy Shibboleth session:

   Log in using Google
   Log in using Facebook
   Log in using LinkedIn
   Log in using OrcID
   Log in using GitHub
   Log in using any method
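
The following is an added example, not code from this page or from CESNET. It builds a lazy-session login link that carries authnContextClassRef, and checks on the application side which method was actually asserted, because the URL parameter can be edited by the user. The SP host name sp.example.org, the handler path /Shibboleth.sso/Login and the Shib-AuthnContext-Class variable are assumptions about the Service Provider's setup; only the entityID and the Google URI come from the text above.

```python
from urllib.parse import urlencode, urlsplit

# Assumptions (not from the page): the SP host name, the default handler path
# /Shibboleth.sso/Login, and that the SP exports the authentication context
# class to the application as Shib-AuthnContext-Class.
SP_BASE = "https://sp.example.org"                    # placeholder SP
LOGIN_HANDLER = "/Shibboleth.sso/Login"               # assumed handler path
EXTIDP = "https://extidp.cesnet.cz/idp/shibboleth"    # entityID from the page
GOOGLE = "urn:cesnet:extidp:authn:google"             # method URI from the page


def login_url(return_path, method=None):
    """Build a link that starts a lazy session, optionally pinning a method."""
    # Accept only paths local to the SP, so the link cannot be used as an
    # open redirect through the target parameter.
    parts = urlsplit(return_path)
    if parts.scheme or parts.netloc or not return_path.startswith("/"):
        raise ValueError("return path must be local to the SP")
    params = {"entityID": EXTIDP, "target": SP_BASE + return_path}
    if method is not None:
        params["authnContextClassRef"] = method
    # urlencode percent-encodes the ':' and '/' characters of the URIs.
    return SP_BASE + LOGIN_HANDLER + "?" + urlencode(params)


def method_satisfied(environ, required):
    """Compare the method reported by the SP with the one the page requires.

    The query parameter in the login link is under the user's control, so a
    resource that needs one specific method checks the established session
    instead of trusting the link that started it.
    """
    return environ.get("Shib-AuthnContext-Class", "") == required


if __name__ == "__main__":
    print(login_url("/app/home", GOOGLE))
    # Constructed sample environment, as an application behind the SP might see it.
    print(method_satisfied({"Shib-AuthnContext-Class": GOOGLE}, GOOGLE))
```

Calling login_url without a method produces the "any method" form of the link; method_satisfied then lets the application decide per resource whether the asserted method is acceptable.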

Administrator: Martin Kuba makub@cesnet.cz