+
+
+
+
+
+
+ 
+
+
+
+
+
+
+
+
+ 
+
+ The B2ACCESS service is a Identity and Authorisation Management (IAM) system which arbitrates authenticated + access to registered services in the context of the EUDAT Collaborative Data Infrastructure (CDI). The role + of the B2ACCESS service is to allow these services to make authentication and the authorisation decisions, + and to perform any other processing required, when the end user accesses these services. When connecting to + a CDI service that requires a login (eventually with further attributes) the access request is redirected to + the B2ACCESS instance ( https://b2access.eudat.eu:8443/home/home) and the user can effectively login by + using his/her primary credential (such as username and password).
+EUDAT identifiers provided by the B2ACCESS service are persistently bound to the user's primary identity. + Primary identities can be provided by external identity providers, e.g. shibboleth IdPs of the users' home + organisations or OpenID providers such as the Google IdP, or they can be provided by the B2ACCESS service + itself, if the users registered genuinely on this service. B2ACCESS may use and store the Attributes + provided by the IdP. The B2ACCESS Service Provider makes sure that the end user’s attributes are only + forwarded to lower-level Service Providers which the end user wants to access. Service Providers must have + declared to the B2ACCESS SP that they comply with the GEANT Data Protection Code of Conduct. This implies + that these lower-level Service Providers will only use personal information that is relevant to provide + their service.
+B2ACCESS is the EUDAT Authentication, Authorization and Identity service. When B2ACCESS is integrated with a + given service, you can sign into the service by using EUDAT identity or another identity you have gotten + from en external identity providers - universities, social media.
+B2ACCESS uses secure communications (like you would see in e-commerce except it is not rated to handle + financial data). B2ACCESS has also gone through a security assessment. And don't forget that B2ACCESS - with + the exception of identities managed by B2ACCESS itself - never sees your password!
+If B2ACCESS is your primary identity provider then press "Forgotten Password?" link between + password field and authenticate button. You have to enter your username. Thereafter a reset code will be + sent to your registered e-mail address. If you enter the reset code you are able to set a new password.
+If you are using an external identity provider, B2ACCESS cannot help you with a forgotten password: you will + need to use the helpdesk of your identity provider or password reset mechanism.
+If B2ACCESS is your identity provider, then your username is the name you typed into the registration form. + Names can have spaces in them, for example "Joe Bloggs".
+If your are using an identity from an external identity provider, then please contact their helpdesk.
+In this case your identity provider doesn't support identity exchange with B2ACCESS. Please contact their + helpdesk and ask for enabling B2ACCESS as service provider. B2ACCESS needs mail and EPPN attributes from + your identity provider.
+This message is a general error message. A more detailed message is printed on screen behind this error + message. Please close it and have a look on details.
+This error occurs if something in the response is not signed. In most cases assertion elements within
+ response messages are not signed. The assertion elements must be signed in SAML2int profile. This profile is the only
+ allowed profile within eduGain SSO.
+ B2ACCESS follows these requirements and only accepts responses from identity providers with signed assertion
+ elements. Please contact your identity provider's helpdesk and ask for singing the assertion elements in
+ SAML response.
Additional information for IT-staff:
This error occurs often after Shibboleth
+ update. A working configuration is:
+
+ 
+
+<bean parent="RelyingPartyByName" c:relyingPartyIds="https://b2access.eudat.eu:8443/unitygw/saml-sp-metadata">
+ <property name="profileConfigurations">
+ <list>
+ <bean parent="SAML2.SSO" p:encryptAssertions="true" p:signResponses="true" p:signAssertions="true"
+ p:encryptionOptional="false" p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'}}"/>
+ </list>
+ </property>
+</bean>
+In most cases the external identity provider doesn't release all attributes needed by B2ACCESS. B2ACCESS + consumes mail and EPPN attributes. Please contact your identity providers helpdesk and ask for releasing + this attributes to B2ACCESS. If this error still occurs although these attributes are release, please contact us. We will try to + find a solution for your problem.
+Account association is not supported. Your different accounts may have different attribute values which will + clash. To avoid problems using the EUDAT services, we decided not to support the account association.
+Please use a valid certificate instead of your Apple ID. If you don't have a valid certificate, press + "Deny" if you get asked about access to your Apple ID in keychain. B2ACCESS will be loaded after + it.
+Please contact our helpdesk: + you will get an answer very soon!
+Get in contact with us: we + will provide a great support!
+ Version 1.6 + 2020-04-02 +