Documentation – EGI Check-in

Users: Sign up for an EGI Account

Mon, 01 Jan 0001 00:00:00 +0000

Before accessing EGI services, you’ll first need an account through EGI Check-in, which is the Identity and Access Management (IAM) system used by EGI. An Identity Manager (or IAM system) is a secure layer that handles who you are, how you log in, and what you’re allowed to access across all participating platforms and services.

Instead of creating a new username and password for every service, EGI Check-in allows you to log in using an existing identity you already trust — like your institutional account, ORCID, Google, or even an X.509 certificate. It does this by acting as a central gateway that connects your trusted login with the services and resources you need across the European research ecosystem.

This approach offers major benefits:

You don’t need to remember another password.
You can access multiple services with a single, consistent profile.
Your permissions and roles are automatically applied based on your identity.
If you later switch institutions or accounts, you can still retain your access (especially if you link identities, which will be discussed later on).

Signing up is simple. You don’t create a new account from scratch — instead, you sign in once using an identity provider (IdP) you already have, and EGI Check-in creates a secure profile for you.

Go to https://aai.egi.eu/signup
Choose your identity provider: You’ll see a list of login options — such as “University of X,” “ORCID,” “Google,” and many others. You can use the search bar to find your institution or provider.
Enter your login credentials to authenticate yourself with your Home Organisation
After successful authentication, you may be prompted by your Home Organisation to consent to the release of personal information to the EGI AAI Service Provider Proxy.
After successful authentication, you will be redirected to the EGI account registration form. On the introductory page, click Sign up to start the registration process.
Note
EGI requires some basic information from you, depending on the attributes released by your Identity Provider, you may need to provide the values of the missing attributes.
On the registration form, click Review Terms and Conditions (Acceptable Use Policy and Conditions of Use - EGI AUP)
If you agree to the Terms of Use, select the I Agree option.
Finally, click Submit to submit your request.

Very Important
You wont be able to submit your request until you agree to the terms.

You will receive an email to confirm your new identity linked to EGI Check-in. Confirm your identity to continue:

Important

- You do not need a new password for EGI Check-in — it always uses your existing
account's login system.
- If you don’t see your institution in the list, check whether they are part of
the eduGAIN federation, or consider using ORCID or another supported identity.
- If you plan to use certificates, make sure they are installed in your browser
before logging in.

Viewing user profile information

The profile includes all the information related to the user. This information can be categorised as follows:

Basic profile

Includes the basic information about your profile:

Name
Identifiers
Email addresses

VO/Group membership and roles

Includes information about the Virtual Organisations (VOs) and groups the user is member of and the roles assigned to the user within those VOs. Check the guide about VOs for more details.

Linked identities

Information about linked identities to your account. Check the guide for linking accounts for more information.

Next steps

Once your Check-in account is ready you can check how to link it with different identities or how to join an existing Virtual Organisation (VO).

Users: Linking Identities

Mon, 01 Jan 0001 00:00:00 +0000

What does identity linking mean?

Linking identities allows you to associate multiple login methods — such as your university account, ORCID, a Google account, or a certificate — with a single EGI Check-in account. This means that no matter which identity you use to log in, you will access the same EGI profile, with the same permissions, group memberships, and project access.

What Happens When Your Identities Are Linked?

You can log in with any linked identity and always reach the same services and projects.
You only need to manage one identity no matter how many login options you have.
If one identity becomes unavailable (e.g., your university account expires), you can still access your work using another linked identity.
You have a more consistent and secure experience across platforms.

Warning

Important: While your EGI profile remains the same, access to specific services may depend on the identity assurance level of the login option used. Some services require identities with higher levels of assurance (e.g., issued by academic institutions). If you log in with an identity that does not meet these requirements, access to those services may be restricted.

What Happens If You Don’t Link Them?

Each login creates a separate EGI account, treated as a different person.
You may not have access to the projects, roles, or services you used under your other login.
Services and collaborators won’t recognize you if you log in a different way.
If one identity is lost, you might lose access completely or need support to recover it.

Step by step guide

Enter the following URL in a browser: https://aai.egi.eu/auth/realms/id/account/#/security/linked-accounts
Click Login and authenticate using any of the login credentials already linked to your EGI account
You will see the EGI Check-in profile management. Select “Linked Identities” under the Account security section.
Under the “Account security” section of your profile page, expand Linked identities menu.
Search for your desired identity. In case you cannot see it at first glance, you can use the search box.
Click on the “Link account” blue link on the right side of the identity to link it.
You will be taken into the identity login page. Proceed with the login, it will take you back directly to the EGI Check-in site once done.
Once done, your new login will be listed under “Linked accounts”.

Warning
You will need to sign in using the login credentials from the institutional/social identity provider you want to link to your account.
After successful authentication, the new Identity Provider will be available under the Organizational Identities tab and you’ll be able to access EGI resources with your existing personal EGI ID using the login credentials of the identity provider you selected.

Linking your certificate to your EGI Account

Certificate linking allows you to add the subject DN of your certificate to your existing personal EGI ID. For this you need to import your certificate to your browser.

To link a subject DN to your EGI account:

Make sure your certificate is already imported in your browser.
Follow the same steps as above: go to “Account Security” and click on “Linked identities”.
You will need to link the IGTF Certificate Proxy service. Find it and click “Link Account”.

Warning
It is very important to escape the identity provider selection, cached in the discovery page, before picking the new one.
Then select the certificate you want to link to your account from the popup window.
After successful authentication you will be redirected back to your EGI Account. Also, you’ll be able to access EGI resources with your existing personal EGI ID using IGTF Certificate Proxy and your certificate.

Users: Obtaining Access/Refresh Tokens

Mon, 01 Jan 0001 00:00:00 +0000

Overview

This page includes all the available ways to obtain OAuth tokens from EGI Check-in.

Users: Virtual Organisations

Mon, 01 Jan 0001 00:00:00 +0000

A Virtual Organisation (VO) represents a research community and, in practice, it is just a group of users. VOs are created to organise a community of researchers, who can share resources across the EGI Federation and other services to achieve a common goal, as part of a scientific collaboration.

See the list of Virtual Organisations

Existing VOs can be found in the EGI Operations Portal.

Click on the icon under the “Details” column to access more detailed information of the VO.

How to join a Virtual Organisation

There are different ways to join a VO:

Contact the administrators of the VO (the VO Managers). They can send you an invitation or a link to apply for membership in a VO.
Some community services provide a link on their Websites to grant access to their respective VOs.
Use the enrolment URL that can be found in the detailed information of the specific VO, in the EGI Operations Portal.

Often, your request to apply for VO membership will be evaluated by a VO Manager before you are accepted in the VO.

How to create your own Virtual Organisation

To register a new VO, access the VO registration page of the Operations Portal. You will need to log in via Check-in and fill in the VO ID card, which is the basic information for the VO.

The VO registration process is detailed in the procedure PROC14 VO Registration.

The person registering a VO is considered the administrator of the VO, also known as VO Manager. Additional VO Managers do not need to be included at the time of the VO creation, they can be added later.

Manage a Virtual Organisation

A VO is managed by its VO Managers. VOs can have more than one administrator, and they are responsible for the correct operation of the VO. The functions of the VO Managers include:

Evaluate membership requests and approve or reject them. This is an important point, since membership in a VO may grant access to data or resources, so normally a VO Manager should not accept members arbitrarily.
Attend security recommendations, provide information requested by the EGI security teams and maintain the resources and users of the VO secure.
Provide information about the VO activities for EGI and for VO members (to both people and sites).

VOs can be structured in groups, to organise the different permissions that users have inside a community. For example, inside a VO there can be a group for users that will manage cloud infrastructure, another group for users that access a specific application, other group for users that will attend a workshop and need access to Notebooks, etc.

Check-in offers two tools to organise a community:

Keycloak.
Perun.

Follow the links for detailed information on how to manage VO groups.

Users: Frequently Asked Questions

Mon, 01 Jan 0001 00:00:00 +0000

Getting help

Requests for technical assistance and other issues related to Check-in can be obtained by sending an email to:

checkin-support@mailman.egi.eu

Alternatively, if you already have a Check-in account, the EGI Helpdesk can be used. More information can be found in the Helpdesk documentation. In that case, submit a new ticket and make sure that the support unit is assigned to “Check-in (AAI)”.

Connect to Check-in an IdP federated in an hub and spoke federations

I get an error similar to: “Error - EGI Check-in Service not accessible through your institution” (SURFconext example)

In case of a “hub and spoke” federation the federation coordinator may require that the IdP administrators explicitly request to connect to a SP and let their users to authenticate on these SP.

In most of the cases this is not a configuration problem neither for the Check-in service nor for the Identity provider. The connection needs to be implemented in the hub and spoke IdP Proxy.

One example of such federation is SURFconext, the national IdP federation for research and education in the Netherlands operated by SURFnet. If you are using credentials from a Dutch IdP in eduGAIN, the SURFconext administrator of your institute needs to request the connection.

Authentication error with ADFS-based Identity Providers

Why do I get the error below after successfully authenticating at my Home IdP?

opensaml::FatalProfileException at (https://aai.egi.eu/registry.sso/SAML2/POST)
SAML response reported an IdP error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder

The Responder error status is typically returned from ADFS-based IdP implementations (notably Microsoft ADFS 2.0 and ADFS 3.0) that cannot properly handle Scoping elements. Check-in can be configured to omit the scoping element from the authentication requests sent to such IdPs in order to allow successful logins. Please send an email to the Check-in Support team using checkin-support <AT> mailman.egi.eu and include a screenshot of your error.

I have linked an IGTF X.509 certificate to my Check-in identity but the information is inaccurate or incomplete

What can I do?

To update your certificate information, follow these steps to log into your Check-in profile page using your IGTF certificate:

Click here to access your profile page

Warning

This may log you out of any service you have accessed with Check-in on this browser!

2. On the Check-in identity provider discovery page, select IGTF

Warning

If prompted to log in with a different identity provider, click CHOOSE ANOTHER ACCOUNT and then select IGTF. Alternatively, you can click here for your convenience

Documentation – EGI Check-in

Users: Sign up for an EGI Account

Why do I have to sign up?

How do I sign up?

Note

Very Important

Important

Viewing user profile information

Basic profile

VO/Group membership and roles

Linked identities

Next steps

Users: Linking Identities

What does identity linking mean?

What Happens When Your Identities Are Linked?

Warning

What Happens If You Don’t Link Them?

Step by step guide

Warning

Linking your certificate to your EGI Account

Warning

Users: Obtaining Access/Refresh Tokens

Overview

Users: Virtual Organisations

See the list of Virtual Organisations

How to join a Virtual Organisation

How to create your own Virtual Organisation

Manage a Virtual Organisation

Users: Frequently Asked Questions

Getting help

Connect to Check-in an IdP federated in an hub and spoke federations

I get an error similar to: “Error - EGI Check-in Service not accessible through your institution” (SURFconext example)

Authentication error with ADFS-based Identity Providers

Why do I get the error below after successfully authenticating at my Home IdP?

I have linked an IGTF X.509 certificate to my Check-in identity but the information is inaccurate or incomplete

What can I do?

Warning

Warning