artistic title image

Helmholtz Login & Helmholtz AAI

Sketch: Seamless access to Helmholtz Resources for Helmholtz Scientists and external partners, finely controllable by access lists

What is it about?

HIFIS built, maintains and continuously expands a technical and procedural infrastructure that allows users from all Helmholtz Centres as well as external collaboration partners to access distributed resources — for example cloud services — in a seamless way.

To enable this, the Helmholtz Authentication and Authorisation Infrastructure (AAI) has been implemented.

The Helmholtz AAI:

  • Enables seamless login to the Helmholtz Cloud Services and other resources for any Helmholtz users and invited partners from external institutions, by using only the home institution’s username and passphrase.
  • Allows cross-institutional group management and fine-grained resource sharing via so-called Virtual Organisations (VO) Management.
  • Maintains compatibility with international initiatives, such as the European Open Science Cloud EOSC by using frameworks such as the AARC blueprint.
  • Allows for easy connection of new institutions and new services.
  • Transfers and processes only minimal sets of personal data; for example, passwords do not leave your home institution.
  • Strongly facilitates parallel usage and even interconnection of multiple services by Single-Sign On (SSO).
  • Understands different identity qualities via Levels of Assurance.

How to use it?

How does this work?

From user perspective, the connected Helmholtz Cloud services can be logged in by clicking “Helmholtz Login”, “Helmholtz AAI” or comparable buttons. This ultimately allows the users to select their home institution and log in via the home institution’s credentials.

Have a look at our illustrated tutorial on this to see more of it!

If you happen to run into any issues, check our FAQ and never hesitate to contact our integrated helpdesk at

The technical view

All details on the technical and procedural implementation can be found in the documentation.

Spoken on a very high level, there are at least three instances exchanging data with each other:

  • the service,
  • the central community AAI (, and
  • the user institution’s Identity Provider (IdP).

The first station itself can consist of multiple sub-instances, for example involving an Infrastructure Proxy, to streamline multiple service connections of one institution to the whole infrastructure.

As a user, you are basically following the route downwards and then up again when logging in to a service.


All participants, including end users, need to comply to the Helmholtz AAI policies, and possibly additional policies related to specific groups (VOs). Further, you are informed about and need to agree to every transfer and processing of personal data. Sorry for bothering you on all of these steps, but it’s mandated by GDPR. But it’s handy that you can save your preferences and not be bothered again on this when you log in the next time.

Furthermore, a Helmholtz-wide rule set is currently being set up by HIFIS in order to facilitate cross-centre sharing of Helmholtz Cloud resources in the future.

Comments? Suggestions? Questions?

  1. Check our FAQ
  2. Contact us at