How a shared idea grew into the national foundation of Croatian academic digital identity
On March 1, 2006, the AAI@EduHr system, the Authentication and Authorisation Infrastructure of the Croatian science and higher education system, was launched into production. Twenty years later, AAI@EduHr represents the national digital identity infrastructure of the academic community: a system that gives its users secure and reliable access every day to thousands of services in Croatia and abroad.
How it all began: from directories and network access to one credential
The story of AAI@EduHr begins in the early 2000s, when people connected to the internet via dial-up. At the same time, SRCE and CARNET, working with institutions across the Croatian academic community, were building a network of directory services based on LDAP, enabling a simple, standardised way to share contact information and support inter-institutional cooperation.
As new web applications emerged rapidly, it became clear that a simple, secure, and standardised method of authentication and authorisation was needed both for internet access (dial-up ports) and for accessing various applications. We found an ideal proof of concept in the CARNET modem access system (CMU). In 2002, we connected the existing directory service network as a source of credentials and began using it to authenticate CMU access.
Through collaboration with colleagues from academic communities across Europe – primarily via GÉANT projects – we reached a common idea: to connect academic authentication and authorisation systems into one unified system in a secure and standardised way. This was the beginning of eduroam, which we were among the first to join in 2003. From there, our goal was clear: one credential for all applications, built on open standards.
From project to infrastructure
AAI@EduHr did not emerge as an isolated technical project. It was a strategic response to the growing need for standardised, interoperable management of electronic identities within the science and higher education system.
SRCE launched the project of establishing AAI@EduHr in 2004, in cooperation with CARNET and with the support of the then Ministry of Science, Education and Sports. The challenges were both organisational and technical: standardising attributes for users and institutions, establishing clear rules and responsibilities, and developing reliable mechanisms for exchanging authentication and authorisation data.
During the project, national attribute specifications were defined (the hrEduPerson and hrEduOrg directory schemas), rules and norms of the system were adopted, and a federation model was established — based on trust between member institutions and SRCE as the coordinator. The goal was to reach a solution built on existing standards and the experience of the European academic community, adapted to local capabilities and needs. After two years of preparation, the system was launched into production on March 1, 2006.
One of the first examples of a widespread AAI@EduHr implementation was the StuDOM project, through which Croatia became the first country to deploy 802.1X-based network access across all student dormitories effectively creating, at the time (2003–2007), the largest wired eduroam network in the world.
In 2007, AAI@EduHr became the first federation to establish and test connectivity with the emerging eduGAIN infrastructure, now a global network with thousands of services.
In 2011, SRCE established a certification framework for identity providers in AAI@EduHr, ensuring compliance with defined technical and organisational standards and marking an important step towards a more robust, secure and trustworthy federation.
Since then, AAI@EduHr has been growing continuously – not only in terms of users and services, but also regarding the level of technical maturity and security.
SRCE: coordinator and driver of development
SRCE’s role within AAI@EduHr is continuously evolving. From the very beginning, it covers coordination, operations, and ongoing development, serving as system coordinator, operator of central services, custodian of the normative framework, and initiator of technological improvements.
Today, the system hosts over one million electronic identities, issued by 239 member institutions, which can be used to access 944 services. The largest identity provider within AAI@EduHr is skole.hr – CARNET’s hosting system for primary and secondary schools, which accounts for nearly 75% of all identities.
Its use is best illustrated in numbers. In 2025, the AAI@EduHr SSO service was used at least once by over 700,000 unique users, generating more than 54 million successful authentications, while the system’s central RADIUS servers processed over one billion successful authentication requests.
Today, AAI@EduHr supports a wide range of authentication protocols and methods, following best practices and standards while safeguarding the security of its users and their data.
National and European dimension
AAI@EduHr is connected to the national NIAS system, meaning an electronic identity from AAI@EduHr can be used to access services within the e-Citizens (e-Građani) framework.
AAI@EduHr is also connected with the international eduroam and eduGAIN systems. Through eduroam, users can connect to the internet via access points worldwide. Through eduGAIN, Croatian users can access thousands of international research and education services, while Croatian services are opened to the global academic community.
In the international digital environment, the concept of the OpenID Federation protocol is gaining importance, enabling more dynamic and transparent trust management among entities and facilitating easier international connectivity. SRCE’s experts contribute to developing this protocol specification and its implementation in SimpleSAMLphp. At the same time, we are working on implementing the concept of verifiable credentials in SimpleSAMLphp, opening the door to a new generation of digital identities.
SRCE and AAI@EduHr are not merely users of European solutions. We are active contributors to its development.
A glimpse of the future
In the coming decade, digital identity will increasingly move away from username-and-password logins, and toward cryptographically verifiable claims, attributes that users can selectively share. In higher education, a particularly important topic is student credentials – including student status, certificates, qualifications, and micro-credentials – where SRCE and AAI@EduHr can serve as a trusted issuer, provided policies, processes, and alignment with the European framework are clearly defined.
