It is with great pleasure that we can report the next milestone in the development of the SWITCH edu-ID.
As you know, most of the Swiss university libraries launched the joint library platform Swisscovery in December last year. All university members can log in to Swisscovery exclusively with edu-ID.
However, many libraries have a service mandate not only for universities but also for private users. This means that authorisation via edu-ID had to be extended so that users who are not enrolled at a university can also use library resources.
Pierre Deshayes, team leader and expert engineer “Infrastructures and Systems» at University of Geneva, explained at the SWITCH edu-ID update event (slides) how the change from AAI to SWITCH edu-ID took place. Here is a summary:
A special IdP setting at University of Geneva
“Since February 25, 2021, the approximately 36,000 membersof the University of Geneva have been able to use SWITCH edu-ID for all federated web services. The situation turned out to be somewhat more complex in Geneva than at other universities, because nowhere else was the local Shibboleth IdP used as extensively as here: All authentication – external and internal – went through this one identity provider. With the use of SWITCH edu-ID’s central IdP, this type of single sign-on was no longer possible. It was therefore necessary to weigh up the advantages and disadvantages and ensure that operation with external authentication would continue to function smoothly and in compliance with data protection requirements. Various questions led to answers, which SWITCH was able to make available to other universities in the form of legal FAQs.
Convincing advantages
In the end, the following points tipped the scales in favor of the migration: The possibility of standardizing the registration process in the medium term and the user-centric approach of SWITCH edu-ID, which allows lifelong use of services from different universities with one account.
Back in 2016, Daniel Lutz showed how the Shibboleth IdP can offer a real SSO feeling by reusing an already existing authentication token on domain-joined windows clients. SWITCH has now extended this concept in order to offer it to all organisations that have migrated to the SWITCH edu-ID.
As in 2020 we’ve organized the TRID WG meeting and SWITCH edu-ID update event as online meeting because of the COVID restrictions.
Nevertheless, around 70 members from different organisations have decided to participate, which of course makes us very happy.
Highlights were the guest contributions by Pierre Deshayes about the migration experiences at University of Geneva and Manne Miettinen about the edu-ID initiatives in Finland. You find the corresponding slideshere.
Follow-Up Discussions
Many questions were asked, ideas were proposed and there was a lively exchange, which we would now like to deepen in follow-up discussions.
The first of these meetings will be held on June 23, 16:00-16:45. Then we will be happy to discuss “Authentication Methods: New methods? Parameter tuning” – the topic rated as the most important at the event.
If you would like to participate please register here.
We will communicate further follow-up discussion topics and meeting dates via this mailing-list and our website.
On 7 March, Switzerland rejected proposed legislation to establish an e-ID.
As a neutral and independent foundation for Swiss universities, SWITCH has over 20 years’ experience in the field of electronic identities and participated in the process of designing the e-ID. We interviewed Christoph Graf, Programme Manager of SWITCH edu-ID, about the next steps in introducing an e-ID in Switzerland and the role SWITCH can play in this process. Read more.
Christopher Greiner, service coordinator, UNIL IT:
It has been two months since our move to edu-ID, here is a recap of our trials and tribulations in switching identity provider.
The University of Lausanne (UNIL) successfully migrated to SWITCH edu-ID on the 10th of February 2021.
We had been preparing for this migration for quite a long time: we first heard about the Swiss edu-ID project back in early 2014. Our university had been one of the early adopters of SWITCH AAI, and quite heavy users of the service, so we were very interested in hearing what SWITCH had in store for the future of this digital identity; we decided to take part in the workshops organised by SWITCH, thinking that the earlier we were involved, the easier it would be for us to find solutions specific to our university’s needs.
SWITCH invites you on Wed, 26 May 2021
to the 4th Trust & Identity WG Meeting combined with the SWITCH edu-ID Update Event (online).
Registration is open until Friday, 21 May 2020.
There you will find as well the preliminary agenda and meeting topics.
We are looking forward to the contributions of our colleagues from Geneva and Finland.
Details (links etc.) will be provided three days in advance to registered participants.
The event is aimed at the following target groups:
IdP and SP Administrators
Home Org Administrators
RRA & Attribute Policy Administrators
IdP hosting customers and
IT staff with interest in authentication and authorization
for both – Swiss universities that still use SWITCHaai and those that have already switched over to SWITCH edu-ID.
This group is informally involved with the further development of SWITCHaai/edu-ID and SWITCHpki and has the opportunity to provide feedback if there are questions or changes upcoming.
For more than 15 years, the SWITCHaai federation was entirely based on the SAML protocol. SWITCH is happy to announce that as of March 1st 2021 the edu-ID identity provider (IdP) officially also supports OpenID Connect.
Sarah Frederickx, Head of Digital Learning Center at Hochschule für Heilpädagogik Zürich HfH (University of Teacher Education in Special Needs Education)
Planning
In November 2019, we talked about SWITCH edu-ID seriously for the first time. We planned to work out the changeover in 2020 and so as to actually switch over in 2021. Naturally, it didn’t go as planned. After a thorough analysis of our systems and a definition of our roadmap (two phases) at the beginning of 2020, everybody forgot about the edu-ID implementation project because of the lockdown in March. In May, though, the pressure of the new library system swisscovery, which requires a SWITCH edu-ID account, grew stronger, and we decided to attack our first phase.
The lowest complexity level
Our first phase only had the one goal: changeover to edu-ID. Nothing else! No changes in processes, no changes in our systems. Nothing complex. So, we implemented a linking service and the affiliation administration with our partner who hosts all our students’ mailboxes. Easy-peasy.
Success
Everything went very smoothly in November 2020. Thank you, SWITCH, for all the help, discussions, templates, checklists, and so much more. Thank you, exigo, for the professional and smooth technical implementation. We had sent an info mail 10 days before the change and a reminder two days before the changeover. Brace yourself after you send out the reminder! The support cases then rose until very shortly after the change. But after a few cases, we had standard email texts for seven different problem cases that almost covered it all. By now, a few months later, 87% of our users have linked their SWITCH edu-ID account to HfH.
Aftermath
We still have lots to do to streamline our processes and make user management better and easier. But before that, we’ll do our second phase, and we’ll do just that. Our second phase is the change from ‘Linking after admission’ to ‘Linking at registration’. New students will (have to) have an edu-ID before we enter them into our systems. Everything else will come later. With only few resources, we break things down and proceed one step at a time.
In December and January two new features were silently introduced for edu-ID organisation administrators. One provides graphical statistics and one allows restricting technical accounts to certain services. This blog post provides a short overview on what is new.
Like described in the blog post Sending Users on the Right Path, it sometimes is in everybody’s interest to guide end-users on a certain path to achieve a goal. Such helpful nudges are also used during account creation when end-users choose how to create their SWITCH edu-ID account.
Project team: Dominik Hofer, Stefan Keller, Andreas Scheppele (KOGIT GmbH), Xiang Wang, Erwin Wendelspiess, Jan Stucki, Thomas Mundschin
Successful transition
“For the University of Basel (UNIBAS), the changeover to SWITCH edu-ID went smoothly. The project was a success, because everything was well prepared from a technical point of view and it did not cause any big issues with regard to communication and user feedback. Successful projects often remain “under the radar”. The management sometimes hardly notice projects, when everything is running smoothly. This is our motivation to write this short success story:
Today, with the going live of SLSP we have seen quite a few thousands SWITCH edu-ID accounts being created. This amount was considerably more than we have seen in the past. While the SWITCH edu-ID infrastructure kept working for those who had created their account already before, some users who created their account today before noon, had to wait a couple of minutes until their account was ready to be used to log into swisscovery.
We apologise for this inconvenience and ask our customers to try again.
Starting from around 12:10 today, operation goes smoothly again, meaning that newly created accounts can be used for login right away.
Here’s a couple of pictures to show what actually happened:
New record of accounts created per dayNumber of phone number verifications compared to the days beforeSynchronisation of one of the slave lagging behind between 10:00 and 12:10
We thank our customers for their patience within this period of time. In case someone created more than one account – while assuming that a second one might work better – we strongly recommend to merge these two accounts back again.
With the University of Teacher Education Zug, the second PH switched to SWITCH edu-ID on 7 October 2020.
Abdel Benhauresch, head ICT PH Zug
Abdel Benhauresch (head of the ICT PH Zug), can you tell us a little bit about how the adoption of SWITCH edu-ID took place and what further objectives the PH Zug is pursuing after the successful changeover?
“We are a relatively small university with a core of about 800 users and about three times as many people who attend our continuing education courses. Accordingly, our IT is small and efficiently structured. Projects have to be well planned and implemented in stages. The preparations for the adoption of SWITCH edu-ID started two years ago. At first it was unclear when the new Campus Management System (CMS) would go live. Finally, we decided to switch to edu-ID first and to use the new system not before 2021. This means that we will then have to check the interaction of edu-ID with the new CMS. For the linking process we decided to use a function in Microsoft Azure, because all our users use an Azure Active Directory account (AAD) to authenticate.
In SWITCH edu-ID the e-mail addresses play a crucial role not only for communication with an edu-ID user but also for authentication. Every e-mail address associated to an edu-ID account also serves as login name. An e-mail address can also be used to reset the password of an edu-ID account. And unless Two-Step login is activated, this would be sufficient to gain control of an account.
Unfortunately, many e-mail addresses don’t belong permanently to the same person. When a student finishes her studies, she will loose her university e-mail address after some time. When a staff member changes jobs, he won’t keep his company e-mail address either. In case of popular names, some organisations re-assign e-mail addresses to persons with the same name, hopefully only after a long grace-period. If such a “recycled” e-mail address is still associated to a user account of the original holder of this address in a system like SWITCH edu-ID, this might cause severe security problems. Therefore, SWITCH edu-ID has some automated mechanisms to detect, remove, replace and inform about e-mail addresses that no longer work. How do these processes work?
