Duplicate user accounts on a single system sooner or later cause a nightmare. One ambition of the SWITCH edu-ID has always been the prevention of duplicate user accounts. However, only a few weeks after the edu-ID launch in 2015 we already found indications of a couple of duplicate accounts. How did that come about, and what can we do to prevent duplicate accounts?
Only a few days remain to register for this year’s Swiss edu-ID Update Event on June 27 in Berne.
Besides the general project status, we will inform you about the next (and last) project submission and the concrete concepts which are now being pursued for the Microsoft integration.
The SWITCH identity federation was conceived almost two decades ago. The SWITCHaai service, implementing its concepts, has been in operation for over a decade. Today, the SWITCH edu-ID service is in the initial stages of becoming its successor, and it still follows the same model: to remain the identity federation of the Swiss academic community. That is reason enough to address two rather fundamental questions:
- Are national identity federations still the right approach to satisfy the needs of the academic community – a community with increasing international collaboration?
- Will emerging e-ID services, or services like SwissID, eventually replace the SWITCH identity federation?
Both question the remits of the current solution: national and academic. But they differ in perspective: while the first questions the national remit, the second questions the academic-only context.
This is a core promise of the SWITCH edu-ID: An individual should be able to use one single digital identity to authenticate, while at the same time being able to choose the appropriate organisational role – or, using a more technical and precise term, the appropriate affiliation – in which to enter a service.
For members of organisations which have already adopted the SWITCH edu-ID, this concept has now arrived in the real SWITCH edu-ID world. The module called “affiliation chooser” is now executed right after authentication. It lets the user choose the appropriate affiliation, before consenting to attribute release and service access.
The affiliation chooser is intended as an intelligent replacement for the well-known discovery service (WAYF). The good thing about the affiliation chooser is that it knows when to show a choice at all. Unlike the WAYF, it only bothers the end user with its question when it really needs to. If, for example, the end user has only one affiliation, then there is no real choice. Most edu-ID users have just one single affiliation to an organisation, if any at all, which is then the one to present to the service. On the other hand, if the service allows only one affiliation, then again, this is the one to check against, even in the rare case when the user has several. In a more complex scenario, the affiliation chooser actually performs a set operation: the intersection of all affiliations the service is intended for with all affiliations that an end user has. This intersection may contain zero, one, or more items:
- If no affiliation remains, then the user, although correctly authenticated, cannot be admitted to the service, as none of their affiliations would fit. This check is now done by the edu-ID IdP, before the user is sent to the service.
- If there remains exactly one out of this intersection, then it’s the one to choose. No need to bother the end user with a choice if there’s just one item to choose from.
- If multiple affiliations remain, then this is where the end user actually sees something. A dialog box similar to the one in figure 1 is shown, and the end user has to choose the affiliation – given by a certain set of attributes – to present to the service. Based on these attributes, the service can then assign the appropriate privileges and access rights.
Figure 1: The Affiliation Chooser
What’s in it for the end user?
Once the organisations the users are affiliated with adopt the SWITCH edu-ID, the end users will see far fewer possible choices in the affiliation chooser than they currently see in the discovery service. At the time of writing this article, only SWITCH has adopted the SWITCH edu-ID; therefore this currently applies only to SWITCH staff members.
What’s in it for the services?
When registering with the federation, services declare their “intended audience”, and thus give an upfront indication about which organizations users must have an affiliation with, in order to be allowed on the service. This indication is picked up by the affiliation chooser which then puts it into an intelligible form and thus helps in pre-filtering the users arriving at the service.
Certain services allow for “private identities”, i.e. identities without any affiliation to an organisation. In that case, the affiliation chooser flags this possibility separately. Figure 1 shows this as the “Private Person” option.
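The decision logic described above (intersect the service’s intended audience with the user’s affiliations, then deny, select silently, or prompt) together with the separately flagged “Private Person” option can be written down compactly. The following is an added example for this article, not SWITCH edu-ID code: the `ServicePolicy` structure standing in for a service’s registered “intended audience”, the `PRIVATE` marker, the treatment of the private-identity option as one more entry in the choice list, and the eduPerson/SCHAC attribute names in `attributes_for` are all assumptions of this example and not taken from the page.

```python
"""Affiliation-chooser decision logic (added example, not SWITCH edu-ID code)."""
from dataclasses import dataclass

PRIVATE = "Private Person"  # assumed marker for the private-identity option


@dataclass(frozen=True)
class Affiliation:
    org: str   # home organisation identifier, e.g. "unil.ch"
    role: str  # role within that organisation, e.g. "staff", "student"


@dataclass(frozen=True)
class ServicePolicy:
    """Assumed stand-in for the 'intended audience' a service declares when
    registering with the federation."""
    audience: frozenset            # organisations whose members are admitted
    allows_private: bool = False   # service also accepts identities without affiliation


@dataclass(frozen=True)
class Decision:
    outcome: str    # "deny" | "auto" | "prompt"
    options: tuple  # matching affiliations (plus PRIVATE when the service allows it)


def choose_affiliation(user_affiliations, policy):
    """Intersect the user's affiliations with the service's audience and decide
    whether the IdP denies access, picks the only option silently, or asks the user."""
    # Deduplicate and sort so the dialog (or the silent pick) is stable across logins.
    matching = sorted(
        (a for a in set(user_affiliations) if a.org in policy.audience),
        key=lambda a: (a.org, a.role),
    )
    options = tuple(matching) + ((PRIVATE,) if policy.allows_private else ())
    if not options:
        return Decision("deny", ())       # IdP refuses before redirecting to the SP
    if len(options) == 1:
        return Decision("auto", options)  # exactly one item: don't bother the user
    return Decision("prompt", options)    # several items: show the chooser dialog


def attributes_for(choice):
    """Attributes released for the chosen option. The attribute names are the
    standard eduPerson/SCHAC ones, assumed here; the article does not list them."""
    if choice == PRIVATE:
        return {}  # private identity: no organisational attributes are released
    return {
        "schacHomeOrganization": choice.org,
        "eduPersonAffiliation": choice.role,
        "eduPersonScopedAffiliation": f"{choice.role}@{choice.org}",
    }


if __name__ == "__main__":
    # Constructed sample user with two affiliations.
    user = [Affiliation("switch.ch", "staff"), Affiliation("unil.ch", "student")]
    for policy in (
        ServicePolicy(frozenset({"switch.ch", "unil.ch"})),            # prompt
        ServicePolicy(frozenset({"unil.ch"})),                         # auto
        ServicePolicy(frozenset({"ethz.ch"})),                         # deny
        ServicePolicy(frozenset({"ethz.ch"}), allows_private=True),    # auto: Private Person
    ):
        d = choose_affiliation(user, policy)
        print(d.outcome, [attributes_for(o) for o in d.options])
```

The ordering step matters more than it looks: without it, a user with several matching affiliations could see the options in a different order on each login, and an auto-selected option derived from an unordered set would not be reproducible when debugging an access problem.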
Future services might be able to cope with more than just one affiliation at a time, as the “extended attribute model” in the Swiss edu-ID Architecture suggests. For such services, the affiliation chooser won’t be needed, as no affiliation would have to be chosen at that point.
Project for Deployment Step 2 in 2018/19 submitted
Within this next project phase – once approved by swissuniversities – the first three universities will implement SWITCH edu-ID:
- Université de Lausanne
- Universität St. Gallen
- Zürcher Hochschule für Angewandte Wissenschaften.
They developed their individual integration plans during 2017 (Deployment Step 1). Like the other four participating universities, they have contributed considerably to elaborating and sharpening adoption scenarios for linking new and current members and for managing affiliations.
Eleven universities will start implementation planning: Berner Fachhochschule, FernUni, Fachhochschule St. Gallen, Haute école spécialisée de Suisse occidentale, Hochschule Luzern, Hochschule für Technik und Wirtschaft Chur (HTW Chur), Pädagogische Hochschule Bern, Pädagogische Hochschule Schwyz (PHSZ), Université de Neuchâtel and Zürcher Hochschule der Künste.
In 2017, seven universities started planning their adoption of SWITCH edu-ID. Together with the edu-ID project team, each university organised two to four workshops to elaborate an individual integration concept and to determine a time schedule for the transition.
It was no surprise to see that the IT landscape and identity management (IdM) processes of the universities are quite different. Based on the workshops, we were nevertheless able to identify and document a few major categories which may serve as a source of ideas for other universities.
SWITCH invites you on Wed, 14 March 2018 to the 1st Trust & Identity WG Meeting in Berne.
The intended audience of this event are administrators of an Identity Provider or Service Provider registered in SWITCHaai, as well as SWITCHpki registration authority operators. The participants will gain more insight into the technical details that support the seamless adoption of the SWITCH edu-ID service.
Registration is open until Wed, 7 March 2018 and is required for logistical reasons. Refer to the registration page for the draft agenda and schedule.
- The new SWITCH edu-ID Service Description
- An Organization adopts SWITCH edu-ID
- Single digital identity and multiple affiliations
- What happens when a current affiliation ends?
- “SWITCH edu-ID behind the scenes”
- Custom-tailor the SWITCH edu-ID service for your SP
- Think about data protection
- Secrets of the SWITCH edu-ID password
- Interfederation Update
- Single Logout
- SWITCHpki News
- SWITCH edu-ID Liaisons
- SWITCH edu-ID Roadmap
What’s the SWITCH Trust & Identity WG?
The SWITCH Trust & Identity WG is a new forum analogous to the well-established SWITCH Network WG or the SWITCH Security WG, which you might have heard of before.
The newly formed Trust & Identity WG comprises representatives of all SWITCHaai Participants and SWITCHpki Participants in the SWITCH Community and the Extended SWITCH Community.
This group is informally involved in the further development of these two services and has the opportunity to provide feedback when questions arise or changes are upcoming.
Relationship to other SWITCH events
- The Trust & Identity WG Meeting replaces the earlier SWITCHaai update events.
- The SWITCH edu-ID update event is planned for early summer and will focus on the migration projects and less on technical issues.