How to support Research with AAI

AAI is not only used within Switzerland. As of today there are 44 production and 17 pilot identity federations like AAI known around the world. 34 of the production federations are also part of the interfederation service eduGAIN, which interconnects these federations and allows AAI users of Interfederation-enabled Swiss institutions to access AAI services operated in other eduGAIN federations. Vice versa, AAI services in SWITCHaai (e.g. operated at CERN) can now also be easily opened to and accessed by users from other eduGAIN federations.

Using AAI across national borders is particularly useful for research projects, whose participants often come from different countries around the world. How research can benefit from eduGAIN, and how SWITCH, in the context of the GÉANT project, is helping research projects make use of AAI internationally, is described in a new SWITCH story called “The recipe for cutting-edge international research”.

AAI & Swiss edu-ID Update Event

Thursday 13 August 2015, Berne

Would you like to know more about the current state of SWITCHaai, IdP Clustering, MFA and eduGAIN, or about how Swiss edu-ID is progressing, its outcomes, next steps and which pilots are on the way?
Then we would like to invite you to this event, with an AAI Update in the morning (10:15 – 12:00):

  • SWITCHaai Status Update
  • IdP Clustering
  • Multi-factor Authentication and Shibboleth IdPv3
  • SP Reverse Proxy Server at ZHAW
  • How the SAMLtrace Firefox add-on can be useful
  • eduGAIN: An Opportunity for Research Collaborations
  • eduGAIN Access Check (also a topic of interest for SWITCHaai?)

followed by a Swiss edu-ID Update in the afternoon (13:15 – 16:15) to inform about and discuss:

  • The future of AAI and Swiss edu-ID; Outlook to Swiss edu-ID 2.0
  • Results from the working groups and call for new working groups
  • Swiss edu-ID 1.0: Status
  • Pilot Projects Overview
  • Adoption of OAuth2, OpenID Connect in the Swiss edu-ID.

Details and registration

Business & Governance Model Reports

The final reports of the Business Model and Governance Model Working Groups are available.

The Business Model Report describes relevant information and methods to be used for the Business Model, such as

  • general assumptions
  • IdM market analysis
  • identification of stakeholders
  • general quantity structures
  • description of the value proposition for different stakeholders
  • potential risks
  • outlining of financing options.

Recommendations for the Swiss edu-ID Business Model elaboration and refining:

  • New user groups: increasing the user base and the number of provided resources is fundamental for success (doubling of user numbers within the next 3 years)
  • Costs: do not charge users. A cost-sharing model has to be agreed with universities. Third-party Service Providers can help to reach a better financing of the service.
  • Transition phase: as early and short as possible in order to limit costs of parallel operation
  • Roadmap: include information about the revenue streams that might shift over the three stages (1: AAI in parallel; 2: AAI replaces; 3: access for additional external services)

Next steps:

  • develop adoption and co-innovation risk maps and a stakeholder risk matrix
  • define appropriate actions and assign to a person or group with a deadline to reduce identified risks
  • describe concrete financing options (including numbers)

The Governance Model Report describes

  • existing governance structure for SWITCH and SWITCHaai
  • new stakeholder groups that may become part of the governance structure
  • how those stakeholder groups could be involved.


  • use SWITCHaai Governance Model as far as possible and extend it in order to include new stakeholder groups (Continuing Education, University Administration, Alumni-Organisations, third party Service Providers)
  • involve more topical/stakeholder/working groups (scalability), approach potential stakeholders early and give them a formal “seat” in a committee
  • continue work of Processes working group
  • address business side in continuing education

Next steps:

  • develop joint roadmap for AAI and Swiss edu-ID
  • elaborate communication concept
  • involve new stakeholders in Governance structures

Simplify Shibboleth IdP Debugging: Quickly Identify Related Log Entries

“Why isn’t it possible to easily identify all log messages belonging to a particular user that authenticated at a Shibboleth Identity Provider?” This question was asked at the SWITCH Shibboleth Training in June 2015. Many other Shibboleth Identity Provider (IdP) administrators acknowledged that they miss such a feature too. It would make debugging Shibboleth login issues easier, since parallel user logins at the IdP produce many interleaved log entries that are a challenge to analyze. By default, the IdP does not provide enough log information to identify all related log entries for a particular login attempt.

The answer to this question is: This is possible! It’s in Shibboleth already and it’s easy to use but it is a bit hidden. There are two key ingredients needed to activate this.


Swiss edu-ID Phase 2 Approved

The Swiss edu-ID project management is happy to announce that we received the approval for the Phase 2 project by swissuniversities (CUS P-2 program)! The corresponding proposal was submitted in February 2015.

Main goals of Phase 2 (Aug. 2015 – Dec. 2016) are:

  • successful operation of Swiss edu-ID v1.0 and its use cases from phase 1
  • implementation of the Swiss edu-ID v2.0 service with new features
    • connect the Swiss edu-ID platform to institutions (enabling of attribute exchange with Attribute Authorities operated by universities)
    • support for authentication protocols beyond SAML allowing access to non-web resources
  • continuation of community involvement (working groups, events)

Project Abstract

New national services being developed within the frame of the CUS P-2 project will in almost all cases require reliable identity and access management (IAM). The Swiss edu-ID addresses that need, by providing a comprehensive IAM service framework to all relevant players: universities, individuals and service providers.

The SWITCHaai is a well-established IAM solution for the Swiss universities that places identity management under the responsibility of the participating universities and allows for effective resource sharing across organisational borders. However, this approach has several drawbacks:

  • University members with multiple roles or jobs are assigned multiple electronic identities, which need to be managed individually.
  • Individuals lose their electronic identity when they change role or affiliation and are unable to recover the same identity if it is needed at a later date.
  • Individuals collaborating with universities, but without a strong affiliation with one of those universities are not issued such an organisation-centric identity. Almost all resources need to manage this potentially large user group without SWITCHaai support.
  • The existing SWITCHaai service is not perceived to support mobile and other non-web environments adequately.

The Swiss edu-ID is addressing those shortcomings. It does so by building on the very successful SWITCHaai, but changing/extending it in several ways. In the predecessor project “Swiss edu-ID” the basis for a successful continuation was set by completing the Swiss edu-ID high-level architecture, by implementing Swiss edu-ID V0.5 with a new set of attributes, and by conducting a market overview of access management platforms. The first important change is delivered by the Swiss edu-ID v1.0 service:

  • All individuals collaborating with our community can get a Swiss edu-ID identity, regardless of whether a user is currently affiliated with an organisation in our community or not.

The project “Swiss edu-ID Phase II” described in this proposal will implement the Swiss edu-ID v2.0 service with these two additional features:

  • The Swiss edu-ID will carry up-to-date information about roles and affiliations within the academic community. This information will be provided by those member organisations themselves.
  • The Swiss edu-ID will support the most promising protocols for mobile integration.

Services wishing to make use of the functions offered by the “Swiss edu-ID” will receive consultancy services from the project, get access to the Swiss edu-ID service and the project will seek ways to support use cases needing adaptations or extensions to the existing services. Specific integration work at the user side, however, is not within scope and should be provided by the respective user service. Project management will take appropriate steps to evaluate requests for functional extensions within the governance structures.