Bye-bye Guest IdP – Welcome Swiss edu-ID

Since February 2012, SWITCH has operated the Guest Login Identity Provider (Guest IdP), which allowed users without a regular AAI account to access certain services. The Guest IdP has also allowed what was otherwise not possible with SWITCHaai: a quick and easy self-registration to access AAI services.

Especially in environments where people collaborate in informal or semi-formal ways, the Guest IdP has made life easier for users and for service administrators who do not want to manage manual registrations and external users in their directories, or carry out additional (unnecessary) identity checks. The Guest IdP also provided a benefit for services that allow their users to invite people beyond SWITCHaai to collaborate, e.g. to share a file with them or to write in a wiki. Sometimes the invited persons may not yet have a valid account to access the service. In such cases the Guest IdP has offered a suitable solution. It was a helpful workaround to allow full or restricted access for “unknown” users outside their own organisation and outside the AAI federation.

Now, with Swiss edu-ID, a user-centric alternative exists. Self-registration is the standard method to create a Swiss edu-ID account. Therefore around 1000 Guest IdP users were migrated to Swiss edu-ID during the second half of 2015. Most Guest IdP users had accessed seven services (out of the 22 available ones), provided by SWITCH, Swissbib and ETH Zurich.

Guest IdP users of those three institutions were informed in advance and guided through the very easy account migration process. In most cases, service providers supported the migration by modifying the accepted attribute values, especially those for identifying attributes. This is quite an easy job for experienced administrators. If Guest IdP users had only restricted access to a service (as with SWITCHtoolbox), some code adaptations were necessary.

The Guest IdP will no longer be available after the end of December. But services with a need for self-registration can now rely on the Swiss edu-ID, which includes all features of the Guest IdP, plus some more. Since the Swiss edu-ID IdP is part of the SWITCHaai federation, additional configuration is no longer needed, unlike with the Guest IdP. Only access restrictions within the service may still have to be applied to Swiss edu-ID users. How to configure a service correctly is explained in detail in the Service Provider Access Control Rules.

We take this opportunity to thank the participating service providers for their preparatory work that allowed a very smooth migration process for all involved parties.

