Back in August 2016, SWITCH and seven partners (EPFL, FHNW, UNIFR, UNIGE, UNIL, UNISG and ZHAW) applied for project funding through in the framework of the P2/P5 programme of swissuniversities. Regular readers of our blog might remember, that we wrote about the submission and the nature of the proposal in the blog post Project for Deployment Step 1 in 2017 submitted which you are encouraged to re-read.
We are delighted to share with you the good news that this project received green light from the “Comité de pilotage du programme CUS P-2” at their meeting on 5 December 2016. This is good news for SWITCH and the university community as well as their stakeholders, as it marks the first of four “deployment steps” to implement the Swiss edu-ID roadmap until 2020.
This week, we received the formal approval letter annexed with an assessment note and additional obligations, which mean some additional homework for SWITCH (clarifications, reporting and project management obligations, as well as accommodating a cut in overall spending). Another good news for our project partners: these obligations are not impacting our partners’ work packages nor do they affect the support they receive from SWITCH.
We are looking forward to start the process of entering the deployment phase of the Swiss edu-ID roadmap and rolling out the SWITCH edu-ID service until 2020.
The SWITCH aai identity federation is based on one important concept: The separation of identity management (IdM) and access management (AM). Identity providers are trusted sources of a set of well defined attributes. For each user trying to access a service, the service itself decides based on his/her attributes if access to the service is granted or denied.
The identity provider in its purest form only manages general user information like name, age, email address, membership status at a university etc. This information is general and not specific to services. The service specific part is the way how attribute information can be combined by a service to build complex access rules like: “This service accepts math students and staff members”.
What if a group of services needs to share additional information about a user that is not part of the standard attribute set? For this case SWITCH has developed the shared attribute service for the edu-ID.
The shared attribute service consists of a database where additional attributes can be stored for each SWITCH edu-ID user. The contents of this database are not managed by the SWITCH edu-ID Identity Provider. Some external entities can access to the shared attributes database via an API, and set or delete attribute values for selected edu-ID users. When a user accesses to a service provider the shared attribute for that user is added to the standard attributes and sent to the service.
What effectively happens with shared attributes is that one part of AM (the part that is common to a group of services) is extracted from the services and centralized
First application: National Licences
The first application to use shared attributes is the National Licenses service. In the context of the national licenses some publishers grant access to users who satisfy a complex access rule. The user has to be a Swiss citizen, has to accept specific terms, must have been active during the last year and must not be blocked due to service abuse.
A specially developed national licenses service registration platform checks if a user meets all the requirements of a user. If the user does meet the requirements, the flag national-license-compliant is set in the shared attributes database for that user. Consequently, services participating in the national licenses program get the additional attribute and grant access to licensed publications.
If a user does not meet all requirements, the national-license-compliant flag is removed. The user gets an explanation on the registration service and some indications how he or she could re-gain access to the national licenses program.
Note: The shared attributes service has been developed by SWITCH to solve a specific problem and to gain experiences with the concept. It is possible that the service will be replaced in the future by a more general group management service.
Services use SWITCH edu-ID as authentication mechanism for their users. Universities use SWITCH edu-ID to onboard new students or staff members. Branding is a great new feature to integrate the SWITCH edu-ID into services and to improve the user experience.
