Wait!? We all know that SWITCH develops edu-ID – so what does adopting edu-ID mean?
It is true that SWITCH as the operator of the AAI federation develops edu-ID. On the other hand, the organization SWITCH with its IdP is also a SWITCHaai Home Organization in the AAI federation. In this post we will describe how the organization SWITCH integrated edu-ID, allowing it to turn off its own IdP.
With the introduction of the SWITCH edu-ID, the Swiss AAI-Federation will take the endeavor to change its architecture from full mesh to hub and spoke. The transition is smooth in the sense that every organization running its own IdP today (full mesh) can choose the best time to adopt SWITCH edu-ID (hub and spoke). It is planned that after 4 years from now most organizations will have carried out the adoption.
SWITCH has carried out the adoption on November 1st this year.
Identity management in general, and the adoption of edu-ID in particular concerns three mayor stakeholder groups: 1) the users (the members of the organization), 2) the service providers and 3) the organization itself. Let’s have a look at each stakeholder group and how they perceived the adoption of the edu-ID. If you want to know more details, check out pages 72-97 of this recent presentation at the ICT-Focus.
The Users’ Perspective
In the preparation phase before Nov 1st SWITCH has instructed all staff members to create their own edu-ID, and to link it to their SWITCHaai account.
Then, 10 days before Nov 1st the staff members were informed that their AAI login window is going to change and that they will have to type in their edu-ID username and password.
The login window before Nov 1st:
The login window after Nov 1st:
That’s it. More actions on the side of the user were not necessary.
The Service Providers’ Perspective
For the service providers the adoption was even simpler. The edu-ID IdP is capable of fully simulating the IdP of an organization. Properly configured SPs automatically load the new metadata on the day of the transition. No special actions are necessary for SPs – really none!
The Organization’s Perspective
With or without edu-ID – an organization has a number of identity management processes like enrolling a new student or hiring a new staff member. The difference is the way a federation account is created. In traditional AAI (full mesh) the organization creates the account for the user. However, with edu-ID (hub and spoke) users themselves create their federation account, and bring their identity to the organization where they become member of. Consequently, an organization needs to slightly adapt its enrollment processes when it adopts the edu-ID.
One major part of the adoption project at SWITCH was to
- Describe the IdM process for the enrollment of new staff members at SWITCH
- Describe the data schema and data flow in the internal IT system
- Adapt IdM process, data schema and data flow for edu-ID integration
The picture below shows the data schema and flow (on the left) and the identity management process for the enrollment of a new staff member (on the right). The green parts show the extensions that were necessary to integrate the edu-ID.
Final Remarks
Altogether, the adoption of the edu-ID was a smooth transition for the users, the service providers and the organization. The planning and implementation effort of the organization was well below 10 days of work. This covers HR’s adaptation of the registration process, the technical implementation in the IT infrastructure, bringing internal support up to speed and taking all necessary communication measures.
Although SWITCH is not a typical organization of the AAI federation in terms of number of users and complexity of IdM processes, it’s edu-ID integration still gives a good picture for the steps that are necessary at other organizations.
Please bear in mind that the adoption approach as it is described above is just one example. For an organization, there are many different paths to the edu-ID (see presentation Integration Scenarios). The edu-ID team at SWITCH actively supports organizations with the development of an appropriate adoption approach.
More information about the adoption of SWITCH edu-ID can be found on the edu-ID project page https://projects.switch.ch/eduid/adoption/