SWITCH Identity Blog

The Identity Blog puts the spotlight on identity management, digital identities, identifiers, attributes, authentication and access management.

Technical Accounts

“Thou shalt not have more than one SWITCH edu-ID user account!” this is one of the commandments in the edu-ID terms of use. It originates from a need of the organizations to be able to unambiguously assign an edu-ID account to one person. But what can an organization or service operator do if it needs a special edu-ID account, e.g. for testing?

Yes, duplicates are a nuisance. This is why the edu-ID service makes considerable efforts to prevent the creation of duplicates, or to resolve them if they were created anyway. However, there may exist cases where the prohibition to create multiple accounts is too restrictive. Examples are accounts for the purpose of testing or monitoring.

To support these use cases SWITCH edu-ID provides technical accounts. Here are some of their most important properties:

  • A technical account is non-personal, and it should not represent a real person.
  • A technical account is owned by an organization. It is created and managed by administrators of an organization.
  • A technical account can be used like any normal edu-ID account to log in to services, to reset the password etc. Affiliations can be associated if required by any organization.
  • The email address associated to a technical account must be operational. Emails sent to this address must be read by an administrator of the owning organization or a delegate.

Technical accounts are managed in the edu-ID organizational administrator interface. It should be fairly intuitive for an administrator to use it. You find more information on the organizational administrator interface in this blog post.

TechAccts

As said above, a technical account can be used just like any other edu-ID account to log in to services. For most case this may be fine. But what if a service wants to treat technical accounts differently, and for example prevent them from accessing to certain of its resources?

Whenever a technical account is used to log in to a service, the attribute eduPersonEntitlement is added to the set of attributes. It has a value of the form:

https://eduid.ch/spec/technical-account/#homeOrgName

A service may interpret this entitlement value and act accordingly.

More information on technical accounts can be found in the edu-ID documentation.

Comments are closed.