On July 17, 2019, the University of St. Gallen and SWITCH flipped the switch.
From now on, members of the university will use SWITCH edu-ID accounts to access federated services.
Armin Schibli, Thomas Köppel and Thomas Mesaros drove the project forward and ensured the successful implementation in St. Gallen.
One of the early birds
The University of St. Gallen was one of the first planning phase participants in 2017 and was therefore ready to start planning at a time when not all components of the SWITCH edu-ID service were available and no clear paths for adoption had been defined.
Nevertheless, the IT team was ready to accept the challenge and held intensive discussions with SWITCH and the local stakeholders to find the most suitable way to adopt SWITCH edu-ID. The result was what we internally call “the St. Galler model”.
Priorities and meaningful work sequence
The agenda of every university’s IT team is pretty full, so prioritisation is unavoidable. Especially if a university intends to revise or completely redesign its IdM, it must decide whether the adoption of SWITCH edu-ID has to be done before, during or after the other work. This decision is not trivial and takes a while. However, compared to other tasks, the adoption of edu-ID is a rather small project, and the University of St. Gallen therefore decided to advance it.
The roadmap for the adoption was ready in April 2018, the linking service and ADFS connection were realized in April 2019, and the related communication started in May. The university has informed its users via email and its website about the upcoming changes.
New members will also be notified of the change in the usual welcome letter from autumn on.
Know the “important” services and what users do
During the planning phase, we counted the number of users accessing federated services and which services they visited. We saw 129 logins per day (47106 per year) and around 160 services, 120 of them constituting the long tail with fewer than 100 logins. Around 80% of users have accessed federated services once or regularly.
What does “the St. Galler model” look like?
The numbers above show that the University of St. Gallen has not used SWITCHaai as intensively as some other organisations do. Only a handful of services are registered by the university in the federation so far. Given this situation, the IT project group wanted a scenario that takes into account the fact that not all people need access to federated services. Subsequently, an on-demand scenario was elaborated: “Linking after admission” for new members.
The University of St. Gallen uses this scenario for all its user groups. Once people are registered at the organisation, they can go to the linking service and link their local account with their SWITCH edu-ID account. Now that their university affiliation is attached to their SWITCH edu-ID account, they can access federated services that grant access only to university members. The linking service is the only component that sends affiliation updates via push API to SWITCH edu-ID.
Linking after admission can be a good variant to equip employees with an edu-ID, because there is often no staff registration application comparable to registration applications used for future students.
And the current members?
For users (and support staff) it can be very uncomfortable if access to a service no longer works. To avoid flooding the help desk on adoption day with requests from frustrated students and employees discovering that access to a particular service is no longer granted, the IT team of UNISG decided to start an information campaign in advance, corresponding to the “Linking before day X” approach.
This campaign allows detecting potential issues with a limited population of users so they can be resolved before adoption day.
Since the linking service remains available after adoption day, people who didn’t link their account before that day (when the Shibboleth IdP of the university was replaced by the edu-ID IdP) can easily link it afterwards, if they need access to federated services.
The linking service at the University of St. Gallen was implemented in a different way than at the University of Lucerne. It is the linking service itself that pushes attribute changes to edu-ID. This means that attribute changes will continue to require user interaction with the linking service in the future.
The right way for each organisation isn’t necessarily the same
As the adoption of SWITCH edu-ID at the University of St. Gallen shows, there isn’t only one way towards edu-ID. Organisations have to select the most suitable approach(es) and implement the processes in a way that fits them best.