Right at the start of the year on 8 January 2020, the Zurich University of the Arts (ZHdK) switched over to SWITCH edu-ID.
Smooth changeover thanks to good preparation and a high ‘linking’ success rate
Technically, everything was threaded perfectly and the changeover of the IdP went off without a hitch. After initialization and planning in 2018, the work could be started at the beginning of 2019 with the development of the connector, followed by the setup of the linking service and the migration of the IdP. The fact that everything went so smoothly was partly due to the fact that a large number of users had linked their accounts in time for the migration:
|Target group||Target value
|Students||60 %||67.4 %|
|Lecturers||60 %||68.5 %|
|Midlevel faculty||70 %||83.1 %|
|Staff||70 %||79.1 %|
|Externes||0 %||5.3 %|
The communication measures were very successful with all target groups.
These consisted of a post in the Rectorate newsletter, a poster at the helpdesk, multiple e-mails sent to people without a linked account (maximum of three follow-ups and a final e-mail to users of the three most frequently used services), a message in the Rectorate newsletter shortly before the changeover, and detailed instructions on how to create and link the edu-ID account. E-mails were sent to the different groups of people in a staggered manner. This meant that support before and after the changeover to SWITCH edu-ID was uncomplicated and that the work involved was predictable and manageable.
The linking service set up by the ZHdK is intuitive and will remain in operation after the changeover for employee registration (Linking after Admission https://www.switch.ch/edu-id/organisations/idm/link-new-members/#linking-after-admission).
New employees will automatically receive a request to create an edu-ID account or to link to it after joining the ZHdK. This is done via the linking service on the ZHdK intranet and ensures a simple procedure. Persons who have already linked their accounts will see this directly after calling up the linking service:
Those people who have not yet linked will be guided through the process:
It had to be taken into account that employees might not have access to their private e-mails from their work device. These persons had to use their university e-mail address for the creation of the edu-ID account, so that the linking process is not interrupted.
Once equipped with the edu-ID account and logged in, the two accounts can be linked with one click:
Users will then be notified that the process has been successfully completed:
The linking instructions also cover the case of a forgotten password and an interrupted session.
Nothing is as constant as change
At the ZHdK, the first deliberations on switching to SWITCH edu-ID had already begun in August 2016. A replacement of the existing IAM system was imminent and the choice fell on midPoint, which was to be put into operation with the help of an external partner. In addition to adjustments in the AD and the basic structure of the identity management system, the changeover includes a revision of the role model, access governance and various connections. It is therefore not a replacement project that can be implemented overnight. As part of the IAM programme with several projects, it has been decided to launch the SWITCH edu-ID project in summer 2018. Under the leadership of Maurizio Mattiola, project manager at the ZHdK, and together with the external partner, the scenarios were evaluated and the project was divided into three phases. In the first phase, the development of an IAM connector to SWITCH edu-ID was implemented, which sends push messages to SWITCH edu-ID in real time for the updating of account information. The second phase included the Linking Service with the logical processes “Linking Start”, “Account Linking Page – at SWITCH”, “Linking Finish” and “Linking E-Mail Service”, in which checking of requirements, creation of edu-ID account, linking and communication were handled. The third and final phase was devoted to the migration of the IdP and the service providers.
Duplicate cleanup and tests are part of it
One of the processes to be redesigned at the ZHdK was the online registration for studies (ONLA). Since the roll-out in autumn 2018, prospective students of the ZHdK have registered with an edu-ID account. The corresponding extension in Evento simplified integration.
With this early use of edu-ID accounts without a corresponding synchronization, special attention had to be paid to avoiding duplicates during subsequent migration. Many students at the ZHdK did not use the edu-ID account for a long time after registration. Consequently, it was not surprising that some could not remember their password or did not know which e-mail address they had registered with. Others had even completely forgotten that they had created an account earlier. It was therefore important to be prepared for support requests and to quickly clean up duplicates.
To ensure that the changeover to SWITCH edu-ID ran smoothly, prior tests were carried out, e.g. of successful synchronisation. This enabled weak points or bugs to be eliminated, instructions to be optimised and the necessary security in the handling of tools and interfaces to be gained. Even special cases that had to be supported only came to light during the tests. In addition, this also resulted in new requirements for the functionalities and interfaces of SWITCH edu-ID.
No rule without exception
The changeover involved practically no further effort for practically all services of the ZHdK already integrated into the AAI Federation – with the exception of organisational and coordination tasks. At the ZHdK, two services were identified which use SAML but do not comply with the Federation standards (LinkedIn Learning and Adobe). These two should now also be accessible via SWITCH edu-ID. A corresponding solution was available with the SAML Proxy Service by edu-ID.