SWITCH Identity Blog


Behind the Scenes of SLSP and SWITCH


As we announced in our blog post “SWITCH edu-ID as door opener for libraries”, SLSP officially launches its new library service in December 2020, which relies on SWITCH edu-ID for user authentication and user management. With several hundred thousand expected users, the SLSP service is likely to become one of the most widely used services with edu-ID/AAI in Switzerland. Therefore, the SWITCH edu-ID team is actively supporting the SLSP colleagues to integrate it optimally with edu-ID.
In this blog post we describe a few technical details and extensions that the edu-ID team implemented with and for SLSP. Last but not least, there is also a hint on what organisations can do to facilitate access to the SLSP service for their users.

Architecture

Figure: High-level architecture overview of SLSP and SWITCH edu-ID components

SLSP decided to rely on the ExLibris Alma and Primo VE system as their library system. Alma is a back-end not visible to end users, whereas Primo VE is the web interface that allows users to search and discover content. Primo VE already supports login via SAML. However, Primo does not automatically create new user accounts when somebody authenticates via SAML. To still allow a large number of users to access Primo VE via SAML, an intermediary system is needed. We call it the SLSP Registration Platform. The Registration Platform acts as glue connecting the different components involved in the SLSP registration and login process. The functions of the SLSP Registration Platform are:

  • For the user who authenticates, it requests SAML attributes from the SWITCH edu-ID Identity Provider (IdP)
  • It creates and updates Alma user records via the Alma API with the SAML attributes it receives from the SWITCH edu-ID IdP. Using the edu-ID private identity and organisational identity data, the Alma user record is created and gets assigned the best matching Alma user group and roles
  • It checks and processes library card numbers optionally provided by the library user or library staff users
  • It redirects the user to the Primo instance of one of the 30 participating library networks.

The SLSP Registration platform has been designed collaboratively with SLSP and it has been implemented by SWITCH for SLSP.

Custom Registration

Before a library user can access the SLSP Primo instance and search for books and other content, the user first needs to register with SLSP. This means

  • accepting the terms of use,
  • reviewing user data to be transmitted to the ExLibris-hosted SLSP Alma and
  • optionally providing a library card number.

To register with SLSP, an edu-ID account is needed for most users. Exceptions are for example organisations or service accounts for libraries.
If a library user already has an edu-ID account, it is likely that not all data required for a successful SLSP registration is available in that account. In this case, the Registration Platform ensures via the SWITCH edu-ID attribute completion flow that the user adds the required data (e.g. a phone number, postal address or date of birth) to the edu-ID account before the registration with SLSP is completed.
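The following is an added illustration (not SWITCH or SLSP code) of the two decisions the Registration Platform makes after an edu-ID login, as described in the function list above and in the attribute completion paragraph: detect which required data is still missing so the user can be sent to attribute completion, and otherwise derive the Alma user record with the best matching user group from the organisational identity data. Attribute key names, group names and their precedence are constructed assumptions; the post names the required data but not the Alma groups.

```python
# Toy model of the SLSP Registration Platform decision logic (constructed example).

# Data the post says SLSP needs; "uniqueId" stands for the persistent edu-ID
# identifier. All key names are assumptions, not real SAML attribute names.
REQUIRED = ("uniqueId", "givenName", "surname", "email",
            "mobile", "postalAddress", "dateOfBirth")

# Assumed precedence from organisational affiliation to Alma user group
# (constructed values; the post only says the "best matching" group is chosen).
GROUP_BY_AFFILIATION = (
    ("staff", "STAFF"),
    ("student", "STUDENT"),
    ("member", "MEMBER"),
)
DEFAULT_GROUP = "PUBLIC"


def missing_attributes(attrs):
    """Required attributes that are absent or empty in the received attribute set."""
    return [name for name in REQUIRED if not attrs.get(name)]


def best_user_group(org_identities):
    """Highest-precedence group over all organisational identities of the user.
    org_identities: list of {"org": ..., "affiliations": [...]} dicts."""
    held = {aff for ident in org_identities for aff in ident.get("affiliations", [])}
    for affiliation, group in GROUP_BY_AFFILIATION:
        if affiliation in held:
            return group
    return DEFAULT_GROUP


def process_login(attrs):
    """Decide the next step after an edu-ID login.
    Incomplete data -> send the user through attribute completion first;
    otherwise build the Alma record to create or update via the Alma API."""
    missing = missing_attributes(attrs)
    if missing:
        return {"action": "complete_attributes", "missing": missing}
    record = {
        "primary_id": attrs["uniqueId"],
        "first_name": attrs["givenName"],
        "last_name": attrs["surname"],
        "email": attrs["email"],
        "phone": attrs["mobile"],
        "address": attrs["postalAddress"],
        "birth_date": attrs["dateOfBirth"],
        "user_group": best_user_group(attrs.get("orgIdentities", [])),
    }
    return {"action": "create_or_update", "record": record}
```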

Figure: Draft of the SLSP-specific custom registration for an edu-ID user account.

If a library user does not have an edu-ID account yet, the registration process will create one on the fly. For these users an SLSP-specific edu-ID custom view was created. The custom view not only asks for name and e-mail but also for a phone number, a postal address and the date of birth.
This new feature is now available also for other edu-ID services to request additional data provided by the user during the edu-ID registration.

User Data Synchronisation

Library users don’t have to manage yet another account in Alma/Primo. Instead, they only need to keep their user-centric edu-ID account up to date. As soon as they update, for example, their e-mail address or mobile number, this change is propagated to SLSP within seconds. Likewise, if a university updates some organisational identity data of a user, this change is propagated automatically to SLSP if it is relevant for the Alma user record.

Figure: SCIM SP notification request to inform the SLSP Registration Platform about a change of a user.

To initiate an update, the SLSP Registration Platform is triggered via the “edu-ID SP notification API”, which has been improved and optimised to cope with a larger number of user update events. An example of such a SCIM-based trigger event is depicted above.

Data Quality Feedback Loop

Collections of e-mail addresses and postal addresses soon get out of date. With SWITCH edu-ID we have the means to verify e-mail addresses on a regular basis. Outdated e-mail addresses are removed automatically while users are reminded to keep them up to date. Nevertheless, it can still happen that e-mail addresses become inactive before edu-ID notices it. This becomes visible when systems like SLSP send messages to these user addresses, which then bounce. SLSP and SWITCH intend to process these bounce e-mails to keep the e-mail addresses accurate. The same goes for postal addresses, which are harder and costlier to verify. SLSP will, however, send content to user postal addresses via postal mail. If these packets “bounce”, this is valuable information for edu-ID.

Figure: Foreseen data feedback loop between SLSP and SWITCH

There are ideas to implement automated feedback processes that would allow SLSP to notify SWITCH edu-ID that an e-mail, postal address or phone number might not be correct anymore. This information will allow edu-ID to trigger a verification or removal process.

Optional Preparation Steps for AAI Organisations

The above topics represent only a subset of the work areas in which SWITCH has supported SLSP to make good use of edu-ID. SWITCH has invested quite some manpower in extending and improving edu-ID to make it ready for SLSP. Most of these developments also benefit the wider edu-ID community because they improve usability, scalability and overall adoption of edu-ID.
One might wonder what organisations (e.g. universities) can do to make it easier for their users to start using the SLSP service. The short answer is that no special steps are required for organisations to prepare for the launch of SLSP. However, there are a few points that can ease registration for end users. These points are explained in greater detail on the page Integration with SLSP, which administrators responsible for the identity management of an organisation are recommended to read.

Author: Lukas Hämmerle

I'm a member of the SWITCHaai team and the SWITCH edu-ID team.
