SWITCH Identity Blog

The Identity Blog puts the spotlight on identity management, digital identities, identifiers, attributes, authentication and access management.

PH Zug + edu-ID: Linking should be easy for users


With the University of Teacher Education Zug, the second PH switched to SWITCH edu-ID on 7 October 2020.

Abdel Benhauresch, head ICT PH Zug

Abdel Benhauresch (head of the ICT PH Zug), can you tell us a little bit about how the adoption of SWITCH edu-ID took place and what further objectives the PH Zug is pursuing after the successful changeover?

“We are a relatively small university with a core of about 800 users and about three times as many people who attend our continuing education courses.
Accordingly, our IT is small and efficiently structured. Projects have to be well planned and implemented in stages.
The preparations for the adoption of SWITCH edu-ID started two years ago. At first it was unclear when the new Campus Management System (CMS) would go live. Finally, we decided to switch to edu-ID first and not to use the new system before 2021. This means that we will then have to check the interaction of edu-ID with the new CMS.
For the linking process we decided to use a function in Microsoft Azure, because all our users use an Azure Active Directory account (AAD) to authenticate.

The adoption of SWITCH edu-ID has basically worked well. On the first day, we had problems with the linking service and the transfer of the affiliation to SWITCH via push, which we were able to solve within a reasonable amount of time after we had identified the cause. In tests, all roles should be taken into account, not only “staff” and “student” but also “affiliate”, in order to prevent such difficulties.

Our support was briefed and able to handle the user requests well. However, excessive help was required from participants in continuing education who had limited computer experience.

We designed the linking process in such a way that SharePoint was our starting point where users had to authenticate first. However, we found out that it would be more intuitive for users and thus advantageous for all of us if the linking process could start with the creation of the edu-ID user account and the linking could be done directly from the edu-ID account. This would also make the process more transparent. We would appreciate it very much if the linking were simplified, e.g. by verifying a university e-mail address or by selecting a university affiliation in the My edu-ID web application. Adding a university affiliation (after the adoption) should be as easy as linking to an AAI account (before the adoption).

Our continuing education participants not only have an account on the Microsoft tenant of the PH Zug, but as teachers often also another one on the Microsoft tenant of their own school. However, many of them did not know how to correctly log out of their own school’s tenant and register in the tenant of the PH Zug in order to successfully link the edu-ID account with the PH Zug account. As a result, they were unable to complete the linking via AAD login. Accordingly, the helpdesk was under great pressure. Forced authentication via the PH Zug tenant could possibly provide a remedy. We will therefore further expand the Azure function we use.

I would advise other universities to first ask the users to create an edu-ID account and to emphasize that the linking only starts after this first step. This way, users will not just abandon the second step of the linking process while supposing that everything is already done with the edu-ID account creation. Illustrations or videos can be a valuable help.

SWITCH edu-ID is a new concept that students, participants in continuing education and employees are not yet familiar with. They have to become acquainted with the characteristics of this self-managed account, e.g. with the fact that it can be used at several universities. Only then do they really recognise the advantages. And again, any simplification of the linking process is important. For example, one could also think about increasing the lifetime of web tokens with the objective that users can continue the process where they left off, if they have interrupted it. Or again, it would be very intuitive and user-friendly to enable linking by verifying the university e-mail address directly from the edu-ID account.”
