SWITCH Identity Blog

The Identity Blog puts the spotlight on identity management, digital identities, identifiers, attributes, authentication and access management.

UNIBAS: Smooth sailing with SWITCH edu-ID


Project team: 
Dominik Hofer, Stefan Keller, Andreas Scheppele (KOGIT GmbH), Xiang Wang, Erwin Wendelspiess, Jan Stucki, Thomas Mundschin

Successful transition

“For the University of Basel (UNIBAS), the changeover to SWITCH edu-ID went smoothly. The project was a success because everything was well prepared from a technical point of view and it did not cause any big issues with regard to communication and user feedback.
Successful projects often remain “under the radar”. Management sometimes hardly notices projects when everything is running smoothly. This is our motivation to write this short success story:

One of the most successful projects

We had already completed essential preliminary work in 2019. This left us time in 2020 to complete everything, carry out tests and focus on the communication with the various stakeholders.

Working with the checklist that SWITCH provided was very helpful. We were able to plan exactly which tasks had to be completed when and work through the points step by step. Our partners SWITCH and KOGIT came up with several suggestions for improvement, and we made good progress with debugging some initial issues. SWITCH’s response times to technical questions were always fast. We received very helpful feedback on our planned communication measures as well. Our wish would be that all projects run as well as this one.

Service Desk was called upon for a short time

Our service desk had prepared manuals and FAQs for the users – especially the more than 13’000 students. We kept a constant eye on the number of linked accounts. The peaks with several thousands of new linked accounts following our information e-mails are clearly visible on the curve below. Nevertheless, an unexpectedly high number of users waited until it was unavoidable to become active.

The curve already flattened out one day after the changeover, and thus the number of support cases also decreased to a normal level. At first, there were somewhat longer technical waiting times before the affiliation was activated, because the load on the identity management system on the day of the changeover was much higher than usual. After the peak, users were able to access their services almost immediately.

Lesson learned: Privacy and data protection

Initially, we had requested the users to provide a private e-mail address for the linking service besides the UNIBAS mail address. We displayed this address to ensure that the correct account was linked. This private e-mail address was also passed on when linking with AAI. This led to a large number of support requests. Obviously, our students and staff handle their data responsibly and wonder what their data are used for before they agree to them being passed on. We reacted and no longer request a private e-mail address. If services should require further personal data, e.g. the date of birth, which are not stored in the affiliation, then users should have the opportunity to decide for themselves whether they want to store these data and transfer them to the specific service in order to be able to use that service.

Lessons learned: Know-how and documentation

During the project, the team had to build up, improve and spread knowledge about federated identity management systems, Active Directory, SAML and OAuth. Misunderstandings led to some lengthy discussion. Therefore, we recommend extending the documentation of SWITCH edu-ID about these topics.

Next steps

In a separate project, we will roll out two-factor authentication for some of our services in the near future. SWITCH edu-ID also supports this with two-step login. We will review the protection needs of our edu-ID authenticated applications and introduce two-factor authentication with edu-ID per service, where needed. This will also run smoothly if we use the knowledge we have gained in the edu-ID rollout project.”
