SWITCH Identity Blog

The Identity Blog puts the spotlight on identity management, digital identities, identifiers, attributes, authentication and access management.

Graphical Statistics and Service Restriction Features


In December and January two new features were silently introduced for edu-ID organisation administrators. One provides graphical statistics and one allows restricting technical accounts to certain services. This blog post provides a short overview of what is new.

Graphical Statistics

Example statistics of an organisation that adopted edu-ID

The Organisation Administrator page has always shown the current number of organisation identities/affiliations of the organisation. For the past few weeks, this data can also be displayed over time, as shown in the above screenshot. There is also now an overview of the number of users of each type (staff, student, other). The third statistics graphic shows the top services that users of the organisation have been accessing, as well as the overall logins performed by users of this organisation.

These graphical statistics are shown on the Organisation Administrator page when clicking on the link “Show more statistics”. All time-based information can be shown for the past day, week, month and year. The statistics showing the top services accessed are, for obvious reasons, only available for organisations that have adopted SWITCH edu-ID. Only edu-ID organisation administrators can access these statistics, and they can only view statistics of their own organisation.

Restricted Service

Restricting services also works after account creation

Technical accounts are edu-ID accounts reserved for test and monitoring purposes. They don’t represent a real person and have some special characteristics. Often these accounts are created by organisations to allow external developers to test their edu-ID/AAI services. By default, technical accounts behave like normal edu-ID accounts. Even though they can be restricted to be read-only so that the persons having the credentials for these accounts cannot change them, they still can be used to access any edu-ID/AAI service which allows private edu-ID identities.

Since January 2021, Technical Accounts can be restricted such that only certain services can be accessed with them. Organisation administrators can define service restrictions during the creation of the Technical Accounts or afterwards. Restrictions can be defined on the Organisation Administrator page. A good way to define service restrictions is to first inspect the “Accessed Service Providers” of a technical account and then define restrictions based on this list.

If there exists a list of restricted services for a technical account and the account is used to access a service not on this list, an error message like below is shown after authentication at the edu-ID Identity Provider.

Please note that the service restriction currently only applies when the private identity of the technical account is used to access a service. In case an organisation identity is linked to the technical account and a service is accessed using this organisation identity, there is currently no restriction enforced.
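The restriction behaviour and the organisation-identity caveat described above can be modelled in a few lines to review how technical accounts are actually used. This is an added example, not edu-ID code: the record layout, account names, service URLs and outcome labels are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (account, service, identity used); not an edu-ID export format.
LOGINS = [
    ("tech-monitor-1", "https://lms.example.org/shibboleth", "private"),
    ("tech-monitor-1", "https://wiki.example.org/shibboleth", "private"),
    ("tech-monitor-1", "https://hr.example.org/shibboleth", "organisation"),
    ("tech-dev-2", "https://lms.example.org/shibboleth", "private"),
]

# Hypothetical restriction lists as an organisation administrator might define them.
RESTRICTIONS = {"tech-monitor-1": {"https://lms.example.org/shibboleth"}}


def propose_restrictions(logins):
    """Derive a candidate allow-list per account from the services it accessed."""
    seen = defaultdict(set)
    for account, service, _identity in logins:
        seen[account].add(service)
    return dict(seen)


def classify(account, service, identity, restrictions):
    """Model the outcome the post describes for a single login."""
    allowed = restrictions.get(account)
    if allowed is None:
        return "no-restriction"   # behaves like a normal edu-ID account
    if service in allowed:
        return "allowed"
    if identity == "organisation":
        return "not-enforced"     # linked organisation identity: restriction not applied
    return "blocked"              # private identity, service not on the list


def review(logins, restrictions):
    """Return (account, service, outcome) for every login that is not plainly allowed."""
    rows = [(a, s, classify(a, s, i, restrictions)) for a, s, i in logins]
    return [row for row in rows if row[2] != "allowed"]


if __name__ == "__main__":
    for row in review(LOGINS, RESTRICTIONS):
        print(*row)
```

Rows marked "not-enforced" are the ones to look at first: they show a restricted technical account reaching a service outside its list through a linked organisation identity.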

Organisation Administrators are the AAI/edu-ID users who have the privileges to create and modify various aspects of edu-ID for their organisation (e.g. university). The (home) organisation administrators of a particular organisation are shown in the AAI Resource Registry, the tool to manage the SWITCHaai identity federation.

Author: Lukas Hämmerle

I'm a member of the SWITCHaai team and the SWITCH edu-ID team.
