Pierre Deshayes, team leader and expert engineer “Infrastructures and Systems” at the University of Geneva, explained at the SWITCH edu-ID update event (slides) how the change from AAI to SWITCH edu-ID took place.
Here is a summary:
A special IdP setting at University of Geneva
“Since February 25, 2021, the approximately 36,000 members of the University of Geneva have been able to use SWITCH edu-ID for all federated web services. The situation turned out to be somewhat more complex in Geneva than at other universities, because nowhere else was the local Shibboleth IdP used as extensively as here: All authentication – external and internal – went through this one identity provider. With the use of SWITCH edu-ID’s central IdP, this type of single sign-on was no longer possible. It was therefore necessary to weigh up the advantages and disadvantages and ensure that operation with external authentication would continue to function smoothly and in compliance with data protection requirements. Various questions led to answers, which SWITCH was able to make available to other universities in the form of legal FAQs.
In the end, the following points tipped the scales in favor of the migration: The possibility of standardizing the registration process in the medium term and the user-centric approach of SWITCH edu-ID, which allows lifelong use of services from different universities with one account.
It was decided to solve the authentication of internal services via ADFS in the future (>150 web services) and to use SWITCH edu-ID for externally accessible web applications (around 80 services).
Once the path had been defined, the necessary preparations began in November 2020. Initially every 2 weeks, then weekly, progress and questions were discussed with SWITCH. First, the internal services were migrated to ADFS, then the linking service was developed and the SCIM Connector was put into operation (push method).
Lastly, the metadata was adjusted on the day of the migration.
The date was planned in such a way that it was during the semester break but did not affect any exams.
The most complex task
The opinions regarding communication measures were initially far apart.
Finally, everyone agreed on a short lead time with a start in mid-January. In addition to emails, messages were displayed on frequently used services such as Moodle and Mediaserver as well as on the login window of the local IdP. Around 15,000 users responded positively to these measures and linked their accounts. In most cases, this was achieved on the first try thanks to a step-by-step guide.
Since not all members of the university use federated services, 100% coverage was not to be expected here.
Continuing education had not been included in the communication measures, which is why there were more support cases here. Due to the large number of emails, e.g. when validating or resetting the password, the anti-spam software kicked in and many mails were blocked. The postmaster was able to solve this quickly. This kept the helpdesk busier than expected around the day of the changeover. Shortly thereafter, however, support requests decreased.
Not the end of the line
Now that SWITCH edu-ID is integrated into the everyday life of members of the University of Geneva, we can tackle the registration processes. Until these are converted, new students will continue to use the “linking after admission” scenario.
Account and identity management will evolve. User-centricity is the right way to go, and the University of Geneva will continue to focus on it in the future.”