The integration of the edu-ID previously required the implementation of two small software components on the university side:
- the linking service with which the edu-ID account of a person is linked to the internal account at the university,
- and the attribute synchronization with which the university manages the affiliations in the edu-ID accounts.
A new integration method is now available that does not require the development and operation of software at the university.
The new integration method is based on the idea that a university member can be identified by their organization email address.
From a user’s point of view, the process is as follows:
- the person creates an edu-ID account (if she doesn’t already have one).
- the person goes to the account management on https://eduid.ch
- the person adds her personal university email address
- like every newly added email address, this one also has to be confirmed by the person. The edu-ID system sends a confirmation link by email, which has to be clicked on by the person.
Et voilà – the linking is completed!
Behind the scenes, here’s what happens.
The edu-ID account management keeps a list of email domain names for all organizations that use the email-based linking method. If a newly added email address matches one of these domain names, the associated university is determined. In the next step, edu-ID queries the organization's Attribute Provider API for a user with that email address. If a user is found, an affiliation is added to the edu-ID account.
So the creation of the affiliation takes place immediately.
From then on, the edu-ID’s attribute aggregator will query the organization’s affiliation API daily to update or remove any affiliations.
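The flow described above, sketched as an added example that is not SWITCH's code. The domain, organization name, function names and the in-memory stand-in for the Attribute Provider API are all assumptions made for illustration, as is the choice to match the domain part exactly (case-insensitively) so that look-alike domains never resolve to a university.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical domain and organization names).
LINKING_DOMAINS = {"uni-example.ch": "Example University"}
# In-memory stand-in for the organization's Attribute Provider API.
AP_DIRECTORY = {"Example University": {"anna.muster@uni-example.ch": "staff"}}

@dataclass
class Account:
    confirmed_emails: set = field(default_factory=set)
    affiliations: dict = field(default_factory=dict)  # org -> (email, affiliation)

def domain_of(email):
    """Lower-cased domain part of a simple address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()

def lookup_affiliation(org, email):
    """Hypothetical AP-API query: affiliation for this address, or None."""
    return AP_DIRECTORY.get(org, {}).get(email)

def link_by_email(account, email, confirmed):
    """Add an affiliation for a confirmed organization address; return the org or None."""
    if not confirmed:                      # unconfirmed addresses never link
        return None
    email = email.strip().lower()
    account.confirmed_emails.add(email)
    org = LINKING_DOMAINS.get(domain_of(email))   # exact match, no suffix matching
    if org is None:
        return None
    affiliation = lookup_affiliation(org, email)
    if affiliation is None:                # domain matches but no such user
        return None
    account.affiliations[org] = (email, affiliation)
    return org

def daily_refresh(account):
    """Re-query each linked organization; update or remove affiliations."""
    for org, (email, _) in list(account.affiliations.items()):
        current = lookup_affiliation(org, email)
        if current is None:
            del account.affiliations[org]
        else:
            account.affiliations[org] = (email, current)
```
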
There are two innovations. The first is the new email-based linking method, which is always operated by SWITCH in the edu-ID account management.
The second is that the Attribute Provider API (AP-API) has been extended so that it can be operated entirely by SWITCH. If SWITCH is to host the AP-API, read-only access to the university’s directory is required. If the university does not want to grant direct access to the directory for regulatory reasons, it can also operate the AP-API itself.
This exciting new integration method has been implemented in tight collaboration with SFUVET and is now available to all interested organizations.